Navigating the evolving landscape of data protection laws – from Data Protection Act 2018 to FADP

Jul 9th '24

Navigating the evolving landscape of data protection laws in the global north: implications for researchers.


The past year has seen a significant shift in the regulatory landscape of data protection laws across Europe, the UK, and the USA. Researchers must now navigate a more complex but GDPR-aligned regulatory environment. This post provides a detailed overview of these changes, their implications, and best practices for compliance.


Primary legislation for the uk is the Data Protection Act 2018 and it’s divergence from the eu GDPR.


Data protection landscape in the European Union (EU)


Strengthening GDPR enforcement

In 2023, the EU introduced significant regulatory developments to enhance its data protection regime. Building on the general data protection regulation (GDPR), the eu proposed the GDPR procedural regulation on July 4, 2023. This regulation aims to standardize and enhance cooperation between eu member state data protection authorities (DPAs in enforcing the GDPR, particularly in cross-border cases.


Key provisions:

  • Streamlining complaints: standardizing the handling of individual complaints related to personal data processing.
  • Conduct of investigations: standardizing investigations by DPAs in cross-border cases.
  • Procedural rights: ensuring procedural rights for individuals and businesses involved in enforcement actions or investigations.
  • Cooperation between DPAs: facilitating cooperation and information sharing between DPAs across member states.


These developments are expected to provide greater legal certainty and efficiency, benefiting entities involved in cross-border data processing and research activities.


Data protection in the United Kingdom 


Diverging post-Brexit approaches

While retaining the core principles of the eu GDPR, the uk has begun to diverge in specific aspects after Brexit. The introduction of the data protection and digital information (no.2) bill on march 8, 2023, aims to amend the uk GDPR and the Data Protection Act 2018.


Key provisions:

  • New definitions: introduces statutory definitions for “scientific research,” “historical research,” and “statistical surveys,” along with amendments to the definition of “consent.”
  • Role of data protection officers: changes the role of data protection officers, replacing them with a Senior Responsible Individual (SRI) for certain organisations.
  • International data transfers: establishes a new test for making adequacy regulations for international data transfers.
  • Information commission: establishes the new information commission, replacing the Information Commissioner’s Office (ICO).
  • Direct marketing fines: increases the limit of fines for breaches of direct marketing rules under the Privacy and Electronic Communications Regulations (PECR).


Additionally, a bill was passed enabling uk organisations to transfer personal data to us entities certified under the uk extension to the eu-us data privacy framework without additional transfer safeguards. This obviously has impacts on the Data Protection Act 2018.


Switzerland’s revised FADP


Aligning with GDPR principles

In 2023, Switzerland enacted the revised Federal Act on Data Protection (FADP), aligning closely with GDPR principles while maintaining several unique aspects.


Key changes:

  • Enhanced individual rights: strengthens individual rights regarding personal data, including access, rectification, erasure, and data portability.
  • Stricter compliance requirements: imposes stricter compliance requirements, similar to those under GDPR, including data security, processing transparency, and lawful data processing.
  • New sanction system: introduces a new sanction system that covers penalties against individuals responsible for data protection within organisations, with fines up to CHF 250,000.


Researchers handling Swiss data must ensure compliance with the revised fadp, which demands more diligence in collecting, using, and storing personal data.


The United States: a patchwork of state-level privacy laws


Towards a rights-based model

The US does not have federal-level data protection laws akin to the GDPR. Instead, data protection is governed by a patchwork of federal and state laws, along with sector-specific regulations.


State-level privacy laws:

  • GDPR-inspired statutes: states like California, Colorado, Connecticut, Utah, and Virginia have implemented GDPR-inspired data privacy statutes, categorizing entities as “data controllers” and “data processors.”
  • Individual rights: new state laws include individual rights such as access, correction, portability, erasure, and consent regarding personal data use and sale.


Sector-specific federal laws:

  • Health data: governed by the Health Insurance Portability and Accountability Act (HIPAA).
  • Financial data: governed by the Gramm-Leach-B liley Act (GLBA).


Researchers in the us must navigate these varied regulations, ensuring compliance with both state and federal laws, which may include requirements like consumer consent, data subject rights, and data minimisation principles.


Implications for researchers


Navigating complex legal frameworks

The evolving landscape of data protection legislation presents both challenges and opportunities for the research community. While the EU, UK, Switzerland, and the US have introduced more stringent, rights-based data protection standards, researchers must adapt their methodologies to ensure compliance.


Key strategies:

Understand jurisdictional nuances: researchers must have a deep understanding of the legal frameworks in each jurisdiction where they operate.


If working across EU GDPR, UJK Data Protection Act 2018, Swiss FADP or the US regional laws, as well as the potential impacts of the data protection and digital information bill, any product creator, marketeer or sales compliance must be considered. Whereas they are all “similar”, there are distinct differences.


  • Invest in compliance: significant resources and expertise are needed to navigate these complex legal requirements.
  • Adapt methodologies: researchers should adjust their data handling practices to align with the stringent requirements of the new regulations.


Recommendations for best practices

  1. Data mapping: identify and document all personal data processing activities across jurisdictions.
  2. Consent management: ensure robust mechanisms for obtaining and managing consent.
  3. Data security: implement stringent data security measures to protect personal data.
  4. Compliance training: regularly train staff on data protection regulations and compliance requirements.
  5. Legal consultation: engage with legal experts to stay updated on regulatory changes and ensure ongoing compliance.



The regulatory landscape for data protection has become increasingly complex, with significant changes across the EU, UK, Switzerland, and the US. Researchers must navigate these changes diligently to ensure compliance and protect personal data. By understanding the nuances of each jurisdiction and implementing robust compliance measures, researchers can continue to conduct valuable research while adhering to stringent data protection standards.


Contact us if you need assistance in implementing, documenting or testing/auditing your data management projects


About us

At LS Consultancy, we provide a cost-effective compliance support including data protection compliance support services to make sure all your advertising and campaigns are compliant, clear and suitable for their purpose.


Our range of innovative solutions can be tailored to suit your unique requirements, no matter whether you’re currently working from home, or are continuing to go into the office. Our services can be deployed individually or combined to form a broader solution to release your energies and focus on your clients.


Contact us today for a chat or send us an email to find out how we can support you in meeting your current and future challenges with confidence.


Explore our full range today.


Contact us


Why Not Download our FREE Brochures! Click here.


Need A Regulatory Marketing Compliance Consultant? A Bit More About Us


Call Us Today on 020 8087 2377 or send us an email.


We welcome individual bloggers / Professional Writers / Freelancers to submit high quality contents. Find out more…



Connect with us via social media and drop us a message from there. We’d love to hear from you and discuss how we can help.


Facebook | Instagram | LinkedIn | X (formerly Twitter) | YouTube


Contact us