Four years on, how's UK GDPR holding up?


It's been four years since the UK General Data Protection Regulation (GDPR) came into force after the UK left the European Union (EU).

However, while the UK legislation remains aligned with that of the EU, it gives the UK the independence to keep the framework under review.

Like the EU GDPR, the UK version places requirements on organizations that process personal data, based on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

Charlie Bromley-Griffiths, senior legal counsel at legal document management software firm Conga, said that while the legislation has delivered marked benefits, lingering issues remain.

"Over the last four years, UK businesses have made substantial strides in aligning with UK GDPR requirements. Companies have implemented stronger data governance policies, enhanced security protocols and prioritized the rights of data subjects," Bromley-Griffiths said.

"However, challenges still remain, particularly for small and medium-sized enterprises struggling with the complexity and cost of full compliance. GDPR mandates stringent measures to safeguard consumer data, which includes data storage, processing and transfer practices, all of which impact organizations' data strategies and operational costs."

Brexit has also caused issues with regard to the transfer of personal data between the UK and the European Economic Area (EEA), along with UK controllers who have an establishment or customers in the EEA, or who monitor individuals in the area.

While the EU GDPR still applies to this processing, the way organizations interact with European data protection authorities has changed.

"The international data landscape is now rather complex. UK businesses handling data from the European Union (EU) must also comply with the EU GDPR," said Bromley-Griffiths.

"Then, of course, there is the US-UK data bridge, which forms part of the EU-US Data Privacy Framework and permits the flow of EU-based data to the United States under certain conditions."

All this, he said, highlights the importance of maintaining two or more compliance strategies to make sure operations across borders go smoothly – and, ultimately, keep the trust of customers, reassuring them that their data is safe.

Looking ahead, Bromley-Griffiths expects regulatory bodies to look at cracking down harder on repeat offenders or businesses that have suffered significant data breaches.

Meanwhile, the UK GDPR is likely to be amended, with the introduction last October of the Data Use and Access Bill in the House of Lords. With this bill, and in future, the UK is unlikely to diverge significantly from EU legislation.

The UK currently enjoys 'data adequacy' with the EU, meaning that personal data can be transferred freely between the two. If this were lost, it could be an economic disaster.

However, more minor changes, said Bromley-Griffiths, could be on the cards.

"Given how quickly cyber threats are evolving, the UK GDPR standards may be updated. Businesses need to have the appropriate tools and measures in place to ensure that they are ready to adapt to any legislative changes," he said.

"Organizations must remain committed to investing in their employees' ongoing education but also in the right technology to safeguard personal data."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.