The UK Government has announced it intends to replace the European Union’s data privacy regime known as the General Data Protection Regulation (GDPR) with its own system.

“We will be replacing GDPR with our own business- and consumer-friendly British data protection system,” the culture secretary Michelle Donelan said, speaking at the Conservative Party’s annual conference this week.

“I can promise…that it will be simpler, it will be clearer, for businesses to navigate. No longer will our businesses be shackled by lots of unnecessary red tape.”

The internet is now full of people questioning the proposal launched by the UK Government, even considering it a strong reason for concern. We’ve discussed it internally with some of our specialists and we put together some thoughts on possible implications:

1. Will the new privacy regime resemble GDPR?

For many years, businesses in UK have been working with the GDPR, spending significant resources, such as time and money, while setting up and running compliance programs.

In this context, avoiding any radical changes from these core principles is what we would expect to see. However, it will be essential to understand if the new privacy regime proposed by the UK Government will still reflect GDPR’s substance and structure, or it will end up being something completely new.

2. Is it really “simpler” and “clearer”?

At this moment, there are many UK businesses that have customers in the EU. Even when the new data privacy regime is in place, such businesses still have to comply with the GDPR.  

As a result, the proposed law might create a situation when businesses will have to comply with two regulatory regimes, overcomplicating things instead of simplifying them, as the initial intention was.

3. Is there a risk to lose UK’s so-called adequacy status with the EU?

The UK currently enjoys an adequacy decision that allows personal data to flow smoothly from the EU to the UK. 

However, this adequacy status is not fixed and is up for full review by the EU in 2025. The EU Commission has also warned it won’t hesitate to pull the plug at any time if the government bends domestic data protection away from ‘essential equivalence’ with the GDPR — which is the standard required to achieve EU adequacy.

According to Michelle Donelan’s speech, the UK would retain its adequacy decision, but that outcome is uncertain.

If you still have questions and you need help navigating all of the changes happening around data privacy, get in touch with our team.