Differences between the UK-GDPR and the EU-GDPR regulation
GDPR EU explains the differences between the original GDPR from the EU and the UK’s adapted version of the GDPR regulation
The UK’s decision to leave the European Union (EU) has led to some confusion about the relationship between the EU General Data Protection Regulation (EU GDPR) and the UK General Data Protection Regulation (UK GDPR).
UK businesses may need clarification on GDPR compliance now that there are two separate regulations. How do they ensure compliance with privacy laws when doing business in the EU? And, on the flip side, how does the UK GDPR apply to EU citizens and businesses?
Broadly speaking, the UK General Data Protection Regulation closely follows the same data protection rules as the EU General Data Protection Regulation.
Furthermore, the UK Data Protection Act 2018 (DPA) adapts the EU GDPR rules to the UK’s legal system. The DPA sets out how the GDPR applies in the UK, covers the areas the UK regulates itself (such as processing by law enforcement and the intelligence services) and lists the Information Commissioner’s enforcement powers and processes.
In 2018, the UK Government passed the European Union (Withdrawal) Act 2018 to prepare the country to leave the European Union. This Act incorporates existing EU law into UK domestic law, and as part of this the GDPR was incorporated in its entirety. The UK remained subject to EU law, including the jurisdiction of the Court of Justice of the European Union, until the end of the transition period on 31 December 2020.
So, in real terms, the EU GDPR was fully part of UK law until the end of 2020. From 1 January 2021, the EU GDPR ceased to apply directly in the UK and was replaced by the UK GDPR.
Brexit created the UK GDPR: the Government took the text of the EU GDPR and replaced references to EU institutions such as the European Parliament, the Council and the European Commission with UK equivalents. For example, references to the supervisory authority were replaced with the Information Commissioner’s Office (ICO).
The UK DPA then sits alongside the UK GDPR and fills in the details the Regulation leaves to national law.
All of the EU’s data protection principles have been carried over and adapted to the UK’s legal system. This covers every aspect of personal data protection, including how the rules are enforced and who enforces them.
The UK GDPR very closely follows the EU GDPR, with some modifications for the UK. Businesses in the UK and international organisations must both understand these differences to ensure GDPR compliance.
Processing of personal data carried out before 31 December 2020 fell under the rules of the EU GDPR. Processing from 1 January 2021 onwards falls under the UK GDPR.
Since Brexit, two key data protection laws apply to businesses in the UK: the UK GDPR and the Data Protection Act 2018.
Any organisation that processes personal data must comply with both, and with the EU GDPR where it also applies.
Organisations must take appropriate technical and organisational measures to meet their obligations under the Data Protection Act 2018 and the UK GDPR. Data controllers based in EU countries also need to understand the rules that apply to their processing. From the EU’s perspective the UK is now a third country, so transfers of personal data from the EU to the UK are subject to the EU GDPR’s rules on international transfers.
Until 28 June 2021, the EU had not formally decided whether personal data could flow freely from the EU to the UK.
As the UK is a third country, transfers from the EU to the UK would otherwise have to be covered by appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules approved by the relevant supervisory authorities.
On 28 June 2021, however, the EU adopted an adequacy decision for the UK. This means that personal data can continue to flow freely from the EU to the UK. The decision contains a sunset clause: it lasts for four years and does not renew automatically, so before it expires in June 2025 the European Commission must decide afresh whether to extend it.
For any business based in the UK that offers goods or services to people in the EU, or monitors their behaviour, the EU GDPR still applies.
This is because the EU GDPR has extraterritorial scope: it applies to organisations anywhere in the world that target or monitor individuals in the EU, whether or not the organisation is established in the EU. A UK organisation that is caught by this, and has no establishment in the EU, must generally also appoint a representative in the EU.
So, organisations in the UK may need to maintain compliance with both the EU GDPR and the UK GDPR. In addition, they must comply with the Data Protection Act 2018.
Think of the UK DPA as the UK’s implementation of the legal obligations of the original EU GDPR, now the UK GDPR. The DPA also sets out the rules that apply in areas where the GDPR does not.
An example of this is processing by the intelligence services for national security purposes, which falls outside the GDPR. For these areas the DPA provides its own regime for the collection and use of personal data. The DPA also sets out the powers of the ICO. The ICO is, as explained earlier, the UK’s independent supervisory authority for data protection; it is a regulator rather than a court.
Every organisation processing personal data must follow the DPA, which is split into separate Parts, each covering a different type of processing.
The most recent development is the third chapter of the ICO’s draft guidance on anonymisation, pseudonymisation and privacy-enhancing technologies, which is out for consultation.
Pseudonymisation is defined in the UK GDPR as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that additional information is kept separately and protected by technical and organisational measures. It does not take the data out of the scope of the GDPR, but it reduces the risk to data subjects: the additional information is needed to link the data back to them.
The guidance still treats pseudonymised data as personal data in the hands of the organisation that can re-identify it. It goes on to say that the same data may not be personal data in the hands of a separate organisation that receives it, if that organisation is not given the information needed to identify the data subjects and has no other reasonable means of doing so.
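The following is an added example, not code from the original article or from the ICO guidance, showing the definition above in practice: a keyed pseudonym (HMAC-SHA256) that cannot be linked back to the data subject without the key, which is the "additional information" held separately by the controller. It also shows why an unkeyed hash of a low-entropy identifier such as an email address is not effective pseudonymisation, because anyone with a list of candidate values can reverse it. The records, key and candidate list are constructed for the example.

```python
"""Added example (not from the original article): keyed pseudonymisation.

The data subjects, records and keys below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical data subjects).
RECORDS = [
    {"email": "alice@example.org", "diagnosis": "asthma"},
    {"email": "bob@example.org", "diagnosis": "diabetes"},
]


def normalise(identifier: str) -> bytes:
    """Canonical form so the same person always gets the same token."""
    return identifier.strip().lower().encode()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    The key is the 'additional information': without it a token cannot be
    re-linked to the identifier, but the same key yields the same token for
    the same person, so records remain linkable for analysis.
    """
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, lookup).

    `lookup` maps token -> original identifier. It is the re-identification
    data and must be stored separately from the dataset, with the controller,
    and not handed to the recipient of the pseudonymised records.
    """
    out, lookup = [], {}
    for rec in records:
        tok = pseudonym(rec["email"], key)
        lookup[tok] = rec["email"]
        out.append({"subject_token": tok,
                    **{k: v for k, v in rec.items() if k != "email"}})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """What the holder of the lookup table can do; the recipient cannot."""
    return [{**r, "email": lookup[r["subject_token"]]} for r in pseudo_records]


def unkeyed_hash(identifier: str) -> str:
    """A plain SHA-256 digest, often mistaken for pseudonymisation."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def dictionary_attack(token: str, candidates, hash_fn):
    """Try to recover the identifier behind `token` from a candidate list.

    Succeeds against unkeyed hashes of low-entropy identifiers; fails
    against keyed pseudonyms when the attacker does not hold the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # held by the controller only
    pseudo, lookup = pseudonymise(RECORDS, key)
    print("shared with recipient:", pseudo)
    print("controller re-identifies:", reidentify(pseudo, lookup))
    guesses = ["carol@example.org", "bob@example.org", "alice@example.org"]
    print("unkeyed hash reversed:",
          dictionary_attack(unkeyed_hash("bob@example.org"), guesses, unkeyed_hash))
    attacker_key = secrets.token_bytes(32)  # attacker does not know `key`
    print("keyed token reversed:",
          dictionary_attack(pseudo[1]["subject_token"], guesses,
                            lambda c: pseudonym(c, attacker_key)))
```

The design point is that the strength of the pseudonymisation comes from the key and from where it is kept, not from the hash function. If the key travels with the dataset, or if a plain hash is used, the recipient can re-identify and the data is still personal data in their hands too.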
According to the draft guidance that is being considered by the ICO, there are several benefits of pseudonymising personal data, including:
The ICO consultation on this chapter of the guidance can be viewed here. It is open until 16 September 2022.
Also of public interest, the Association of the British Pharmaceutical Industry (ABPI) has launched its own consultation, specifically about the use of NHS health data.
The consultation argues that the data collected and held by the NHS has huge potential for research purposes. Here are the main principles that the consultation covers regarding NHS data, which includes biometric data.
The UK GDPR follows the same structure as the EU’s original legislation and is, for most purposes, identical to it. To remain compliant, those working with information systems must follow the same rules as the EU GDPR lays out.
For example, a website owner must obtain consent from visitors before setting non-essential cookies or third-party trackers that process their personal data, and withdrawing that consent must be as easy for the visitor as giving it.
UK users keep all of the rights over their data that they had under the EU GDPR, including the right to erasure (the right to be forgotten) and the right to have inaccurate data corrected. The same rules protect special category data, such as religious beliefs and political opinions, and data about criminal convictions and offences.
Most of the legalese in the UK’s GDPR, and the core definitions used, remain the same. However, as we mentioned earlier, there are some deviations.
These deviations from the EU GDPR mean that, to avoid enforcement action, businesses must understand the changing legal landscape for data use in the UK. You can read about the deviations in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC). These set out all of the changes made to the EU GDPR to make it work as UK domestic law.
The major changes that the UK Government has made to the EU’s GDPR cover:
The UK’s regulations explain that there are some exemptions where the normal data protection rules do not apply. These exemptions include the three areas listed above.
Another major change is that the Information Commissioner is now the sole supervisory authority for the UK GDPR: the ICO no longer takes part in the EU’s cooperation and consistency mechanism or the European Data Protection Board, which coordinated supervisory authorities across the EU before Brexit. Furthermore, adequacy decisions for the UK are now made by the Secretary of State rather than the European Commission.
The UK GDPR has extraterritorial scope, which means that any organisation or website in the world that offers goods or services to, or monitors the behaviour of, people in the UK must comply. This also covers EU companies that provide services and products to people in the UK. The final major difference is that the age at which a child can give their own consent to online services is 13 in the UK, whereas the EU GDPR sets a default of 16 (member states may lower it to 13).
Regardless of political views, many people expected Brexit to result in fewer requirements for processing data.
This isn’t the case. The EU GDPR set a global standard for data protection, and the UK has now made that standard its own.
Protecting individuals’ personal data remains extremely important for all companies based in the UK. To avoid the financial cost of non-compliance, all businesses must ensure they fully understand what is required.