UK data protection law

The General Data Protection Regulation (“GDPR”) came into force with direct effect in the European Union on 25 May 2018 and heralded a step change in data protection law throughout the region. The GDPR continues to apply in the UK following Brexit as the “UK GDPR”, supplemented by the Data Protection Act 2018 ("DPA").

The UK GDPR came into effect on 1 January 2021 and is largely consistent with the provisions of the GDPR, with necessary changes to reflect the impact of Brexit and so that the UK GDPR could operate within a UK context. The UK has now set forth an ambitious plan of legislative reform affecting the processing of personal and non-personal data.

For more information on the GDPR and the UK GDPR and what steps your business might need to take, look at our overview here.

Future of UK Data Protection

UK Data Protection and Digital Information (No.2) Bill 

On 8 March 2023, the UK Department for Science, Information and Technology ("DSIT") published the Data Protection and Digital Information (No.2) Bill ("New Bill"), which replaces the Data Protection and Digital Information (No.1) Bill published in July 2022 ("Previous Bill"). The New Bill updates the Previous Bill and reimagines the Government's plans to reform the current UK data protection framework, which is comprised of the UK GDPR, the DPA and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

We published details of the difference between the New Bill and the Previous Bill in an insight in March 2022.

Online Safety Bill ("OSB")

Provision of OSB

Position under the OSB


Brexit has led to the UK taking a parallel approach to the Digital Services Act, in the form of the OSB. This seeks to regulate certain online services and to tackle illegal and harmful online content.

What data will the OSB apply to?

All digital data, including both personal and non-personal data.

Who will the OSB apply to?

The current draft applies to companies whose services are accessible to UK users.

What territories does the OSB apply to?

The OSB has extra-territorial effect in that it applies to companies wherever based geographically, provided they offer regulated services to users based in the UK.

Key Provisions and Proposals

  • Platforms targeted at children will have a duty to protect them from harmful material.
  • Certain large platforms that present a high risk to users will be required to provide control to users over what content they can access. These platforms must also set out what content is acceptable or not acceptable in their terms and conditions.
  • Rather than being enforced centrally, the OSB would place enforcement obligations on the online service providers themselves.


Potential fines for non-compliance could be as great as £18 million or 10% of annual global turnover.

Current Status

The OSB is awaiting its second reading in the House of Lords and is not likely to pass into law until Summer 2023.

AI White Paper

The UK Government has published a new white paper outlining the UK government's plans to regulate artificial intelligence (the "AI White Paper"). The AI White Paper builds on the National AI Strategy released in September 2021.

According to the UK Department for Science, Information and Technology ("DSIT"), the AI White Paper demonstrates "a pro-innovation approach to AI regulation" aimed at enabling responsible and trustworthy innovation. It seeks to focus on the benefits and potential of AI, avoiding unnecessary burden to business and allowing for technological growth.

The AI White Paper states that the government does not intend to establish a single AI regulator but rather existing, industry-specific regulators are going to be required to coordinate with the government to produce a context-specific approach. The government is set to provide specific central functions to support these regulators, such as monitoring, assessment and feedback or education and awareness.

The AI White Paper also establishes 5 cross-sectoral principles: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. These principles are to be introduced on a non-statutory basis to begin with and instead upheld by the regulators acting in coordination with the government. Statutory regulations will only be implemented after careful consideration and if the government considers them necessary.

This sector-specific approach to AI regulation differs from the approach taken by the EU under the Artificial Intelligence Act ("AI Act"), which seeks to implement a single, legislative framework for all businesses using AI. In contrast, the AI White Paper's regulator-led, light-touch approach is designed to give regulators flexibility in developing and enforcing AI rules.

Whilst the AI White Paper clarifies the government's intended approach to regulating AI, it gives no further indications of what the regulatory codes of practice will look like. It even goes as far as to say that "it would be premature to take specific regulatory action" as it might "risk stifling innovation, preventing AI adoption and distorting the UK's thriving AI ecosystem." This has led to some criticism over the UK's ability to regulate AI at the pace required to keep up with the development of the technology itself.

In terms of next steps, the AI White Paper is open for consultation until 21 June 2023, following which the government will publish its response to the consultation alongside an AI regulation roadmap. It is envisaged at this point that regulators will be encouraged to publish guidance on the use of AI within 12 months.

Relationship of EU and UK Law

Organisations that process data in the EU and the UK may now be subject to both the EU GDPR and the UK GDPR and any future iterations of the UK Data Protection regime. To ensure compliance with all applicable data protection laws, it is vital that organisations:

  • take stock of their data protection practices
  • understand the impact of data protection law on their business
  • take any necessary action.

For now, data sharing between the UK and EU is secure following the European Commission adopting two adequacy decisions in relation to the UK which allow for the continued flow of personal data between the UK and the EU (for more information on these decisions, please see our article here). The UK has similarly adopted an adequacy decision in respect of the EU. Moving forward, any changes to the UK data protection regime may affect the EU's adequacy decision and businesses need to maintain awareness around their ability to provide for changes affecting the free flow of data between the UK and EU.