GDPR – The law we all love to hate | Moorepay
February 19, 2025


This time seven years ago, we were all quaking as we awaited May’s implementation of the dreaded Europe-wide General Data Protection Regulation.

Of course, we already had the UK 1998 Data Protection Act. But what panicked everyone was the complexity and massive penalties of GDPR. Unsurprising with a new maximum penalty of twenty million euro!

The seven-year itch?

2025 is ‘seven-year itch’ time for GDPR. We may have severed our ties with the European Union in 2020 but, in fact, we are still firmly wedded to EU GDPR through what is known as the Adequacy Agreement. However, this agreement is up for review in summer. Hopefully, it will be renewed and remain in place.

Would it matter if it didn’t? Absolutely! The Adequacy Agreement means UK data protection law is essentially regarded as equivalent to that applicable elsewhere in Europe. Without it, those doing business in (or with offices in) Europe would have to meet both European GDPR and UK legislation. GDPR is a minefield. Imagine having to manoeuvre through two minefields!

So, what’s the problem?

The problem is, the UK is currently on its third attempt to amend UK data protection legislation. The first ‘Data Protection and Digital Information Bill’ was put on ice in the brief premiership of Liz Truss. It re-emerged wearing slightly different clothes but fell with the dissolution of parliament for the 2024 General Election. There was widespread concern that both versions of the Bill were unacceptable to Europe, putting the ‘Adequacy Agreement’ at risk.

The third version, the Data (Use and Access) Bill introduced by the current government, is likely to be the one scrutinised by Europe. Hopefully, it does not present sufficient challenge to prevent the Adequacy Agreement being renewed… Fingers crossed! To satisfy the ‘adequacy’ test, legislation does not need to be a mirror image of European GDPR. However, it must not afford lower levels of protection for data subjects than Europe does.

What’s proposed?

The intention is to make the practical application of GDPR more user-friendly and have regard for emerging technologies such as AI (Europe has adopted a far more legislation-based approach to AI than the UK). Several changes help employers. For instance, subject access requests would be lodged with you (as data controller) before the ICO can get involved. And subject access searches could be ‘reasonable and proportionate’.

There are more contentious issues. You may not need to undertake a ‘balancing’ exercise to be able to rely on ‘legitimate interest’. Additional ‘special categories’ of data may be introduced, meaning extra hoops to jump through, just like health data currently. The rules around automated decision making may be relaxed; but not to facilitate covert decision making. What will Europe make of more contentious issues like these?

A crumbling consent barrier?

The legislation may also bring a more relaxed approach to consent provisions regarding the use of ‘cookies’. Conversely, the penalty regime for e-privacy offences will be hiked, in line with wider GDPR provisions: £17.5 million or 4% of global turnover, rather than the current £500,000 maximum. In recent years, e-privacy offenders have been a key target for the ICO.

Should I worry?

If you haven’t audited GDPR provisions since April 2018, yes. If you think GDPR doesn’t apply to small and medium-sized organisations, yes. If you do business with Europe, or have offices there, yes. If you haven’t got clear and well understood data privacy and AI policies in place, yes. If you don’t utilise robust, up-to-date, well understood cyber security measures, yes.

The ICO (which will become the Information Commission under the legislation) has relaxed its previous financial penalty-driven approach to one that’s more enforcement and reprimand led. However, the increase in penalties for e-privacy breaches and unsolicited nuisance calls etc. may see greater penalty activity again, once enhanced legislation is in place.

Just because the ICO is not issuing as many monetary penalties currently, doesn’t mean they’re not busy. In 2024, they dealt with:

  • 36,000 data protection complaints
  • 278,000 helpline calls
  • 44,000 nuisance call reports
  • 29,000 spam email reports
  • 2,000 data breach cases

What are the big issues?

  • Sending data to the wrong person
  • Sending copy emails ‘c.c.’ rather than ‘b.c.c.’
  • Insufficient data security measures
  • Unauthorised access to personal data
  • Lack of data privacy training for staff
  • Retention of personal data inappropriately
  • Lack of transparent, well understood, privacy policies
  • Sharing personal data without authority
  • Failing to deal immediately with data breaches
  • Failing to respond to subject access requests.

Moorepay can help

Your staff are your organisation’s most important asset. How you deal with their personal data, and how they deal with other people’s on your behalf, are vitally important. If the last time you gave much thought to GDPR and data protection was back in 2018, you’re well overdue an HR GDPR audit. We can facilitate that for you. To find out more, call us on 0345 073 0240 (option 3) or email: policy.team@moorepay.co.uk.

About the author

Mike Fitzsimmons

Mike is a Senior HR Consultant within the Moorepay Policy Team. He is responsible for developing employment documentation and is an Employment Law Advisor. With over 30 years of senior management and HR experience, Mike has managed teams of between 30 and 100 employees and is familiar with all the issues that employing people brings. He has also served as a non-executive director on the Boards of several social enterprises and undertook a five-year tour of duty as Executive Chair of a £30+ million annual turnover Government agency.
