On January 1 2021, the UK formally and effectively left the European Union. The UK is now a “third country” under the EU’s GDPR (i.e., outside the EU). As a result, the EU-GDPR, being an EU regulation, no longer applies to the UK.
The general data protection regime under UK law has been modified to address the fact that the EU-GDPR no longer applies domestically. The amending regulations changed the Data Protection Act (DPA) 2018 and merged it with the EU-GDPR requirements to form a new, UK-specific data protection regime that works in a UK context after Brexit.
This new regulatory framework for UK data protection is known as UK-GDPR.
The new UK-GDPR is nearly identical to the EU-GDPR. However, it is independent UK legislation, governed and enforced by the UK data protection authorities, and it has no bearing on EU authorities.
It is based on the same legal text as the EU-GDPR, but with references to the EU and Union law replaced by references to the UK and domestic law. The UK-GDPR merges the two pre-existing regimes for personal data protection, namely the EU-GDPR and the DPA 2018.
The UK-GDPR took core provisions from EU-GDPR in terms of:
The DPA 2018 has also been incorporated into the UK-GDPR; it addresses the areas of law enforcement, intelligence services and immigration that the EU-GDPR did not cover.
While transitioning from the EU-GDPR to the UK-GDPR, organizations based in the UK will need to address the following areas in their DPAs and privacy policies:
The UK-GDPR, like the EU-GDPR, requires websites to obtain users' prior consent before processing any of their personal data through cookies and third-party trackers. Website privacy policies must also be updated to reflect that the company is fully aware of the UK-GDPR requirements and has applied them in its business activities.
In addition to the UK-GDPR, the following laws apply to UK businesses:
Yes, it applies. PECR (Privacy and Electronic Communications Regulations) is UK legislation derived from the EU’s ePrivacy Directive.
Yes, it applies. NIS (Network and Information Systems) is based on EU legislation but has been incorporated into UK law.
Yes, but the UK eIDAS (electronic identification and trust services) regulations are an amended form of the EU eIDAS Regulation: they retain many aspects of the EU regulation but are tailored for use within the UK.
The Freedom of Information Act 2000 forms part of UK law and will continue to apply.
The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law but are set out in UK law.
The government has indicated that Britain will aim to break away from European data protection requirements as it revamps its policies following Brexit. Some of the expected reforms are:
A man was fined under the UK-GDPR after his Amazon Ring doorbell system captured data on his neighbor. Amazon has since responded, issuing a statement asking product owners to "respect their neighbors' privacy and comply with any applicable laws." The British man had installed his Ring camera on his shed, where it captured video and audio of his neighbor from up to 68 feet away. A judge ruled that the man had violated the UK-GDPR and that the Ring camera contributed to harassment.
We hope these commonly asked questions help you to understand the post-Brexit data protection regulations. Ultimately, ensuring that companies go through regular IT security and compliance health checks, security education and training, and ongoing improvements across people, process and technology controls is the way forward. This will ensure that company culture keeps improving and that regulatory and privacy compliance objectives are met on an ongoing basis. Otherwise, compliance remains a tick in the box, and there are many examples of compliance-certified companies that still suffered data losses and breaches.
Let’s hope the expected reforms ensure long-term privacy improvements, a step further than the solid ground built by GDPR so far.