Jenner & Block

General Data Protection Regulation (GDPR) and UK Data Protection Act 2018

The GDPR elevated the issue of data privacy to one that frequently sits on the agendas of boards and executives across every industry. Companies spent months – if not years – preparing to comply with the GDPR.  Now, because of Brexit, at least some of that work may need to be revisited.  The lawyers in Jenner & Block’s Data Privacy and Cybersecurity Practice worked closely with clients as they initially prepared for the GDPR, and are prepared to help clients navigate the European data protection landscape with a European Union that does not include the UK.


The UK will no longer be subject to the GDPR after 31 December 2020.  On 1 January 2021, the UK will implement its own domestic version of the GDPR.  The key principles, rights and obligations contained in the EU’s GDPR remain in the UK’s GDPR, but local variations will require analysis and potential changes to businesses practices.

Complicating matters is the as yet outstanding adequacy decision to be made by the EU in respect to the UK’s data protection regime.  It is looking increasingly unlikely that the UK will receive such a determination.  If the EU decides that the UK’s data protection framework is inadequate, businesses will need to implement “appropriate safeguards”, or rely on a specific derogation, if they wish to transfer data from the EEA to the UK.

In the near term, this regulatory uncertainty requires businesses to carefully consider:

  • how to transfer personal data between the EEA and UK;
  • a potential need for regime-specific data protection officers;
  • revising documentation to ensure UK and EU GDPR compliance; and
  • confirming the choice of lead supervisory authority.

Over a longer time period, it is likely that the UK will diverge even further from the EU in its approach to data privacy issues.  Companies will therefore need to not only prepare for the impending departure of the UK from the EU, but also closely monitor developments as the rules for data processing and control evolve.

These issues take on a particular level of importance when the penalties that the GDPR introduced for non-compliance are considered.  The maximum penalty that can be applied under the GDPR is the greater of €20 million or four percent of a business’s annual worldwide turnover.  Getting the right advice about the GDPR is essential for your business.


When GDPR came into force, Jenner & Block was there for its clients.  With the impending schism between the EU’s GDPR and the UK’s GDPR, we remain a resource on which companies can rely to navigate the applicable legal regimes.  The Jenner & Block data privacy and cybersecurity team has extensive experience in ensuring that data privacy compliance programmes are established and overhauled, to ensure compliance with the GDPR and the UK’s new data privacy regime.

Jenner & Block’s London team characterises the best traditions of the firm.  Drawing on a diverse range of experience, the team is capable of handling a wide range of matters that relate to European data protection issues.  This capacity ranges from counselling clients through data incidents attracting regulatory and public scrutiny to providing advice in an agile manner to resolve complex privacy issues.

The team in London also has significant experience in collaborating with the firm’s US offices, law firms in other jurisdictions and other trusted privacy advisors around the globe. This approach to partnership extends beyond issues of just data privacy and encompasses other areas that data privacy might impact, including investigations, litigation, employment issues, listing regulations or reputation management.