September 1, 2021

Your UK-GDPR Questions Answered


The United Kingdom General Data Protection Regulation (UK-GDPR) in many ways mirrors the European GDPR. It was drafted from the EU-GDPR legal text and revised to accommodate the UK's domestic areas of law. Let's walk through what this all means.

What happens with all the jargon?

The core definitions and legal terminology made familiar by the European GDPR are all found in the UK-GDPR: personal data, the rights of data subjects, controller and processor, and the requirement for a legal basis for processing, such as prior consent.

How different are the UK DPA, the UK GDPR and the EU GDPR?

The UK DPA refers to the domestic implementation of the EU-GDPR. It adapts the European rules to the domestic legal system, giving definitions, rules for public bodies, setting enforcement procedures and powers, and so on. The UK-GDPR mirrors the EU-GDPR, so their provisions are similar, with some marginal modification.

Data collected before or on 31 December 2020 would be under the EU-GDPR, while data collected from 1 January 2021 onwards would be under the UK-GDPR.

Does UK-GDPR apply to the EU and vice versa?

In short: yes and yes.

Data controllers based in the EU need to keep in mind that the UK-GDPR applies outside the UK as well. Just as the EU-GDPR applies to any business anywhere in the world that trades with EU countries, the UK-GDPR applies to your business as long as it offers goods or services to UK individuals or monitors the behaviour of UK individuals.

So, if your UK-based business is trading with the EU and processing data of EU individuals, you will need to comply with both regulations (the EU-GDPR and the UK-GDPR). On top of that, you will also need to comply with the Data Protection Act 2018.

How does UK-GDPR affect the preexisting legal landscape of data protection in the UK?

Ultimately, the UK-GDPR does expand on and deviate from the EU-GDPR in significant ways that change the legal landscape of data protection in the UK. These changes are set out in the UK government's Data Protection, Privacy and Electronic Communications (EU Exit) Regulations (the DPPEC regulations). These regulations reshape the European GDPR into the domestic UK-GDPR and also revise the Data Protection Act 2018.

In particular, the UK-GDPR expands on the areas of national security, intelligence services and immigration, introducing exceptions under which the regular protection of personal data can be bypassed, e.g. in matters of national security or immigration. It also applies the same requirements for the collection and processing of personal data to the intelligence services.

Furthermore, the Information Commissioner, the leading data protection authority in the UK today, takes over the European Data Protection Board's role as the leading supervisor, regulator and enforcer of the UK-GDPR. Additionally, the Secretary of State is given the power to make or revoke adequacy decisions under the UK-GDPR. In fact, the Secretary can make these decisions without consulting the ICO.

So, what now? How do I comply in the UK?

If you operate in the UK and offer goods and services in more than one EU member state, you will need to appoint an EU representative and a Lead Supervisory Authority (LSA). Usually, the controller chooses the LSA in the same EU country as the EU representative.

If you are based in the EU and you offer services and goods to UK customers, you will need to comply with the UK-GDPR because of its extraterritorial effect. You will need to appoint a UK representative who can deal with the ICO.

Do I need to redo my GDPR documentation?

All you need to do is update policies, notices and agreements stating the new legislation.

Remember to update your website privacy notice so that it names the UK-GDPR as the regulation that applies to your data processing. Depending on whether you are based in the UK or the EU, and on whether your processing activities involve monitoring behaviour or offering goods and services in the EU or the UK, you will need to comply with the relevant regulations:

  • Personal data processed in the EU (UK-based controller): UK-GDPR, DPA 2018, EU-GDPR
  • Personal data processed in the EU (EU-based controller): EU-GDPR
  • Personal data processed in the UK (UK-based controller): UK-GDPR, DPA 2018
  • Personal data processed in the UK (EU-based controller): EU-GDPR, UK-GDPR

I thought I was done with GDPR. Just tell me what I need to do, will you?

If you are already compliant with the EU-GDPR requirements, then implementing the UK-GDPR requirements will be relatively quick and straightforward. After all, as mentioned in our introduction, the two regulations are almost identical.

To bring yourself in line with the new domestic rules, all you need to do is:

  • Adapt your documentation in order to mention the new UK-GDPR
  • Organise your data transfer with the EU
  • Check the data transfer instruments you use with countries outside the EU and the UK