Differences between the UK-GDPR and the EU-GDPR regulation
GDPR EU explains the differences between the original GDPR from the EU and the UK’s adapted version of the GDPR regulation
The UK’s departure from the European Union (EU), completed in 2020, created some confusion about the relationship between the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR).
UK businesses may need clarity on GDPR compliance now that two separate regulations exist. How do they ensure compliance with privacy law when doing business in the EU? And, on the flipside, how does the UK GDPR apply to EU citizens and businesses?
The UK GDPR closely follows the data protection rules of the EU GDPR, Europe’s comprehensive data protection law, but the two texts have started to diverge. Those differences may grow with time, especially if the UK enacts reforms such as the Data Protection and Digital Information (DPDI) Bill.
Furthermore, the UK Data Protection Act 2018 (DPA) adapts the GDPR rules to the UK’s legal system. The DPA supplements the UK GDPR, sets out data protection rules for areas the GDPR does not cover, and lists the regulator’s enforcement powers and processes.
Data protection is a fundamental right in the European Union and the General Data Protection Regulation (GDPR) is the primary law that regulates the processing of personal data. The GDPR aims to protect the rights and freedoms of individuals, particularly their right to privacy, and to ensure that personal data is processed in a fair, transparent, and secure manner.
The GDPR applies to all organizations that process personal data of EU data subjects, regardless of their location. This means that organizations outside the EU that offer goods or services to EU data subjects or monitor their behavior must also comply with the GDPR.
In the UK, the GDPR has been incorporated into national law as the UK GDPR, which applies to the processing of personal data by organizations in the UK. The UK GDPR is enforced by the Information Commissioner’s Office (ICO), which is the independent supervisory authority responsible for data protection in the UK.
In 2018, the UK Parliament passed the European Union (Withdrawal) Act 2018 to prepare the country to leave the EU. The Act carries a body of EU law over into UK domestic law, and the GDPR was retained in full. Until the end of the transition period on 31 December 2020 the EU GDPR applied directly in the UK, with the Court of Justice of the European Union keeping its jurisdiction.
So, in practical terms, the EU GDPR was fully part of UK law until the end of 2020. From 1 January 2021 the UK replaced it with the UK GDPR.
Brexit spawned the UK GDPR, with the Government replacing references to EU institutions such as the European Parliament, the European Council and the European Commission with UK equivalents. For example, references to the supervisory authority were replaced with the Information Commissioner’s Office (ICO).
The UK DPA is concerned with the implementation of the GDPR within the UK.
The data protection principles themselves were not changed; rather, the provisions around them were adapted to fit the UK’s legal system. This covers every aspect of personal data protection, including how the rules are enforced, who enforces them and how regular and systematic monitoring of individuals is regulated.
Turning to the UK GDPR itself: it very closely follows the EU GDPR, with some slight modifications for the UK. Businesses in the UK and international organisations must both understand these differences to ensure compliance.
The processing of personal data relating to criminal convictions and offences is subject to specific conditions under the GDPR (Article 10): it may only be carried out under the control of official authority or where authorised by law, which in the UK means meeting a condition in Schedule 1 of the DPA 2018. Designating a Data Protection Officer (DPO) is a separate obligation (Article 37) that applies, among other triggers, where an organisation’s core activities consist of large-scale processing of criminal offence data or special category data.
Processing carried out before 31 December 2020 fell under the rules laid out in the EU GDPR. Processing carried out from 1 January 2021 onwards falls under the UK GDPR and the detailed guidance the ICO publishes on it.
Since Brexit, the UK has two key data protection laws that apply to businesses.
Any organisation that processes personal data must comply with both laws and with the ICO’s guidance on them. Where the EU GDPR also applies to its activities, it must comply with that too.
Organisations must put in place the technical and organisational measures needed to meet their obligations under the Data Protection Act 2018 and the UK GDPR. Data controllers based in EU countries also need to understand how the UK’s new status affects their processing activities: under the EU GDPR the UK is a third country, and third countries are subject to different rules from EU member states.
This is particularly relevant when data is transferred between the UK and EU, as such transfers may now be treated as “transfers to a third country” under the EU GDPR.
The GDPR is based on several key data protection principles (Article 5) that organisations must follow when processing personal data. These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
The GDPR provides several rights to data subjects, including: the right to be informed; the right of access; the right to rectification; the right to erasure (the “right to be forgotten”); the right to restrict processing; the right to data portability; the right to object; and rights in relation to automated decision-making and profiling.
The GDPR distinguishes between data controllers and data processors. A data controller is an organisation that determines the purpose and means of processing personal data. A data processor is an organisation that processes personal data on behalf of a data controller.
Data controllers are responsible for ensuring that personal data is processed in accordance with the GDPR, whilst data processors must follow the instructions of the data controller and implement appropriate security measures to protect personal data.
The GDPR requires that personal data be processed lawfully, fairly, and transparently. This means that organisations must have a lawful basis (Article 6) for processing personal data, such as: the data subject’s consent; performance of a contract with them; compliance with a legal obligation; protection of someone’s vital interests; performance of a task carried out in the public interest or in the exercise of official authority; or the organisation’s legitimate interests, where these are not overridden by the data subject’s interests and rights.
Organisations must also implement appropriate technical and organisational security measures to protect personal data (Article 32), including, where appropriate: pseudonymisation and encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore access to the data promptly after an incident; and regular testing of the effectiveness of those measures.
In the event of a personal data breach, organisations must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
Before 28 June 2021, the EU had not adopted a decision establishing the lawful basis on which personal data could flow freely from the EU to the UK.
Because the UK is now a third country, transfers from the EU to the UK must, in the absence of an adequacy decision, be covered by an appropriate safeguard such as the Standard Contractual Clauses (SCCs) adopted by the European Commission or Binding Corporate Rules (BCRs) approved by the relevant supervisory authorities.
On 28 June 2021, however, the EU adopted an adequacy decision for the UK, allowing personal data to flow freely from the EU to the UK. This decision is set to expire in 2025. If it is not renewed, alternative transfer mechanisms such as SCCs or BCRs will again be necessary for cross-border transfers between the UK and the EU.
For any business based in the UK that offers goods or services to people in the EU, or monitors their behaviour, the EU GDPR applies.
This is because the EU GDPR has extraterritorial scope (Article 3): it binds organisations anywhere in the world, inside the EU or not, that process the personal data of individuals in the EU in this way. UK organisations are no exception.
So, organisations in the UK need to maintain full GDPR compliance with the EU and UK regulations. In addition, they must also comply with the data protection law (Data Protection Act 2018).
Think of the UK DPA as the domestic law that supplements the UK GDPR, the UK’s version of the EU’s original regulation. The DPA also sets out rules for processing in areas the UK GDPR does not cover, such as law enforcement processing and processing by the intelligence services.
National security is one such area: the UK DPA provides the rules that must be followed for the collection and use of personal data there. The UK DPA also sets out, in plain language, the powers that the ICO has. The ICO is, as explained earlier, the UK’s data protection authority; it is an independent regulator with investigative and enforcement powers, not a court.
Data protection officers, and anyone else responsible for compliance, need to be familiar with the DPA, which is split into separate Parts. These are drafted in clear, plain language to make the Act easier to navigate and to comply with.
One of the key upcoming changes to the UK’s data protection landscape is the potential passage of the Data Protection and Digital Information (DPDI) Bill, which could reform the rules around pseudonymisation, anonymisation, and privacy-enhancing technologies.
Pseudonymisation is defined in the UK GDPR (Article 4(5)) as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and protected by technical and organisational measures. In practice the direct identifiers are replaced by substitutes (tokens, codes or keyed hashes), so that what is exposed to the people working with the data reveals nothing on its own. Pseudonymisation does not take the data outside the regulation, but it does reduce the risk to data subjects: extra information is needed before the data can be attributed to them.
The guidance still treats pseudonymised data as personal data, because it can be used to identify the data subject once the additional information is available. It goes on to say that the same data may no longer be personal data in the hands of a separate organisation it is transferred to, provided that the information needed to identify the data subject is not made available to that organisation.
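As an added illustration of the definition above (this code is not part of the original article or of any ICO guidance), the following Python sketch pseudonymises a small constructed dataset with a keyed HMAC, keeps the re-identification table and the key separate from the released dataset, and shows why an unkeyed hash of an identifier is a poor substitute: anyone who can enumerate the likely identifiers can reverse it. The record layout, field names and sample values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people) for the example.
RECORDS = [
    {"email": "alice@example.com", "dob": "1984-03-09", "diagnosis": "asthma"},
    {"email": "bob@example.com", "dob": "1979-11-21", "diagnosis": "diabetes"},
    {"email": "Alice@example.com", "dob": "1984-03-09", "diagnosis": "eczema"},
]


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for a direct identifier.

    HMAC-SHA256 under a secret key: the same identifier always maps to the
    same token (so records about one person stay linkable for analysis),
    but without the key the token cannot be recomputed or reversed.
    Identifiers are normalised first so 'Alice@' and 'alice@' collide.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: a plain SHA-256 of the identifier, no secret."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()[:32]


def pseudonymise(records, key: bytes):
    """Split records into a releasable dataset and a re-identification table.

    The table (token -> identifier) together with the key is the 'additional
    information' of Article 4(5): it must be stored separately from the
    dataset and protected by technical and organisational measures.
    """
    dataset, lookup = [], {}
    for rec in records:
        token = make_pseudonym(rec["email"], key)
        lookup[token] = rec["email"].strip().lower()
        row = {k: v for k, v in rec.items() if k != "email"}
        row["subject_id"] = token
        dataset.append(row)
    return dataset, lookup


def reidentify(row, lookup):
    """Only the party holding the lookup table can attribute a row to a person."""
    return lookup.get(row["subject_id"])


def guess_subject(token: str, candidates, pseudonym_fn):
    """Dictionary attack: try every plausible identifier and compare tokens.

    Succeeds against unkeyed_hash (the attacker can recompute it); fails
    against make_pseudonym unless the attacker also holds the secret key.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store with the lookup table, never with the dataset
    dataset, lookup = pseudonymise(RECORDS, key)
    for row in dataset:
        print(row)
    # Attacker holds the released dataset and a list of guessable identifiers.
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("unkeyed hash reversed:", guess_subject(unkeyed_hash("alice@example.com"), guesses, unkeyed_hash))
    print("keyed token reversed:", guess_subject(dataset[0]["subject_id"], guesses, unkeyed_hash))
```

Two design points matter for the legal analysis above. First, deterministic tokens are what make the data useful (the two Alice records link up) but also what makes them personal data wherever the key or table is held, so the key should be unique per dataset or per recipient rather than shared across releases. Second, the remaining quasi-identifiers (date of birth, diagnosis) can still single people out in small populations, so pseudonymisation of the direct identifier is a risk-reduction measure, not anonymisation.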
According to the draft guidance that is being considered by the ICO, there are several benefits of pseudonymising personal data, including:
The ICO consultation on this part of its draft anonymisation and pseudonymisation guidance can be viewed here. It will be open until 16 September 2022.
Also in the public interest, the Association of the British Pharmaceutical Industry (ABPI) has launched its own consultation, specifically about public authorities’ use of health data.
According to the public authorities involved, the data collated and stored by the NHS has huge potential for research purposes. Here are the main principles that the consultation covers regarding NHS data, which includes biometric data.
The UK GDPR uses a format similar to the EU’s original legislation, and most of its text is identical. To remain compliant, those working with information systems must follow essentially the same rules as the EU GDPR lays out.
For example, a website operator must obtain valid consent from visitors before placing non-essential cookies or third-party trackers on their devices and processing the personal data these collect; the requirement to ask comes from the Privacy and Electronic Communications Regulations (PECR), and the consent must meet the GDPR standard. It’s also necessary that withdrawing consent is just as easy for the website visitor as giving it.
UK residents retain all the data rights under the UK GDPR, including the right to be forgotten and rectification of inaccurate data. Conversely, EU businesses offering goods or services to UK residents must comply with the UK GDPR, and UK businesses operating in the EU must comply with the EU GDPR due to its extraterritorial application.
Most of the legal text of the UK GDPR, and the core definitions it uses, remain the same. However, some deviations have occurred, particularly in the areas of immigration, national security and intelligence, and these deviations may increase if the UK pursues the reforms proposed in the Data Protection and Digital Information Bill (DPDI Bill).
Because of these deviations, businesses must understand the changing legal landscape for data use in the UK to avoid enforcement action and fines. The changes are set out in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC), which lay out the amendments made to the EU GDPR to make it work as domestic law within the UK.
The major changes that the UK Government made to the EU GDPR cover immigration, national security and the intelligence services.
The UK’s regulations set out exemptions under which the normal data protection rules are restricted or do not apply in these three areas.
The other major change is that the sole supervisor, regulator and enforcer of the UK GDPR is now the Information Commissioner. The UK no longer sits within the EU’s one-stop-shop arrangements or the European Data Protection Board, which previously coordinated the ICO’s work with the other EU supervisory authorities. Furthermore, the power to make adequacy decisions for the UK now rests with the Secretary of State, acting under UK legislation, rather than with the European Commission.
The UK GDPR retains extraterritorial scope, which means that any organisation or website anywhere in the world that offers goods or services to individuals in the UK, or monitors their behaviour, must comply when processing their personal data. This mirrors the EU GDPR’s extraterritorial application, so EU businesses that offer goods or services to UK residents also need to comply with the UK GDPR.
Regardless of your political views, many people expected Brexit to result in fewer requirements for processing data.
However, this isn’t the case. The EU GDPR set a global standard for data protection, and the UK has now made it its own domestic standard.
Protecting individuals’ personal data remains extremely important for every company based in the UK. To avoid the financial loss that non-compliance can bring, all businesses must make sure they fully understand what is required of them.