After months of negotiations and a lot of mixed reactions, the United Kingdom (UK) has officially ended its (almost) five-decade membership of the European Union (EU). The saga commonly known as Brexit (Britain's exit) involved many back-and-forth discussions and postponed dates. One of the things that has attracted a lot of attention is the future of the GDPR in the UK after Brexit. That is what we will focus on in this article.
What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection regulation adopted by the European Parliament and the Council of the EU. It came into effect on May 25, 2018. It applies to any organization (including websites), regardless of its location, that processes the personal data of people in the EU. Personal data is any information relating to an identified or identifiable person, whether the person can be identified directly or only in combination with additional information. Examples include name, address, email address, bank account details, IP address, and social media information.
The EU GDPR sets out several principles for processing personal data and the rights that EU residents have over their personal data.
There are seven GDPR principles for processing personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
(The infographic that explained these principles is not reproduced here.)
The rights granted by the regulation are the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
The Data Protection Act (DPA) 2018 was enacted to implement and supplement the GDPR in the UK.
GDPR and Brexit: what happened so far
The road to Brexit went through many ups and downs. After lengthy negotiations, the UK left the EU on January 31, 2020. The withdrawal agreement between the UK and the EU placed the UK in a 'transition period' that ran until December 31, 2020. During this period, the UK and the EU negotiated the terms of their future relationship.
The EU GDPR continued to apply in the UK until the transition period ended. Organizations (including websites) that serve UK customers therefore continued to follow the EU GDPR until December 31, 2020.
Now that the transition period has come to an end, let us look at what happens to the GDPR in the post-Brexit era.
GDPR and Brexit: what happens next
With the UK outside the EU, it is now formally a "third country" and falls outside the scope of the EU GDPR. The UK government retained the text of the EU GDPR in domestic law and amended it, together with the DPA 2018, through the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The resulting UK-specific regulation is known as the UK GDPR.
The UK GDPR replaces the EU GDPR in the UK from January 1, 2021. The two are largely identical: the UK GDPR keeps the same seven principles for processing personal data and grants people the same data protection rights.
The significant changes that Brexit brings to GDPR compliance are:
- The EU GDPR no longer applies in the UK. Organizations (based in or outside the UK) that process the personal data of people in the UK must comply with the UK GDPR.
- UK-based organizations that offer goods or services to, or monitor the behaviour of, people in the EU must continue to comply with the EU GDPR. A UK organization that is subject to the EU GDPR but has no establishment in the EU generally needs to appoint an EU representative under Article 27; likewise, an organization outside the UK that is subject to the UK GDPR without a UK establishment generally needs a UK representative.
- Personal data can continue to flow from the EEA to the UK without additional safeguards for an interim period of up to four months starting from January 1, 2021, extendable by a further two months. After that, free flow depends on whether the European Commission adopts adequacy decisions for the UK. An adequacy decision allows personal data to be transferred from the EU to a country outside the EU without further authorization from supervisory authorities or additional legal safeguards; without one, transfers need a mechanism such as standard contractual clauses.
- Data flow from the UK to the EEA is governed by UK law and remains unaffected, because the UK government has recognized the EEA as adequate for data protection purposes.
- Privacy notices and related documentation must be updated to reflect that the UK is no longer an EU member state, which legal basis (UK GDPR and/or EU GDPR) applies, and how international transfers are handled.
- The Information Commissioner's Office (ICO) remains the UK's supervisory authority and enforces the UK GDPR, but it is no longer a member of the European Data Protection Board (EDPB) and no longer takes part in the EU's one-stop-shop mechanism. Organizations operating in both the UK and the EU may therefore face the ICO and an EU supervisory authority separately.
As you can see, Brexit does not change the EU GDPR itself, and the UK version is almost identical to it. An organization that deals with both UK and EU residents and is already GDPR-compliant has relatively little to do beyond understanding the points above, such as representatives, transfer mechanisms, and updated privacy notices. Those who are (still) not compliant, however, now have one more regulation on their plate.
CookieYes takes care of the GDPR cookie consent requirements for your website, helping it meet both the EU and UK GDPR standards for cookies.
Set up a customizable cookie consent banner on your website with the necessary information about cookies and consent options. You can also block third-party cookies until the user gives consent and maintain a log of the consents collected.
Sign up today for a 14-day free trial and enjoy premium features!