One common misconception about the GDPR is that it concerns only businesses in the EU. In fact, the GDPR has raised more awareness of data privacy than any privacy law before it, and it affects businesses regardless of where they are located. In this article, we will look at the GDPR and its impact on the UK after the country’s exit from the EU, also known as Brexit.
GDPR is about how the users’ personal data is going to be protected, and businesses that handle that data will have to comply with basic rules that allow individuals to know what data is being collected, why it’s being collected, who it’s being shared with, and what protections are in place. When the UK decided to bid farewell to its five decades-long EU membership, one of the things that had people worried was the future of GDPR in the country. Will it still apply in the UK? Let’s find out.
Brexit and GDPR: a quick recap
After months of negotiations and a lot of mixed reactions, the UK left the EU on January 31, 2020. The UK and the EU agreed on a deal to define their post-Brexit relationship. Under the withdrawal agreement, the UK entered a ‘transition period’, lasting until December 31, 2020, during which the exit terms were negotiated with the EU.
Throughout the transition period the EU GDPR continued to apply in the UK, so businesses (including websites) serving UK customers continued to follow the GDPR standards until December 31, 2020.
GDPR after Brexit — old laws, new names
With the UK exiting the EU and falling outside of the GDPR zone, it became a “third country” with restrictions on data flow between the two sides. However, the deal signed between the EU and UK ensured the free flow of data for six months starting from January 1, 2021.
Following that, on June 28, 2021, the EU adopted an adequacy decision for the UK to allow uninterrupted data flow from the EU without further supervisory authorization or legal measures for four years (until June 2025).
Meanwhile, the UK government amended and updated its pre-existing privacy laws to accommodate the changes brought by Brexit. It introduced the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (DPPEC). The highlights of the DPPEC are a new domestic law called the UK GDPR and the amended Data Protection Act 2018.
The UK GDPR 2021
To fulfill the Withdrawal Agreement for providing the EU equivalent level of data protection, the UK government amended the EU GDPR and created a new domestic law called UK GDPR to replace the former.
Businesses based in or outside the UK that previously followed the EU GDPR when processing UK users’ personal data now have to comply with the UK GDPR requirements. Those that offer goods and services to EU users should continue to follow the EU GDPR as well.
Businesses with no base in the UK that process the personal data of UK individuals must appoint a UK representative to supervise and deal with any concerns related to UK GDPR compliance.
The amended Data Protection Act (DPA) 2018
The DPA 1998 was passed to address privacy issues in the UK that were beyond the scope of the EU GDPR (before Brexit) and to implement the GDPR in the country. The GDPR gives each EU member state the provision to implement its own framework for enforcing the regulation; what differs between member states is the handling of domestic privacy issues that are beyond the scope of the GDPR. The amended DPA was implemented in 2018 to set a framework for enacting the EU GDPR in the UK and to address issues not covered by the EU GDPR.
The DPA 2018 was amended once again on January 1, 2021, at the end of the UK’s post-Brexit transition period. The DPPEC merged the EU GDPR rules into domestic law to create a new data protection regime known as the UK GDPR.
What happens to GDPR after Brexit?
The EU GDPR is a robust and stringent data protection law that affects many businesses worldwide, and it continues to do so after Brexit.
There are a few notable changes that you may want to be aware of:
- Businesses operating in the UK, offering goods and services to UK individuals are no longer required to follow the EU GDPR. They have to align all their policies and privacy practices with the UK GDPR.
- UK businesses operating in the EU, offering goods and services to EU individuals must continue to follow the EU GDPR along with the UK GDPR.
- The ICO is no longer the UK regulator for any EU GDPR-related concerns. It is the independent supervisory body for UK data privacy laws.
- Data transfer from the UK to the EU will be subject to the UK International Data Transfer laws and EU SCCs.
UK international data transfer post-Brexit
On February 2, 2022, the Secretary of State issued the International Data Transfer Agreement (IDTA), the Addendum to EU SCCs, and transitional provisions under Section 119A of the Data Protection Act 2018. This came after consultation with the ICO and Parliament’s approval. The documents came into force on March 21, 2022.
The IDTA allows for international transfers of data from the UK to countries with equivalent data privacy laws. For the countries that do not have equivalent privacy laws, the Addendum will allow for international transfers of data from the UK, similar to how new EU SCCs work.
Both agreements require importers and exporters of personal data to follow certain rules and regulations, such as providing information about local laws and practices before transferring the data and responding to access requests from public authorities.
The IDTA does not follow the modular format of the EU standard. Instead, the IDTA relies on a “linked agreement” to address processor-to-sub-processor transfers and controller-to-processor transfers.
Does GDPR still apply in the UK?
As mentioned, the EU GDPR has ceased to apply to businesses that operate in the UK and process the personal data of UK individuals. They have to adhere to the requirements of the UK GDPR and update all their policies and contracts to comply with it.
UK-based businesses that process the personal data of the EU individuals must continue complying with the EU GDPR along with the UK GDPR (if they process the personal data of the UK individuals).
How to comply with GDPR post-Brexit?
The UK variant of the GDPR does not differ much from the EU GDPR. The requirements are almost the same, so a business that becomes subject to the UK GDPR does not have to put in a lot of extra effort. The requirements the two regulations share also make life easier for businesses that are subject to both of them.
At the outset, a business needs to identify where it collects personal data from. Because both laws have similar requirements, the following common steps help ensure compliance, and they also apply to businesses that must comply with both laws.
- Audit the personal data flow in your business to identify what laws apply to you.
- Identify your EU and UK supervisory authorities.
- Appoint the UK and/or EU representative per your business size and requirements.
- Update privacy policies to reflect the changes in business post-Brexit. Explain how users can control their data and exercise their rights.
- Update existing contracts and documents to accommodate the EU and UK GDPR requirements.
- Continue obtaining user consent for using their personal data (the age of consent is 16 years in the EU and 13 years in the UK).
- Adopt appropriate technical and organizational measures to ensure security for international data transfers as per the EU and the UK rules.
GDPR and Brexit: the future
On May 10, 2022, the UK government announced that it will be introducing a Data Reform Bill.
The Bill will create a new, more agile regulatory regime that minimizes the bureaucratic time and cost burden placed on SMEs while giving them the tools they need to thrive. It will also make UK citizens’ data rights stronger than ever before, helping to give them greater control over how companies use their personal data.
The Bill will help businesses by making it easier for them to use data, and it will give people more power over their own personal data. This will make life easier for everyone, as well as further scientific research and innovation. The Bill is intended to improve how public bodies use data. It will improve services by allowing more data to be shared between public bodies, and it will protect the public’s privacy by making sure that personal data is protected.
The government also went on to remark that the UK GDPR and DPA 2018 are “highly complex and prescriptive pieces of legislation”.
Frequently asked questions
Is GDPR affected by Brexit?
Brexit has affected GDPR in a big way. The EU GDPR ceased to apply in the UK at the end of the transition period, i.e. December 31, 2020. Any organization that had to comply with the EU GDPR for processing the personal data of UK citizens must now follow the UK DPA/UK GDPR. However, the EU GDPR still applies wherever businesses process the personal data of EU individuals.
Is the UK still covered by GDPR?
The UK government passed its own version of the GDPR, called the UK GDPR. It regulates data processing, along with the DPA. The EU GDPR no longer applies to businesses operating in the UK, offering goods and services to UK citizens, or monitoring their behavior in the UK.
Why will GDPR still apply despite Brexit?
The EU GDPR’s extraterritorial reach means that any business, regardless of its location, that operates in the EU and processes the personal data of EU customers is subject to it. Brexit does not mean that the GDPR no longer applies in the UK: the UK has incorporated the GDPR into its domestic law (the UK GDPR) to govern data protection and privacy in the country.
Is the GDPR different after Brexit?
The UK GDPR introduced after Brexit is borrowed almost word for word from the EU GDPR. There are only a few notable differences, such as the age of consent (16 in the EU and 13 in the UK) and the maximum fine for non-compliance (€20 million in the EU and €17.5 million in the UK).
Is GDPR EU only?
The GDPR protects the personal data of EU individuals. It has wide territorial reach as it applies to organizations that process personal data, whether they are based in the EU or not. Therefore, UK-based businesses that operate in the EU and process personal data of individuals within the EU territory are subject to EU GDPR compliance.