
Changes in the personal data processing

Updated: Jan 27, 2022

1 November 2021

The UK government announced a new personal data protection regime. After Brexit, the approaches defined in the GDPR will be changed. Therefore, almost every business in the UK should be ready for such changes.

The main potential changes are set out below, and we will keep you informed.

Reshaping approach to regulation

Outside the EU, the UK is reshaping its approach to regulation and seizing opportunities with its new regulatory freedoms, helping to drive growth, innovation and competition across the country.

The proposals aim to deliver an even better data protection regime that will:

  • support vibrant competition and innovation to drive economic growth;

  • maintain high data protection standards without creating unnecessary barriers to responsible data use;

  • keep pace with the rapid innovation of data-intensive technologies;

  • help innovative businesses of all sizes to use data responsibly without undue uncertainty or risk, both in the UK and internationally;

  • ensure the Information Commissioner’s Office (ICO) is equipped to regulate effectively in an increasingly data-driven world.

Proposed changes to the UK GDPR

Some of the proposed changes to the UK GDPR are:

  • Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.

  • Removal of the right to human review of decisions made on the basis of solely automated data processing.

  • Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.

Potential changes to the UK’s Privacy and Electronic Communications Regulations

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

  • Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.

  • Removing the requirement for websites to obtain consent before serving some analytics cookies.

  • Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.


The review of existing GDPR legislation is now in full swing. There is a public consultation on possible changes until 19 November this year. Most of these provisions are expected to receive support and to be implemented.


For further information on any of the points above contact

Mikita Makayou at, or
