What is UK GDPR: 9 Key Things Businesses Need to Know

UK GDPR came into force on Jan. 1, 2021, and with it came the need for UK organizations to align their data protection compliance efforts with the new requirements.

Since Brexit was officially confirmed with the transition period ending on Dec. 31, 2020, the EU General Data Protection Regulation (GDPR) no longer applies in the UK.

This article focuses on the scope and substance of UK GDPR in relation to;

• What is UK GDPR
• What is the Data Protection Act (DPA) 2018? 
• What is the connection between EU GDPR, DPA 2018, and UK GDPR?
• Who needs to comply with the UK GDPR
• What is the penalty for UK GDPR non-compliance 
• Does the EU GDPR still apply to UK organizations?
• Are there any differences between UK GDPR and EU GDPR?
• How does Brexit affect EU-UK Data transfers? 
• How do I make my website compliant? 

What is UK GDPR?

It refers to the United Kingdom’s General Data Protection Regulation. UK GDPR came into force on January 1, 2021, and outlines the main principles, rights, and requirements that businesses must follow in processing UK residents’ personal data. 

UK GDPR is an adaptation of EU GDPR to ensure the latter works effectively domestically. 

Here is the full-text of the UK GDPR to help you learn more about the new data protection regime in Britain.

What is the Data Protection Act (DPA) 2018? 

It is an Act that creates the legal framework for data protection law in the UK that was adopted on 25 May 2018, to replace the Data Protection Act 1998. 

The DPA 2018 was amended on Jan 1, 2021, following Brexit and now supplements the UK GDPR. 

Check out the full-text of the Data Protection Act 2018 here.

You can read about the Swiss Federal Data Protection Act.

What is the Connection between EU GDPR, DPA 2018, and UK GDPR? 

After Britain left the European Union following the end of the Brexit transition period, The UK Data Protection Act (DPA) 2018 incorporated EU GDPR requirements. 

Therefore, UK GDPR is a new data protection regime resulting from the incorporation of EU GDPR into British domestic data privacy law: the Data Protection Act (2018).

Businesses in the UK need to update their GDPR documentation and ensure it is in alignment with UK GDPR provisions. 

Check out these 4 useful insights  for GDPR post-Brexit with our blog.

Who Needs to Comply with UK GDPR? 

If you collect, hold, or process personal data from persons living within the UK, you will be expected to comply with the post-Brexit data protection regime. 

Similarly, if you are a company headquartered outside the UK, but you provide goods or services to residents of Britain,  and monitor their online behavior, you will need to ensure that your data processing activities are compliant with UK GDPR. 

You can sign up for a free trial of the #1 data privacy compliance tool in the market and make your website compliant in less than 1 week

What is the penalty for UK GDPR non-compliance? 

If your company is found to be violating UK GDPR compliance requirements, you risk a maximum fine of £17.5 million.

This figure is different from the EU GDPR’s non-compliance penalty, which stands at 20 Million Euros or 4% of your yearly global revenue, whichever is higher. 

Does the EU GDPR still Apply to UK Organizations? 

Yes, it does. For companies operating in the UK, and now subject to UK GDPR, it is not time to sit back and relax. You will also be expected to comply with EU GDPR. 

However, since the principles, rights, and obligations are almost similar between the two regulations, the main additional measures you will need to take to comply with EU GDPR include; 

• Designating an EU representative 
• Aligning any existing contracts you currently have that oversee EU-UK data transfers to include standard contractual clauses 
• Finding a lead supervisory authority in the EU
• Keeping your policies, processes, and relevant documentation updated in line with the new changes. 

Are there Any Differences between UK GDPR and EU GDPR? 

Although the two data privacy laws are fundamentally similar, there are some differences you need to pay attention to; 

1. The Legal age for child consent; Under the UK GDPR, the consent to process personal data from a minor is valid if they are at least 13 years old. This differs from EU GDPR, where they need to be at least 16 years old. 
2. Automated Decision making; The UK GDPR allows you to carry out automated profiling in cases where there is a legitimate justification for it. This is not the case when it comes to EU GDPR since the Union’s data privacy legislation gives users the right to reject automated decision-making or profiling. 
3. Privacy vs Freedom of expression; If you have to process a user’s personal data for reasons of public interest, the UK GDPR is lenient in comparison to EU GDPR. 
4. Processing of criminal data; Under the EU GDPR, the processing of personal data needs to meet data protection compliance requirements. The same does not apply to processors of criminal data under the UK GDPR.
   
   

How does Brexit Affect EU-UK Data Transfers? 

Pending the EU’s adequacy decision, the UK is currently designated as a third country when it comes to data flows between the two jurisdictions in the aftermath of Brexit. 

To provide some context, a third country is any country outside the European Economic Area. 

Transfers of EU residents’ personal data to a third country are allowed under three specific conditions which must be met to guarantee legitimacy under the EU GDPR; 

• A third country is a recipient of an adequacy decision from the EU that recognizes it as having the required standards of data protection 
• They are facilitated by either Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs) - the appropriate safeguards for third countries without an EU adequacy decision
• They are carried out based on approved codes of conduct. 

For UK organizations, the Trade and Cooperation Agreement reached between the EU and UK in December 2020 means personal data flows from the EU will continue for a period not exceeding six months from December 31, 2020 - the end of the Brexit transition period. 

The final adequacy decision is expected anytime soon since the EU Commission has already submitted the draft decision for review and recommendations from the European Data Protection Board (EDPB). 

How Do I Make My Website Compliant? 

Secure Privacy’s GDPR compliance solution is packed with enterprise-level features that help businesses comply with both UK GDPR and EU GDPR. They include; 

• Advanced  ongoing website scanning with our unique GDPR cookie scanner that helps you detect all cookies and trackers on your website, and blocks the deployment of third-party cookies until consent is given 
• Cross-domain consent to help you manage your data subject’s cookie consent preferences in a single step across multiple domains
• Highly customizable and stylish GDPR cookie consent banners that allow your users to opt-in, or withdraw their cookie consent easily, as well as manage their preferences
• A privacy policy generator that allows you to develop a customized cookie notice for your company automatically.
  Adding a privacy policy to your website with Secure Privacy is a breeze. Adding a privacy policy button on your website is equally easy. And if you use Magento and need Magento cookie compliance with a privacy policy, or you use Hubspot, we’ve got you covered.
• Logs and consents tracking in real-time to ensure you keep retrievable records of your data subjects’ consent status if requested by Data Protection Authorities (DPAs) 

Learn more about Secure Privacy’s features with our video here 

Schedule a call to learn more

If you would like to receive additional information about UK GDPR, book a 30-min call today and get a data privacy expert to;

• carry out a quick ‘check-up’ to see if your website is fully compliant 
• Assess whether your cookie consent banner is UK GDPR compliant