When the GDPR came into full effect in May 2018, the United Kingdom (UK) was still a member state of the EU. Though negotiations for the UK’s exit from the EU (Brexit) had been ongoing since the referendum in 2016, the UK remained obligated to comply with the GDPR.
However, following the transition period, the UK ceased to be an EU member state on 31 December 2020.
That has raised significant confusion about whether UK organizations still need to comply with the GDPR, and about what replaces the GDPR in UK legislation.
To clear up any remaining confusion, we’ll explain how the GDPR now relates to the UK in this article. We’ll also discuss the current state of UK data protection legislation.
Does the GDPR apply to the UK?
From 1 January 2021, the EU GDPR no longer fully applies in the UK. However, the UK – like all non-EU countries – is still bound by the extra-territorial effects of the GDPR.
Two primary extra-territorial effects impact non-EU organizations:
- When selling goods and services to EU citizens. Here, the collection of personal data is still regulated and must accord with the GDPR. That means following the seven core principles and ensuring consent is actively given.
- Monitoring of user activity is also covered, for instance through the use of cookies. Here, any data collected to monitor an EU citizen must be handled in accordance with the GDPR.
Failure to follow the GDPR to the letter can result in a fine of up to €20 million or 4% of annual global turnover – whichever is higher. For UK organizations, enforcement is more likely to be pursued given the UK’s recent close adherence to EU legislation.
This does not apply to UK organizations that do not cater to EU citizens, for example, a local restaurant. It also does not apply to personal or family-based communications.
What has replaced the EU GDPR?
In preparation for Brexit, the UK government transferred much EU legislation into UK law, including the EU GDPR. Back in 2018, the Data Protection Act (DPA) had already enacted EU GDPR requirements into UK law. However, further amendments to the DPA (2018) were made in 2019 by the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit)) Regulations. This legislation merged the DPA (2018) with the EU GDPR to create a new UK-specific data protection regime.
This is known as the UK GDPR.
What is the UK GDPR?
The UK GDPR is a separate piece of legislation, distinct from the EU GDPR. However, the UK GDPR shares many of the same key principles, rights, and obligations due to its history. Like the EU GDPR, the UK GDPR has two key principles:
- Organizations collecting the personal data of UK citizens must ensure it is done in a limited and secure manner. This reduces the mass collection of data and lowers the likelihood of data breaches.
- UK citizens have the right to consent to their data collection and can rescind their consent at a later point. They must be properly informed about how their data is being used before they can make a decision.
The UK GDPR also has implications for non-UK organizations. Like the EU GDPR, the UK GDPR exercises an “extra-territorial effect.” That means organizations located outside the UK must follow the UK GDPR under the following circumstances:
– If they market goods or services to UK-based citizens (either paid or free).
– If they monitor the online behavior of UK citizens when accessing their website.
In both cases, the personal data of UK citizens is subject to stringent legislation. Thus, businesses operating in both the UK and the EU must comply with both the UK and EU GDPRs – even though the two are regulated separately.
Once again, like the EU GDPR, there are some notable exceptions. The UK GDPR does not govern personal communications or businesses that do not cater to UK citizens, for instance a local bookshop in Prague, Czechia.
What happens if you do not comply with the UK GDPR?
Failure to comply with the UK GDPR also results in fines: up to £17.5 million or 4% of annual global turnover – whichever is higher. That is not the full list of possible enforcement activities. The UK Information Commissioner’s Office (ICO) also retains the right to enforce UK GDPR infringements via other means, including:
– Issuing warnings and reprimands
– Imposing a temporary or permanent ban on data processing
– Ordering the rectification, restriction, or erasure of data
– Suspending data transfers to third countries
The UK GDPR also ranks offenses and issues different levels of penalties. There are two penalty levels:
- Lower level. Fines up to £8.7 million or 2% of annual global turnover. Issued for the following article infringements:
a. Article 8: Conditions for children’s consent
b. Article 11: Processing that doesn’t require identification
c. Articles 25 to 39: General obligations of processors and controllers
d. Article 42: Certification
e. Article 43: Certification bodies
- Higher level. Fines up to £17.5 million or 4% of annual global turnover. Issued for the following article infringements:
a. Article 5: Data processing principles
b. Article 6: Lawfulness of processing
c. Article 7: Conditions for consent
d. Article 9: Processing of special categories of data
e. Articles 12 to 22: Data subjects’ rights
f. Articles 44 to 49: Data transfers to third countries or international organizations
To recap: in preparation for Brexit, the UK government transferred and consolidated existing legislation into the UK GDPR. This regulation mirrors the EU GDPR in many ways. It requires non-UK organizations to follow the law when collecting and using UK citizens’ data.
Therefore, businesses need to familiarize themselves with the legislation and its requirements.