Brexit and the GDPR
Since the end of the Brexit transition period, 31 December 2020, the EU GDPR (which we know locally simply as the “GDPR”) no longer applies to the processing of UK residents’ personal data.
*The United Kingdom denotes the areas of England, Scotland, Wales and Northern Ireland.
The UK’s data protection authority had already enacted the EU GDPR’s requirements into UK law. With effect from 1 January 2021, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended the DPA 2018 and merged into it the requirements of the EU GDPR, forming a new, UK-specific data protection regime within the DPA 2018 that works in a UK context after Brexit.
The two regimes are now distinct, and the new UK regime is known as ‘the UK GDPR’.
The ‘EU GDPR’ will however still apply to the processing of EU residents’ personal data, as the name suggests.
So what now for doing business with the UK?
Readers can breathe a sigh of relief: the UK GDPR is not a complete reinvention of the wheel. Below we highlight the most important differences between the two.
Who is affected in RSA (South Africa)?
All organisations that process UK residents’ personal data.
With what must I now comply in respect of the UK?
Organisations that process UK residents’ personal data must now comply with:
- The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) if they process only domestic personal data.
- The DPA 2018 and UK GDPR, and the EU GDPR if they process domestic personal data and offer goods and services to, or monitor the behaviour of, EU residents.
The UK GDPR is very similar to the EU GDPR, so organisations that already comply with the EU GDPR are likely to be in compliance with the UK version; however, there are some divergences.
Organisations dealing with UK residents’ personal data will have to amend their GDPR documentation to align it with the requirements of the UK GDPR.
Most notably, these changes will include updates to data processing records, privacy notices, DPIAs (data protection impact assessments), DSARs (data subject access requests) and documentation covering international data flows, all of which should now reflect the UK’s independent jurisdiction and the specific scope and wording of the UK GDPR.
What stays the same?
The UK GDPR is substantially similar to the EU GDPR and data subjects still have the same rights. These are:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision-making and profiling.
The six data processing principles and six lawful bases for processing stay the same.
Both data controllers and processors continue to be obliged to ensure the lawfulness of processing and security of the personal data.
What is different?
Child consent age
- EU GDPR: A child can consent to data processing at age 16.
- DPA 2018/UK GDPR: A child can consent at age 13.
Definition of personal data
- EU GDPR: Personal data can include IP addresses, Internet cookies and DNA.
- DPA 2018/UK GDPR: More limited definition.
Automated decision making/processing
- EU GDPR: Data subjects have rights to refuse automated decision making or profiling.
- DPA 2018/UK GDPR: Permits automated profiling subject to legitimate grounds for doing so.
Data subject rights
- EU GDPR: Protects data subjects’ rights in relation to personal data processing.
- DPA 2018/UK GDPR: Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.
Privacy vs Freedom of Expression
- DPA 2018/UK GDPR: An exemption exists in relation to the processing of personal data if it is in the public interest.
Representatives
- EU GDPR: Many non-EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
- DPA 2018/UK GDPR: Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.
Fines for non-compliance
- EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
- DPA 2018/UK GDPR: The maximum fine for non-compliance is £17.5 million.
There will now be some work to do to ensure compliance with the UK GDPR, in addition to the EU GDPR, POPIA and any other data protection legislation to which you may be subject.
Focus on updating any contracts governing EU–UK data transfers to incorporate standard contractual clauses. Then be sure to also update your policies, procedures and other documentation in light of the changes you make.