There are many questions being asked regarding the UK, GDPR and Brexit, including what happens now that Britain has left the EU? Many people are unsure if the UK is GDPR compliant or if GDPR applies to the UK.
You may have heard of the UK General Data Protection Regulation and be unsure of what it is.
We’ve narrowed it down to the most frequently asked questions to help clear up what exactly is going on.
The answer is GDPR still applies in the UK after Brexit. The General Data Protection Regulation applies to any organisation that processes personal data belonging to a resident or citizen of the EEA. If you didn’t know, the EEA consists of the member states of the EU and three countries of the European Free Trade Association (EFTA). These three countries are Iceland, Liechtenstein and Norway.
Though the UK is no longer in the European Union, and so not subject to EU law. The power of the GDPR extends beyond the member state borders of the EU. This means that organisations in the UK wishing to process the personal data of EU citizens or residents must continue to comply with General Data Protection Regulation.
The good news is that the General Data Protection Regulation of April 2016 and enforceable from May 2018, was mirrored by the UK’s Data Protection Act 2018 (DPA 2018). So organisations in the UK should already be GDPR compliant.
There are two differences for the UK as of January 2021 because it is no longer a member of the EEA:
As mentioned above, the General Data Protection Regulation will still apply to the UK now that we have left the European Union. However, in addition to the EU GDPR, the UK Government has adopted an amended version of the GDPR into domestic law. In the hope that it will receive adequacy status from the EU and the European Parliament.
In short, data controllers and processors of personal information are still covered by data protection law in the UK. UK data protection rules are still in place for the protection of personal data that is in the public interest.
Data controllers must still disclose any data collection. They must declare the lawful basis and purpose for data processing, state how long data is being retained and if it is being shared with any third parties. Businesses must still report data breaches to UK supervisory authorities and public authorities within 72 hours if they could have an adverse effect on user privacy.
Data subjects still have the right to request a portable copy of the data collected and the right under certain circumstances to have their data erased. Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data. Are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR
This amended version of the General Data Protection Regulation is known as the UK GDPR.
The UK General Data Protection Regulation is almost identical to the GDPR as it applies in the EU, with only a few amendments. Almost all of the requirements and legal terms remain the same, with only a handful of new exemptions.
Most of the amendments were to the wording of the law. For example replacing “the Union” with “the United Kingdom”, “Union or Member State law” with “domestic law” and “supervisory authority” with “the Commissioner”. This was to make the regulations fit UK domestic law.
This is important because the amendments don’t change the regulations themselves. They just make it clear that the UK GDPR applies worldwide similar to the EU GDPR, and only concerns the personal data of UK citizens or residents.
The similarities between these two pieces of legislation make it simple to comply with both UK GDPR and the original. Just remember you have to comply with UK GDPR when processing the data of UK residents and you have to comply with EU GDPR when processing personal data of EU residents.
There are some notable exceptions under UK GDPR that you should be aware of:
As we saw above, one change with the UK General Data Protection Regulation is that the ICO is now the supervisory authority in charge of enforcing the UK GDPR.
In the event of data breaches, or if you have questions concerning personal data security, you should contact the ICO. It is also the point of contact for data protection officers working with personal data from the UK.
In order to help the UK General Data Protection Regulation better align with domestic law, the fines that can be issued under the legislation were altered slightly. The two tiers of UK GDPR fines are:
The higher maximum applies to serious infringements. Such as a failure to comply with any of the data protection principles. Or a failure to respect the rights an individual may have under Part 3 of the UK GDPR. Or the transfer of data to a third country, a third country is any country outside of the UK to which transfers are restricted by UK adequacy regulations.
The standard maximum applies to less serious infringements such as administrative requirements not being met.
Hopefully this will have cleared up some of the fog surrounding the UK General Data Protection Regulation for you. For more information on the GDPR seven principles, data security and GDPR compliance, consider taking our GDPR Awareness Training online course.