When the GDPR came into full effect in May 2018, the United Kingdom (UK) was still a member state of the EU. Though negotiations for the UK's exit from the EU (Brexit) had been ongoing since the referendum in 2016, the UK remained obligated to comply with the GDPR.
However, following the transition period, the UK ceased to be an EU member state on 31 December 2020.
That has raised significant confusion about whether UK organizations still need to comply with the GDPR, and about what replaces the GDPR in UK legislation.
To clear up any remaining confusion, we'll explain how the GDPR now relates to the UK in this article. We'll also discuss the current state of UK data protection legislation.
From 1 January 2021, the EU GDPR no longer fully applies in the UK. However, the UK – like all non-EU countries – is still bound by the extra-territorial effects of the GDPR.
Two primary extra-territorial effects impact non-EU organizations:
Failure to follow the GDPR to the letter will result in a fine of €20 million or 4% annual global turnover – whichever is highest. For UK organizations, this is more likely to be punishable in court given the recent close adherence to EU legislation.
This does not apply to UK organizations that do not cater to EU citizens (for example, a local restaurant). It also does not apply to personal or family-based communications.
What has replaced the EU GDPR?
In preparation for Brexit, the UK government transferred much of EU legislation into UK law. That includes the EU GDPR. Back in 2018, the Data Protection Act (DPA) already enacted EU GDPR requirements into UK law. However, further amendments to the DPA (2018) were made with the DPPEC (Data Protection Privacy and Electronic Communications (Amendments, etc.) (EU Exit)) in 2019. This legislation merged the DPA (2018) with the EU GDPR to create a new UK-specific data protection regime.
This is known as the UK GDPR.
The UK GDPR is a separate piece of legislation, distinct from the EU GDPR. However, the UK GDPR shares many of the same key principles, rights, and obligations due to its history. Like the EU GDPR, the UK GDPR has two key principles:
The UK GDPR also has implications for non-UK organizations. Like the EU GDPR, the UK GDPR exercises an "extra-territorial effect." That means organizations located outside the UK must follow the UK GDPR under the following circumstances:
- If they market goods or services to UK-based citizens (either paid or free).
- If they monitor the online behavior of UK citizens when accessing their website.
In both cases, the personal data of UK citizens are subject to stringent legislation. Thus, businesses in both the UK and EU must comply with both the UK and EU GDPRs – even though both are regulated separately.
Once again, like the EU GDPR, there are some notable exceptions. The UK GDPR does not govern personal communications or businesses that do not cater to UK citizens, for instance a local bookshop in Prague, Czechia.
Failure to comply with the UK GDPR also results in fines: either £17.5 million or 4% annual global turnover – whichever is highest. That is not the full list of possible enforcement activities. The UK Information Commissioner's Office (ICO) also retains the right to enforce UK GDPR infringements via other means, including:
- Issuing warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction, or erasure of data
- Suspending data transfers to third countries
The UK GDPR also ranks offenses and issues different levels of penalties. There are two penalty levels:
To recap: in preparation for Brexit, the UK government transferred and consolidated existing legislation into the UK GDPR. This regulation mirrors the EU GDPR in many ways. It requires non-UK organizations to follow the law when collecting and using UK citizen data.
Therefore, businesses need to familiarize themselves with the legislation and its requirements.