May 25th marked six years since the General Data Protection Regulation has been in effect.
Since it was implemented, GDPR has been regarded as the gold standard for data protection legislation across the world. The implementation of GDPR signaled the European Union's firm stance on data privacy and security, demonstrated by the large fines introduced for businesses that violate GDPR standards. The GDPR is retained in the UK's domestic law as UK GDPR, which sits alongside the Data Protection Act 2018.
In this article we look back at the most important recent developments in data protection law, and look ahead to the developments that will impact UK employers in the coming years.
- The EU AI Act – the EU AI Act ("AI Act") was approved by the European Parliament on March 13, 2024 and will be the world's first comprehensive law regulating AI. The AI Act imposes large fines (nearly double those under GDPR) and will have extra-territorial scope meaning international companies, even if they are not based in the EU, may still find themselves subject to the AI Act. Read our more detailed analysis about the AI Act here.
- UK regulation of AI – in contrast to the EU's approach, the UK has taken a more "innovation"-led approach, introducing sector-specific regulation and guidance. There are some rumblings of potential regulation in this area, including a bill which aims to regulate AI in employment and to establish a central AI Authority in the UK. Read more about this here.
- Potential shift away from UK GDPR – after Brexit, the UK government proposed new legislation to simplify the UK's data protection framework, reducing the compliance burden on organizations. The Data Protection and Digital Information Bill is still being reviewed by the House of Lords in the UK. Read our more detailed analysis of the bill here.
- More ICO guidance – as we see more technological and legal developments, we can expect to see more guidance published by the Information Commissioner in the UK. The ICO published its guidance on AI in the workplace in March 2023.
- European Commission review of GDPR – we are expecting the European Commission to publish its review of EU GDPR in 2024.
- Areas of regulatory focus – as part of its strategic plans, the ICO has committed to focus its attention on the use of AI in recruitment and data protection compliance within the financial services industry.
- Labour Government and change in policy – it remains to be seen whether we will have a Labour government later this year or early next, and what a Labour government will do in relation to data protection legislation. Early indications show that Labour may be more willing to regulate AI in the UK than the current Conservative government.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.