General Data Protection Regulation (GDPR) and UK Data Protection Act 2018

Data protection has been an increasingly important issue for board members and executives over the past decade. The introduction of the GDPR heralded a new era, where data protection was elevated to a standing agenda item for boards and executives across every industry. In the years following the introduction of the GDPR similar, but not identical, legislative frameworks establishing data protection rights have been implemented in other jurisdictions around the world. This patchwork of differing international requirements further complicates corporate attempts to adopt coherent compliance measures.

Now, following Brexit, the UK government has indicated that it may seek to chart an alternative course from that pursued by the EU, potentially adopting an approach contrary to the increasing privacy rights being enacted across the globe  The lawyers in Jenner & Block’s Data Privacy and Cybersecurity Practice worked closely with clients as they prepared for the GDPR, counselled clients seeking to comply with differing privacy laws globally, and are now prepared to help clients navigate the increasingly divided European data protection landscape, with an ever more divergent approach being taken by the UK.


The UK has been subject to its own domestic version of the GDPR since 1 January 2021. Initially, this resulted in alignment with the EU, bringing about a welcome adequacy decision permitting the free flow of data, and minimising compliance costs for companies.

At present the key principles, rights and obligations contained in the UK’s GDPR remain the same as the EU’s GDPR. However, we have already seen the UK taking its own approach to the governance of international personal data transfers. The UK government has also announced a wholesale review into the UK’s data protection landscape. While no concrete steps have been taken, it would appear that the UK government is looking to chart its own course, with a more flexible approach to data privacy rights potentially adopted.

It is as yet unclear what precise steps the UK government may or may not take, and how this will impact companies’ data protection compliance programmes. In the near term, this regulatory uncertainty requires businesses to carefully consider:

  • how to future-proof – so far as possible – transfers of personal data between the EEA and UK;
  • a potential need for regime-specific data protection officers, and how to train these individuals;
  • keeping close attention to documentation to ensure both UK and EU GDPR compliance; and
  • adapting to the ever-changing approaches of the various data protection authorities.

Over a longer time period, it is possible that the UK will diverge even further from the EU in its approach to data privacy issues.  Companies will therefore need to closely monitor developments as the rules for data processing and control evolve, and respond accordingly.

These issues take on a particular level of importance when the penalties that the EU GDPR introduced for non-compliance are considered, which remain present in the UK GDPR.  The maximum penalty that can be applied under the either the EU or the UK GDPR is the greater of €20 million/£17.5 million or four percent of a business’s annual worldwide turnover.  Getting the right advice about the GDPR is essential for your business.


When GDPR came into force, Jenner & Block was there for its clients. Following the UK’s departure from the EU our clients relied on Jenner & Block to help them navigate the applicable legal regimes.  Now, in a new era of uncertainty, the Jenner & Block Data Privacy and Cybersecurity Practice is ready to use its extensive experience to ensure that data privacy compliance programmes are revised in the short term to ensure compliance with the UK GDPR and then whatever form the UK’s new data privacy regime ultimately takes.

Jenner & Block’s London team characterises the best traditions of the firm. Drawing on a diverse range of experience, the team is capable of handling a wide range of matters that relate to European data protection issues, and has experience of dealing with other data protection regimes globally.  This capacity ranges from counselling clients through data incidents attracting regulatory and public scrutiny to providing advice in an agile manner to resolve complex privacy issues.

The team in London also has significant experience in collaborating with the firm’s US offices, law firms in other jurisdictions and other trusted privacy advisors around the globe. This collaborative approach to partnership extends beyond issues of just data privacy and encompasses other areas that data privacy might impact, including investigations, litigation, employment issues, listing regulations or reputation management.