Will GDPR apply to the UK after Brexit? & other GDPR FAQ's

There are many questions being asked regarding the UK, GDPR and Brexit, including what happens now that Britain has left the EU? Many people are unsure if the UK is GDPR compliant or if GDPR applies to the UK.

You may have heard of the UK General Data Protection Regulation and be unsure of what it is.

We’ve narrowed it down to the most frequently asked questions to help clear up what exactly is going on.

UK GDPR FAQs

• Does GDPR apply to the UK after Brexit?

• Will the UK keep GDPR after Brexit?

• Is GDPR UK law?

• What is UK GDPR?

• Who enforces UK GDPR?

• How much is a GDPR fine in the UK?

Does the GDPR apply to the UK after Brexit?

The answer is GDPR still applies in the UK after Brexit. The General Data Protection Regulation applies to any organisation that processes personal data belonging to a resident or citizen of the EEA. If you didn’t know, the EEA consists of the member states of the EU and three countries of the European Free Trade Association (EFTA). These three countries are Iceland, Liechtenstein and Norway.

Though the UK is no longer in the European Union, and so not subject to EU law. The power of the GDPR extends beyond the member state borders of the EU. This means that organisations in the UK wishing to process the personal data of EU citizens or residents must continue to comply with General Data Protection Regulation. 

The good news is that the General Data Protection Regulation of April 2016 and enforceable from May 2018, was mirrored by the UK’s Data Protection Act 2018 (DPA 2018). So organisations in the UK should already be GDPR compliant.

There are two differences for the UK as of January 2021 because it is no longer a member of the EEA:

• Article 27 requires organisations processing EU personal data outside of the EU to have a representative in at least one member state they are processing data from.
• For example, an organisation processing data from Germany, Spain or France would be required to have a representative in either Germany, Spain or France. They may want a representative in each country, however, if their activities involved processing a lot of data.
• It is important to note that Article 27 only applies if the processing is likely to result in a risk to the rights and freedoms of any people. Or if it involves large-scale processing of the special categories of data that are protected by the General Data Protection Regulation.
• The UK must pass an adequacy test to be considered a safe place for EU data to be transferred to and from. This adequacy test may take some time to be passed.
• Fortunately, the 2020 trade agreement allows for a grace period during which data may continue to flow freely between the UK and the EEA. The grace period will last until the results are out, or for four months from January 1st 2021. There is an option to extend the period for two months if neither party objects.

Will the UK keep GDPR after Brexit? | Is GDPR UK law?

As mentioned above, the General Data Protection Regulation will still apply to the UK now that we have left the European Union. However, in addition to the EU GDPR, the UK Government has adopted an amended version of the GDPR into domestic law. In the hope that it will receive adequacy status from the EU and the European Parliament.

In short, data controllers and processors of personal information are still covered by data protection law in the UK. UK data protection rules are still in place for the protection of personal data that is in the public interest.

Data controllers must still disclose any data collection. They must declare the lawful basis and purpose for data processing, state how long data is being retained and if it is being shared with any third parties. Businesses must still report data breaches to UK supervisory authorities and public authorities within 72 hours if they could have an adverse effect on user privacy.

Data subjects still have the right to request a portable copy of the data collected and the right under certain circumstances to have their data erased. Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data. Are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR

This amended version of the General Data Protection Regulation is known as the UK GDPR. 

What is UK GDPR?

The UK General Data Protection Regulation is almost identical to the GDPR as it applies in the EU, with only a few amendments. Almost all of the requirements and legal terms remain the same, with only a handful of new exemptions. 

Most of the amendments were to the wording of the law. For example replacing “the Union” with “the United Kingdom”, “Union or Member State law” with “domestic law” and “supervisory authority” with “the Commissioner”. This was to make the regulations fit UK domestic law.

This is important because the amendments don’t change the regulations themselves. They just make it clear that the UK GDPR applies worldwide similar to the EU GDPR, and only concerns the personal data of UK citizens or residents.

The similarities between these two pieces of legislation make it simple to comply with both UK GDPR and the original. Just remember you have to comply with UK GDPR when processing the data of UK residents and you have to comply with EU GDPR when processing personal data of EU residents.

There are some notable exceptions under UK GDPR that you should be aware of:

• The age of consent is lowered from 16 to 13 years old.
• The regulations don’t apply to the processing of personal data for law enforcement purposes or by intelligence services (these exemptions were already in place in the DPA 2018).
• The regulations do not apply to activities concerning the maintenance of effective immigration control. Or to the investigation or detection of activities likely to undermine effective immigration control (again this was already part of the DPA 2018 - Schedule 2, Part 1, Paragraph 4).
• Organisations outside of the UK processing data of UK residents require a representative within the UK - this includes organisations within the EEA.
• The Information Commissioner’s Office (ICO) is now the supervisory authority in charge of regulating and enforcing the UK General Data Protection Regulation.

Who enforces the UK GDPR?

As we saw above, one change with the UK General Data Protection Regulation is that the ICO is now the supervisory authority in charge of enforcing the UK GDPR.

In the event of data breaches, or if you have questions concerning personal data security, you should contact the ICO. It is also the point of contact for data protection officers working with personal data from the UK.

How much is a GDPR fine in the UK?

In order to help the UK General Data Protection Regulation better align with domestic law, the fines that can be issued under the legislation were altered slightly. The two tiers of UK GDPR fines are:

• The higher maximum - £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is greater.
• The standard maximum - £8.7 million or 2% of total annual worldwide turnover in the preceding financial year, whichever is greater.

The higher maximum applies to serious infringements. Such as a failure to comply with any of the data protection principles. Or a failure to respect the rights an individual may have under Part 3 of the UK GDPR. Or the transfer of data to a third country, a third country is any country outside of the UK to which transfers are restricted by UK adequacy regulations.

The standard maximum applies to less serious infringements such as administrative requirements not being met.

Hopefully this will have cleared up some of the fog surrounding the UK General Data Protection Regulation for you. For more information on the GDPR seven principles, data security and GDPR compliance, consider taking our GDPR Awareness Training online course.