Alessandra NisticoThere is a lot of confusion related to the EU GDPR vs the UK GDPR, how UK businesses need to comply with privacy regulations when doing business in the EU, and what EU businesses need to comply with when collecting personal data in the UK.
The UK GDPR mirrors the EU GDPR, so their provisions are similar with some minimal modification, while the UK DPA adapts EU GDPR rules to the domestic legal system giving definitions, rules for public bodies, and setting enforcement procedures and powers.
How did the EU GDPR become the UK GDPR?
To prepare for EU withdrawal, the United Kingdom government adopted the European Union (Withdrawal) Act 2018, which incorporates into domestic law some EU regulations (named “retained EU law”). The General Data Protection Regulation (EU) 2016/679 GDPR has been included in its entirety, with the interpretation provided from the European Court of Justice until 31 December 2020. Therefore, the EU GDPR has been part of the UK legal system throughout 2020, but what about after that period?
Since that period, the EU GDPR has been expelled from the UK legal system and replaced by the UK GDPR. In fact, the EU Withdrawal Act 2018 allowed the UK ministers to modify any “retained EU law” to adapt into UK law once the transition period had ended. That is how the UK GDPR was born from Brexit. The UK government replaced any reference to EU institutions (EU Commission, EU Parliament, European Data Protection Board, EU Court of Justice, etc.) with reference to UK domestic institutions; EU Member State internal legislation was replaced by the Data Protection Act 2018; and references to the Surveillance Authority were replaced with references to the Information Commissioner’s Officer.
What is the difference between the UK DPA, the UK GDPR and the EU GDPR?
The UK DPA refers to the domestic implementation of the EU GDPR. It adapts the European rules to the domestic legal system, giving definitions, rules for public bodies, setting enforcement procedures and powers, and so on.
The UK GDPR mirrors the EU GDPR, so their provisions are similar, with some marginal modification.
Data collected until 31 December 2020 was under the EU GDPR, while data collected from 1 January 2021 is under the UK GDPR.
Which data protection laws apply in the UK after Brexit?
There are two main data protection laws that apply to the processing of personal data in the UK after Brexit – these being the Data Protection Act 2018 and the UK GDPR.
Data controllers based in the EU need to keep in mind that the UK GDPR applies outside the UK, and, therefore, if they offer goods or services to UK individuals or monitor behaviour of UK individuals, they will need to comply with the UK GDPR provisions.
Now that the UK is an extra-EU country, until the UK government and EU Commission agree on an adequate decision, data transfers between the EU and the UK should be under appropriate safeguards like the Standard Contractual Clauses, the Binding Corporate Rules or Agreements Standard Contractual Clauses, the Binding Corporate Rules or Agreements approved by the EU Commission or the National Surveillance Authorities.
The free flow of personal data between the UK and the EU will be possible when the UK government and the EU Commission agree on the adequacy decision; at the moment of writing this article, the approval procedure is still ongoing, so you need to rely on different transfer tools (i.e., Standard Contractual Clauses).
Does the EU GDPR apply in the UK?
Yes, if you are based in the UK and you offer goods or service to individuals based in the EU, or you monitor behaviour or process personal data of EU individuals, you will need to comply with the EU GDPR because of the global application of the EU GDPR – exactly as you would when based in any other non-EU country. So, you will need to maintain GDPR compliance in the UK to both regulations (the EU GDPR and the UK GDPR). Of course, you will need to comply with the Data Protection Act 2018, as well.
What is the Data Protection Act 2018?
The Data Protection Act 2018 (UK DPA) is the domestic implementation of the EU GDPR (now UK GDPR), and it provides some data protection rules for sectors where the EU GDPR does not apply.
For example, the EU GDPR does not apply in the national security field. In order to define how national security authorities deal with personal data, their powers and limits, the UK DPA provides a regulation. The UK DPA also sets the enforcement powers of the Information Commissioner’s Officer (ICO), the Data Protection Authority in the UK.
These are the sections of the DPA 2018:
- General rules on processing
- The GDPR
- Law enforcement processing
- Intelligence services processing
- Transfers of personal data outside the United Kingdom
- Exemptions
- The Information Commissioner
- Enforcement
- Supplementary and final provision
How to comply with data protection regulations in the UK
Transfers of data between the UK and the EU: until 30 April 2021, you can enjoy the bridge period, which can be extended to 30 June 2021. After that period, there are two possible scenarios:
- If the EU Commission adopts the adequacy decision: your data transfer will be based on that legal basis.
- If the EU Commission does not adopt the adequacy decision: you will need to be ready with another legal ground for data transfer. The EU Commission and the ICO jointly recommend to be prepared to adopt the appropriate safeguards in order to continue with the flow of data.
If you operate in the UK, you will also need to comply with GDPR rules. You will need to appoint an EU representative and a Lead Supervisory Authority (LSA) in case you offer services and goods in more than one EU member state. Usually, the controller appoints the LSA in the same EU country as the EU representative.
If you are based in the EU and you offer services and goods to UK customers, you will need to comply with the UK GDPR because of its extraterritorial effect. You will need to appoint a UK representative who can deal with the ICO.
Do I need to revise my GDPR documentation?
Yes, you need to update policies, notices and agreements stating the new legislation.
Do not forget to update your website privacy notice to mention the UK GDPR as the regulation that applies to data processing. In the following chart, you can see what legislation needs to be mentioned in your privacy documentation. Therefore, depending on whether you are based in the UK or the EU, and depending on whether your processing activities relate to monitoring of behaviour or offering of services and goods in the EU or the UK, you will need to comply with the following regulations:
UK controllers who offer services and goods only to UK customers (or monitor their behaviour, or process data of individuals located in the UK) will be under the domestic legislation: the UK GDPR and the Data Protection Act 2018. If UK controllers offer services to the EU processing data of EU individuals, they will apply the UK GPDR, Data Protection Act 2018 and the EU GDPR. They will need to appoint the EU representative, the LSA and be prepared for the end of the bridge period.
EU controllers who process data of EU and UK citizens will need to comply with the EU GDPR and the UK GDPR. Please note that the DPA 2018 is a domestic legislation, so you do not need to mention it if you are an EU controller (do not forget to mention your domestic data protection law). Of course, EU controllers who do not process any data of UK individuals (e.g., a French company processing data of French individuals) will only apply the EU GDPR.
Proactively prepare for the changes
If you complied with EU GDPR requirements, implementing UK GDPR requirements will be rather short, because the regulations are almost identical. You need to adapt your documentation in order to mention the new UK GDPR, organise your data transfer with the EU, and check the data transfer instruments with countries outside the EU and the UK in order to verify your new domestic rules.
To learn which documents you need to comply with the EU GDPR, download this free Checklist of Mandatory Documentation Required by EU GDPR.