The Data Protection Act (DPA) 2018 is the UK’s updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom’s exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998. The United Kingdom is […]
What is the UK GDPR?
The UK GDPR is the United Kingdom General Data Protection Regulation, which became effective on the 1st January 2021. The law covers the key principles along with rights and obligations when processing personal data in the United Kingdom and sits alongside the Data Protection Act 2018. It applies to any organization who offers goods and services to individuals in the UK and/or monitors behaviour of any individuals in the UK.
On this page
Who Does it Apply to?
The UK GDPR applies to UK businesses and organizations and International businesses and organizations who collect and process personal data of UK citizens.
Personal data is defined as any information or identifiers that enables an individual to be identified either directly or in combination with other data that relates to the individual. Examples of identifiers are name, location data, ID number and online identifier (including IP address and cookies identifiers).
The Principles for the UK GDPR are the same as those for the GDPR. There are 7 of them:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
For further information on these principles see our article “The Seven Key Principles of GDPR”
Key Areas of Change in UK GDPR
There are a few key areas where changes have had an impact on data transfer between the UK and the EEA (European Economic Area) since Brexit. These are:
- International Data Transfers
- EU representatives
- EU regulatory oversight
- other minor updates
International Data Transfers
If your UK business or organization transfers personal data to or from other countries, including those in the EEA, you can transfer that data as long as it is covered by one of the following:
- an adequacy regulation: this was previously known as an adequacy decision under GDPR. It is a decision made by the UK government in relation to transferring personal data to third countries and international organizations.
- an appropriate safeguard: the appropriate safeguards are the above mentioned adequacy decision, the provision allowing the continued use of SCC’s (EU Standard Contractual Clauses) and thirdly certain binding corporate rules
- an exception: if you make a personal data transfer that is not covered by either the adequacy regulation or an appropriate safeguard then it must be covered by an exception. The exceptions are: valid consent given by the individual, a valid contract with this individual that requires a transfer in order to enter the contract, a contract with an individual that benefits another individual whose data is being transferred and is necessary in entering or performing the contract, the transfer is being made in public interest, establishing a legal claim, protecting the vital interests of an individual who is physically or legally incapable of giving consent, the transfer is from a public register, or a its a one time only transfer that is in your compelling legitimate interests.
If you are a UK based controller or processor and you have no offices, branches or establishments in the EEA,and you are offering goods and services to individuals or monitoring the behaviour of individuals in the EEA you will need to consider appointing an European representative.
Your representative needs to be located in the EEA and be able to represent you with regards to any obligations under EU GDPR. This can be done using a service contract with a law firm, consultancy or private company.
There is no need to appoint an European representative if the processing of personal data is only occasional and is low risk, does not involve large scale processing of special category or criminal offense data.
EU Regulatory Oversight
If you are a UK based organization who’s data processing includes cross border processing or if you are “targeting” EEA or EU individuals then you will also need to comply with then there are a number four scenarios which may apply to you. See the ICO’s EU Regulatory Oversight page for details.
Other Minor Updates
If you are a UK business or organization that processes personal data and is subject to the EU GDPR then the following may apply:
Rights of Data Subjects
The UK GDPR applies to the processing of personal data regardless of where the individuals who’s data you are processing reside.
If your organization transfers data internationally, you may need to review the information that is required in your record of processing activities.
Data Protection Officers (DPO’s)
If you were required to have a DPO prior to the exit date, then you will continue to require a DPO. You may choose to use one DPO to cover both the EEA and UK or one for each.
The UK GDPR is very similar to the EU GDPR, with one major difference. The framework is now controlled by the UK government instead of the EU.
There have been very few changes made to the laws, with some changes in international data transfers, EU representatives, EU regulatory oversight and a few other minor updates.
The UK GDPR now sits alongside the Data Protection Act (DPA) 2018 as the United Kingdoms personal data processing laws.