Differences between the UK-GDPR and the EU-GDPR regulation

GDPR EU explains the differences between the original GDPR from the EU and the UK’s adapted version of the GDPR regulation

How do the UK’s GDPR and EU’s GDPR regulation compare?

The UK’s decision to leave the European Union (EU) back in 2020 led to some confusion about the relationship between the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation.

UK businesses may need clarification on GDPR compliance now that there are two separate regulations. How do they ensure compliance with privacy laws when doing business in the EU? And, on the flip side, how does the UK’s GDPR apply to EU citizens and businesses?

Breaking Down the EU’s GDPR Regulation and UK Data Protection Act

The UK General Data Protection Regulation closely follows the same data protection rules as the EU General Data Protection Regulation (GDPR), which is Europe’s comprehensive data protection law. The two currently differ only slightly, but these differences may increase with time, especially with potential UK reforms like the Data Protection and Digital Information (DPDI) Bill (if passed).

Furthermore, the UK Data Protection Act (DPA) essentially adapts the EU GDPR rules to the UK’s legal system. The DPA outlines data privacy laws and the data protection measures that public bodies must follow, and lists the enforcement powers and processes.

Introduction to Data Protection

Data protection is a fundamental right in the European Union and the General Data Protection Regulation (GDPR) is the primary law that regulates the processing of personal data. The GDPR aims to protect the rights and freedoms of individuals, particularly their right to privacy, and to ensure that personal data is processed in a fair, transparent, and secure manner.

The GDPR applies to all organizations that process personal data of EU data subjects, regardless of their location. This means that organizations outside the EU that offer goods or services to EU data subjects or monitor their behavior must also comply with the GDPR.

In the UK, the GDPR has been incorporated into national law as the UK GDPR, which applies to the processing of personal data by organizations in the UK. The UK GDPR is enforced by the Information Commissioner’s Office (ICO), which is the independent supervisory authority responsible for data protection in the UK.

Why is there a separate GDPR for the UK?

In 2018, the UK Government passed the European Union (Withdrawal) Act to prepare the country to leave the European Union. This Act incorporates several EU laws into UK domestic law. As part of this, the GDPR was incorporated in its entirety. The European Court of Justice continued to enforce it in the UK until 31 December 2020.

So, in real terms, the EU’s GDPR was fully part of UK law until the end of 2020. At the beginning of 2021, the UK legal system removed the EU GDPR from domestic law and replaced it with the UK’s GDPR.

Brexit spawned the UK’s GDPR, with the Government replacing references to bodies such as the European Parliament and the European Council with UK institutions. For example, all references to the supervisory authority were replaced with the Information Commissioner’s Office (ICO).

Key differences between the EU GDPR, the UK GDPR and the UK DPA

The UK DPA is concerned with the implementation of the European Union GDPR within the UK.

For example, all the EU’s data protection principles have been changed to fit the UK’s legal system. This covers all forms of personal data protection, including how it’s enforced, who enforces it and how regular and systematic monitoring will happen.

On to the UK’s GDPR. This very closely follows the EU’s GDPR regulatory environment. There are, however, some slight modifications in the UK’s version. Businesses in the UK and international organisations must both understand these differences to ensure GDPR compliance.

The processing of personal data relating to criminal convictions and offences is subject to specific conditions under the GDPR. Data controllers and processors must designate a Data Protection Officer (DPO) when handling such sensitive information, ensuring compliance with the regulation.

All data processing and collection of sensitive personal data prior to 31 December 2020 fell under the rules laid out in the EU’s GDPR. Any data collected after that (i.e., from 1 January 2021 onwards) falls under the detailed guidance of the UK’s GDPR.

The UK now has two laws for data

Since Brexit, the UK has two key data protection laws that apply to businesses.

Any organisation that processes personal data must follow the detailed guidance available. It must also comply with the EU’s GDPR where that applies.

Organisational measures must be taken to meet the legal obligations of the Data Protection Act 2018 and the UK’s GDPR. And, of course, data controllers based in EU countries also need to understand the processing rules they must follow to comply. Third countries are subject to different rules from EU member states, and the UK is now a third country.

This is particularly relevant when data is transferred between the UK and EU, as such transfers may now be treated as “transfers to a third country” under the EU GDPR.

Data Protection Principles

The GDPR is based on several key data protection principles that organisations must follow when processing personal data. These principles are:

  1. Lawfulness, fairness, and transparency: Personal data must be processed in a lawful, fair, and transparent manner.
  2. Purpose limitation: Personal data must be collected for a specific, legitimate purpose and not used for any other purpose.
  3. Data minimization: Only the minimum amount of personal data necessary for the purpose must be collected and processed.
  4. Accuracy: Personal data must be accurate and up-to-date.
  5. Storage limitation: Personal data must not be stored for longer than necessary.
  6. Integrity and confidentiality: Personal data must be processed in a way that ensures its integrity and confidentiality.
  7. Accountability: Organizations must be accountable for their data processing activities and demonstrate compliance with the GDPR.

Rights of the Data Subject

The GDPR provides several rights to data subjects, including:

  1. Right to be informed: Data subjects have the right to be informed about the processing of their personal data.
  2. Right of access: Data subjects have the right to access their personal data and to obtain a copy of it.
  3. Right to rectification: Data subjects have the right to rectify inaccurate or incomplete personal data.
  4. Right to erasure: Data subjects have the right to erase their personal data in certain circumstances.
  5. Right to restriction of processing: Data subjects have the right to restrict the processing of their personal data in certain circumstances.
  6. Right to data portability: Data subjects have the right to transfer their personal data to another organization.
  7. Right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances.

Data Controllers and Processors

The GDPR distinguishes between data controllers and data processors. A data controller is an organisation that determines the purpose and means of processing personal data. A data processor is an organisation that processes personal data on behalf of a data controller.

Data controllers are responsible for ensuring that personal data is processed in accordance with the GDPR, whilst data processors must follow the instructions of the data controller and implement appropriate security measures to protect personal data.

Lawful Processing of Personal Data

The GDPR requires that personal data be processed lawfully, fairly, and transparently. This means that organisations must have a lawful basis for processing personal data, such as:

  1. Consent: Data subjects must give their consent to the processing of their personal data.
  2. Contract: Personal data must be processed to fulfill a contract with the data subject.
  3. Legal obligation: Personal data must be processed to comply with a legal obligation.
  4. Vital interests: Personal data must be processed to protect the vital interests of the data subject.
  5. Public interest: Personal data must be processed in the public interest.
  6. Legitimate interests: Personal data must be processed for the legitimate interests of the organization, unless those interests are overridden by the rights and freedoms of the data subject.

Organisations must also implement appropriate security measures to protect personal data, including:

  1. Encryption: Personal data must be encrypted to protect it from unauthorised access.
  2. Access controls: Organisations must implement access controls to ensure that only authorized personnel can access personal data.
  3. Data backup: Organisations must implement data backup procedures to ensure that personal data is not lost in the event of a data breach.

In the event of a data breach, organizations must notify the ICO and the affected data subjects within 72 hours.

What the data protection officer needs to know

Before 28 June 2021, the UK Government and the EU had not agreed on a lawful basis upon which personal data could flow between them.

As the UK is now a third country, data transfers between the two must be covered by safeguards such as the Standard Contractual Clauses or Binding Corporate Rules approved by the national supervisory authorities.

On 28 June 2021, however, the EU formally adopted an adequacy decision for the UK, allowing personal data to flow freely between the UK and the EU. This decision is set to expire in 2025, after which further safeguards such as Standard Contractual Clauses (SCCs) may be required.

If the adequacy decision is not renewed in 2025, alternative transfer mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), will be necessary for cross-border data transfers between the UK and EU.

Do the EU’s principles apply in the UK?

For any business based in the UK that offers services or goods to people based in the EU, the EU’s GDPR applies.

This is because the EU’s GDPR applies to organisations in any country, inside or outside the EU, that offer goods or services to EU data subjects or monitor their behaviour. Every other non-EU country is bound by this, and so is the UK.

So, organisations in the UK need to maintain full GDPR compliance with the EU and UK regulations. In addition, they must also comply with the data protection law (Data Protection Act 2018).

Explaining the Data Protection Act 2018

Think of the UK DPA as the UK implementation of the large-scale legal obligations of the EU’s original GDPR (now the UK’s version). The DPA also outlines rules that every data protection officer must follow in sectors where the EU’s (now UK’s) GDPR doesn’t apply.

An example of this would be the national security sector, where the GDPR doesn’t apply. So, the UK DPA provides the regulation that must be followed for the collection and use of personal data. The UK DPA also outlines the powers, in plain language, that the ICO has. The ICO is, as explained earlier, the Data Protection Authority in the UK, which works in a judicial capacity.

Every data protection officer must follow the DPA, which is split into separate sections. All of these sections are presented in clear and plain language in such a way as to ensure easier access and more control over compliance.

  • The general regulations for data processing and for the data processor.
  • The GDPR itself, and how it impacts the data privacy of the data subject.
  • How law enforcement should process data.
  • How intelligence services should process data.
  • Cross-border transfers of data, data portability and how data relating to individuals may be transferred outside the UK.
  • Which exemptions apply to public bodies or individuals.
  • The legal basis for enforcement.
  • Contact details of the Information Commissioner.
  • Special categories.
  • Provisions on pseudonymisation and anonymisation of data.

Pseudonymisation and anonymisation of data

One of the key upcoming changes to the UK’s data protection landscape is the potential passage of the Data Protection and Digital Information (DPDI) Bill, which could reform the rules around pseudonymisation, anonymisation, and privacy-enhancing technologies.

Pseudonymisation is defined in the UK’s legislation as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. This practice is crucial for protecting sensitive information, as it ensures that only non-sensitive substitutes are exposed while the actual sensitive information is kept hidden. While it doesn’t restrict processing, it means that data subjects are further protected: extra information, held separately, would be needed to attribute the personal data to the data subjects.

The guidance still treats this kind of data as personal data, because it can be used to identify the data subject once the additional information is supplied. It goes on to say that the data may no longer be considered personal after it has been transferred to a separate organisation, provided the information necessary to identify the data subject is not passed on with it.
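To make the definition above concrete, here is an added example (not from the original page or the ICO guidance) in Python: direct identifiers in a constructed, fictitious patient record are replaced by a keyed HMAC token, the key being the separately held "additional information" that alone allows attribution, with an irreversible anonymisation shown for contrast. The field names, the placeholder identifier and the record are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for a fictitious patient; the identifier is a
# placeholder, not a real NHS number.
SAMPLE_RECORD = {
    "patient_id": "NHS-PLACEHOLDER-0001",
    "name": "A. Example",
    "postcode": "SW1A 1AA",
    "year_of_birth": 1984,
    "diagnosis": "asthma",
}

# Fields that identify the person directly and must not leave the controller.
DIRECT_IDENTIFIERS = ("patient_id", "name")


def new_pseudonymisation_key() -> bytes:
    """The 'additional information': stored separately from the pseudonymised data set."""
    return secrets.token_bytes(32)


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a keyed HMAC-SHA256 token.

    The token is stable under one key, so records for the same person can still
    be linked within a study, but it cannot be reversed without that key.
    """
    token = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = token
    return out


def attribute(pseudonymised: dict, known_people: list, key: bytes):
    """Re-identify: only possible for a party holding BOTH the key and the
    original identifiers. Returns the matching source record, or None."""
    for person in known_people:
        candidate = pseudonymise(person, key)["pseudonym"]
        if hmac.compare_digest(candidate, pseudonymised["pseudonym"]):
            return person
    return None


def anonymise(record: dict) -> dict:
    """Contrast: irreversible. Drops direct identifiers and coarsens the
    quasi-identifiers so that no key can restore the link to the individual."""
    return {
        "postcode_area": record["postcode"].split()[0],
        "birth_decade": record["year_of_birth"] // 10 * 10,
        "diagnosis": record["diagnosis"],
    }


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    shared = pseudonymise(SAMPLE_RECORD, key)          # what a researcher receives
    print(shared)                                      # no name or patient_id present
    print(attribute(shared, [SAMPLE_RECORD], key))     # controller with the key links back
    print(attribute(shared, [SAMPLE_RECORD], new_pseudonymisation_key()))  # wrong key: None
    print(anonymise(SAMPLE_RECORD))
```

The recipient of `shared` holds personal data only while someone can supply the key and the source identifiers, which is exactly the distinction the guidance draws.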

What benefits does the pseudonymisation of personal data bring?

According to the draft guidance that is being considered by the ICO, there are several benefits of pseudonymising personal data, including:

  • Builds confidence and trust in the organisation’s data processing, even if it includes automated decision making.
  • Supports overall compliance without undue delay, and therefore helps avoid GDPR fines.
  • Supports reusing personal data while safeguarding the rights of the data subject.
  • Reduces the risks to individuals from the use of their data.
  • Enhances security.
  • Supports data minimisation, limiting processing to what is strictly necessary.
  • Pseudonymisation may also provide an exemption from notifying affected data subjects of a data breach under Article 34 of the UK’s GDPR. The guidance says that pseudonymisation can form part of the wider organisational and technical measures that, if properly implemented, allow the data controller to avoid reporting the breach to affected individuals.

The ICO consultation on this draft guidance, covering pseudonymisation and the large-scale processing of data under the DPA, can be viewed here. It is open until 16 September 2022.

UK health data use principles consultation

Also in the public interest, the Association of the British Pharmaceutical Industry (ABPI) has launched its own consultation. This consultation is specifically about public authorities and the use of health data.

According to the public authorities, the data collated and stored by the NHS has huge potential for research purposes. Here are the main principles that the consultation covers regarding NHS data, which includes biometric data.

  1. The transparency behind what the data will be used for. This aims to improve overall clarity about how health data is utilised by the data controller, in this case, health researchers and the benefits that can be expected from research.
  2. Clarity of the contractual arrangements over the data.
  3. Public and patient engagement and involvement – to further involve representation for both in the approval and design of projects that use health data.
  4. Compliance with regulations, to include how it will be GDPR compliant.
  5. That data sets should be available non-exclusively for all kinds of researchers.

How similar are the UK’s and EU’s legislation in real terms?

The UK’s GDPR uses a format that is similar to the EU’s original legislation. This means it’s pretty much identical. To remain GDPR compliant, those working with information systems must follow the same rules as the EU’s GDPR lays out.

For example, a website owner must obtain explicit consent from visitors before using cookies or third-party trackers to process their personal data. It’s also necessary that withdrawing consent is just as easy for the website visitor as giving it.

UK residents retain all the data rights under the UK GDPR, including the right to be forgotten and rectification of inaccurate data. Conversely, EU businesses offering goods or services to UK residents must comply with the UK GDPR, and UK businesses operating in the EU must comply with the EU GDPR due to its extraterritorial application.

Where has the UK deviated from the EU’s regulations?

Most of the legal text in the UK’s GDPR, and the core definitions used, remain the same. However, some deviations have occurred, particularly in the areas of immigration, national security, and intelligence, and these deviations may increase if the UK pursues its proposed reforms in the Data Protection and Digital Information Bill (DPDI Bill).

These deviations from the EU’s GDPR mean that, to avoid a criminal offence, businesses must understand the changing legal landscape regarding data use in the UK. You can read about these deviations in the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations (DPPEC). These lay out all of the changes made to the EU’s GDPR to make it applicable to domestic law within the UK.

Major changes involve immigration, national security and intelligence

The major changes that the UK Government has made to the EU’s GDPR cover:

  1. Immigration
  2. Intelligence Services
  3. National Security

The UK’s regulations explain that there are some exceptions where the normal protection of data can be set aside. These exceptions cover the three areas listed above.

The other major change is that the enforcer, supervisor and regulator of the UK’s GDPR is now the Information Commissioner. This replaces the European Data Protection Board, which held this position for the UK before Brexit. Furthermore, the Secretary of State has special powers over adequacy decisions under the UK’s legislation.

The UK’s regulations retain an extraterritorial scope, which means that any organisation or website in the world that processes data belonging to people who live in the UK must comply. This mirrors the EU GDPR’s extraterritorial application, meaning that EU businesses that offer goods or services to UK residents also need to comply with the UK GDPR.

Complying with data legislation is the law in the UK

Whatever your political views, many people expected Brexit to result in fewer requirements for processing data.

However, this isn’t the case. The EU’s GDPR set a global standard for data, and the UK has now made this its own domestic standard.

Protecting people’s personal data remains extremely important for all companies based in the UK. To ensure that no financial loss is incurred due to non-compliance, all businesses must make sure they fully understand what’s required.