GDPR UK post-Brexit: Everything you need to know
09 February 2021
As the United Kingdom left the European Union on 31 December 2020, a new domestic data privacy law named the UK GDPR came into effect. This new law, alongside the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), now governs the processing of all personal data inside the UK.
With a wealth of changes taking place during the transition period that are impacting businesses nationwide, we explore in detail the GDPR UK post-Brexit law and how this differs from the EU GDPR legislation which now no longer applies to the United Kingdom.
What are the key changes to the GDPR after Brexit?
If your organisation operates within the UK, you will need to comply with the 2018 UK data protection law. Since Brexit, the requirements of the EU GDPR have been incorporated into this, forming a UK-specific regime that is now referred to as the UK GDPR.
Ultimately, there are very few differences in the core data protection principles, rights and obligations that the UK previously adhered to under the EU GDPR. As such, the key requirements remain as follows:
- Your website must obtain explicit consent from users before processing their personal data via cookies and third-party trackers
- You must safely store and document every valid consent
- Your website must enable users to easily change their consent if desired
- Your website must give UK users a set of rights, including the right to have personal data that has already been collected deleted or corrected
However, whilst the core definitions and legal terminology can all still be found in the UK GDPR, the UK regime does expand on or deviate from the EU GDPR in places, and UK businesses should be aware of the impact of this on the data protection landscape moving forwards. These deviations are predominantly in the areas of national security, intelligence services and immigration.
To help businesses navigate the new UK GDPR after Brexit, the UK Government has produced a Keeling Schedule, an unofficial document detailing the main legislative changes. We recommend referring to this for a precise view of how the UK GDPR has been created, and of its similarities to and differences from the EU GDPR.
Does your business still need to comply with the EU GDPR law?
Both the UK and EU regimes will likely apply to your business if you operate in the European Economic Area (EEA). This will also be the case if you offer goods or services to EU residents or monitor their behaviour.
Likewise, if you still process EU residents’ personal data, you will also be bound by the EU GDPR and may need to appoint an EU representative, who will act as a local contact for data subjects and the relevant authorities on all matters relating to the processing of personal data.
Following Brexit, the EU has designated the UK a third country under the GDPR. However, there is an interim period, running until June 2021, during which data can continue to flow unrestricted between the two jurisdictions while the EU reaches an adequacy decision.
If organisations in Europe send you data, you may need to agree with them how personal data should be transferred to the UK in adherence with the UK GDPR, especially if the interim bridging period ends without an adequacy decision.
What does your organisation need to do to meet the requirements of the new UK GDPR after Brexit?
Now that the Brexit deadline has passed, it’s essential to ensure your organisation is compliant with the UK GDPR. We highlight a few simple steps that you can take to smoothly bring your business practices in line with the new legislation, whilst minimising any disruption:
Amend your GDPR documentation
Now is the time to align your existing GDPR policies with the requirements of the new UK GDPR, which can be controlled easily through an enterprise risk management solution. Pay particular attention to Article 30 records, DPIAs, DSARs and privacy notices, as well as transborder data flow documentation, which should all echo the UK’s independent jurisdiction and the full scope of the new regulation.
Ensure effective consent management on your website
Whilst it’s imperative to meet the same high GDPR standards as before, these are now enforced by the ICO in the UK and will be subject to audit. Your website consent management should be able to accurately scan and detect all cookies, and automatically block them until the user has consented to the processing of their personal data. It should also make it easy for users to change their consent and to request deletion or correction of their data if required.
Plan for a ‘no deal’ scenario in relation to data transfer between the UK and EEA
It is still unclear whether the EU will deem the UK’s data protection regime ‘adequate’. If it does not, then organisations that rely on personal data flowing between the two jurisdictions should keep abreast of updates from the ICO to ensure that their data processing agreements are aligned with the new data privacy regulatory landscape.
Discover how our powerful risk management software can help you react quickly to all regulatory and legal changes, including GDPR UK post-Brexit, to ensure your organisation’s compliance.