This guide provides an overview of the UK GDPR and other UK Data Protection laws
What is UK Data Protection?
Data Protection law in the UK post-Brexit consists mainly of the UK GDPR and the Data Protection Act 2018 as revised by the Brexit legislation. Below we explain how Brexit changed the situation in the UK, what it means for different countries, and provide a brief overview of the two main pieces of legislation now in place.
The situation before Brexit
Prior to Brexit, the UK was a member state of the European Union and so was subject to its laws. In 1995 the EU created the Data Protection Directive which, rather than becoming law directly in all member states, instead provided what was effectively a specification for each member state to introduce its own law concerning data protection. Accordingly, the UK brought in the Data Protection Act in 1998 as its implementation of the Directive, and other EU countries enacted their equivalents. Many years passed and technology moved on relentlessly, blurring the lines of data protection as it went. To catch up (and to simplify the situation where each member state had slightly differing laws), the EU created the General Data Protection Regulation (GDPR) in 2016 and this became law within the EU on 25 May 2018. The GDPR, being a Regulation rather than a Directive, applied directly to all of the EU without needing a separate local law to be passed in each member state. However, the GDPR did allow for some variations within each country, such as the age of a child for data protection purposes (default 16, but this could be as low as 13). Partly to specify what these were in the UK, the government introduced an update to the Data Protection Act in 2018. So, prior to Brexit, data protection law in the UK was defined mainly by a combination of the GDPR and the Data Protection Act 2018 (there are also laws called the PECR and NIS, but we won’t be discussing these here). The combination of the GDPR and the changes to it introduced by the Data Protection Act 2018 is sometimes referred to as the “applied GDPR”.
The situation after Brexit
Once Brexit was decided upon, the UK started its preparations to leave the EU. From a data protection point of view, the main piece of legislation passed was called “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019”. These regulations set out the changes that would be made to current UK laws to adapt them to the fact that the UK was leaving the EU. In basic terms, what they did was to create the “UK GDPR” (as distinct from the “EU GDPR”) and make changes to the DPA 2018. The intention is that UK data protection law remains the same as EU law, at least in the short term, so most of the changes simply replace references to the EU and its institutions with their UK equivalents. So, after Brexit, data protection law in the UK is defined mainly by a combination of the UK GDPR and the (revised) Data Protection Act 2018.
What’s changed as a result of Brexit?
So what does this mean for organisations in the UK, the EU and elsewhere that need to comply with relevant data protection law? The first thing to say is that the original EU GDPR is still very much alive and must still be complied with by all organisations that process the personal data of people in the EU, wherever they are based. The second point is that the situation is still evolving, and political changes may be made, sometimes at short notice, that affect what needs to be done to stay compliant with data protection law. The general guidance depends mainly on where your organisation is based, and the personal data it processes.
UK-based organisations
If you’re an organisation based in the UK, and you’re processing the personal data of UK citizens only, then you will just need to comply with the UK GDPR and DPA 2018. If you transfer the personal data of UK citizens outside the UK, including to the EU, then you will need to look at the basis used for the transfer. The good news is that the UK trusts the EU data protection regime, so transfers to the EU are covered by a UK adequacy decision, which means that little additional justification is required. If you do process the personal data of people in the EU, then the EU GDPR will continue to apply to you in addition to UK law, and you may need to nominate a representative within the EU. In this case, you will also need to look at any transfers of EU personal data you perform to the UK. Under the treaty negotiated between the EU and the UK at the end of 2020, a six-month period was initially agreed during which personal data could flow freely from the EEA (The European Economic Area, which consists of the EU member states plus Norway, Iceland and Liechtenstein) to the UK, as before Brexit. Fortunately, once this period expired, a new EU adequacy decision was made in favour of the UK, so these transfers will continue to be legally covered for now.
EU-based organisations
For organisations based in the EU, and processing the personal data of people in the EU only, largely nothing changed after Brexit. The EU GDPR still applies; the main aspect such organisations may need to review is in the situation where they transfer personal data to the UK, perhaps for processing. Not long after Brexit, the EU granted an adequacy decision in favour of the UK which means that it considers UK data protection law to be “good enough”, and transfers can continue. If your organisation not only processes the personal data of people in the EU, but also of UK citizens, then you will need to comply not only with the EU GDPR, but also with UK data protection laws. The main one of these is the UK GDPR which, as the name suggests, is (deliberately) very heavily based on the EU GDPR. You may need to appoint a representative in the UK who will act for you in interfacing with the UK Information Commissioner’s Office (ICO) which wasn’t needed previously.
Organisations based outside the EU and UK
If your organisation is in neither the EU nor the UK, then the main change will be that you will need to start to consider the two as separate entities, potentially appointing representatives in both (assuming you process the personal data of people both in the UK and the EU). If you don’t operate in the UK, then there will be little change, unless perhaps you transfer EU data to a processor in the UK (although the EU adequacy decision for the UK covers this). Conversely, if your organisation targets customers only in the UK, then you will need to keep track of any divergence between UK and EU data protection law as time goes by; initially they may be considered to be the same, but the UK government is working on some updates, so watch this space.
Changes affecting transfers to the USA
The data protection laws in the USA are not currently seen by the EU or the UK as adequate and, up until recently, a special scheme called the EU-US Privacy Shield was in place to allow the transfer of personal data to the USA. However, in July 2020 the Court of Justice of the European Union (CJEU) made a judgement on a case brought by an Austrian privacy activist called Schrems that meant that the EU-US Privacy Shield scheme was no longer available to US organisations wishing to accept transfers of EU personal data. As a result, for a period of time organisations making transfers to the US under the scheme had to find an alternative way to make such transfers legal under both the EU and (post-Brexit) the UK GDPR. In 2023 a replacement for the Privacy Shield was agreed – the EU-US Data Privacy Framework – and currently transfers may be made to US organisations that have registered with this scheme. However, Maximillian Schrems, who also had a hand in the demise of the Privacy Shield’s predecessor (which was called “Safe Harbor”), is rumoured to be looking at the EU-US Data Privacy Framework too, so the new scheme may have a similarly uncertain and controversial future.
The UK GDPR
The first thing to say about the UK GDPR is that it doesn’t actually exist as a separate document that is published by the UK government. This may seem strange, but it’s due to the way that such amendments work in the UK legal system; laws remain in their original form and must be considered in conjunction with changes to them until they are “consolidated”.
According to published guidance, at the moment there are no plans to consolidate either the UK GDPR or the Data Protection Act. To see the contents of the UK GDPR, it is necessary to start with the EU GDPR and then look at the changes made to it by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
To make referencing the UK GDPR easier, CertiKit has produced a more readable version that shows the revised document, with the changes incorporated but not marked up, and this is included in UK Data Protection Toolkit (along with the originals).
The original EU GDPR 2016 document is eighty-eight pages long and consists of two main parts:
Recitals – 173 numbered paragraphs that lay out the principles and intentions of the Regulation; if you like, the background.
Articles – the 99 sections that set out the detail of the Regulation.
In comparison, the UK GDPR does without the recitals completely and removes many of the articles that deal with the workings of the EU data protection mechanisms, so it’s much shorter: thirty-two articles are removed and just one is added, leaving a total of sixty-eight.
The UK GDPR establishes several principles that underpin the legislation and are outlined using the following terms (with our quick summary given after each):
Lawfulness, fairness and transparency – keep it legal and fair; say what you’re going to do with the data in clear terms
Purpose limitation – don’t do more with the data than you said you would
Data minimisation – don’t collect more data than you need
Accuracy – keep it up to date and deal with inaccuracies as soon as possible
Storage limitation – don’t keep the data for longer than necessary
Integrity and confidentiality – keep the data safe while you have them
Accountability – be able to show that you’re complying with the principles above
If you always keep these principles in mind, you’re unlikely to fall foul of the UK GDPR.
The Data Protection Act 2018
The Data Protection Act 2018, as revised by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, adds a layer of additional clarification to various points stated in the UK GDPR. These largely revolve around the definition of terms such as “public body” or “public authority” in a UK context, how UK law applies to the articles, powers of the Secretary of State (including regarding international transfers), and various other specific issues. All of these points can be found in Part 2, Chapters 1 and 2 of the Act. The rest of the Act, which is lengthy (7 Parts in all, with a further 20 Schedules), largely covers areas not generally relevant to a non-public-sector organisation looking to remain compliant, such as law enforcement processing, intelligence services processing, the Information Commissioner and enforcement.
How can CertiKit help?
To start, we’d advise reading the UK GDPR in conjunction with our UK Data Protection Implementation Guide, with the revised Data Protection Act 2018 on hand too.
For fast and easy compliance, the CertiKit UK Data Protection Toolkit includes the revised text of the DPA 2018 Parts 1 and 2 (Chapters 1 and 2), as well as 100+ templates and guides and expert support.