Rivermate | GDPR Compliance Post-Brexit: the UK GDPR and EU GDPR

Taxation and Compliance

GDPR Compliance Post-Brexit: the UK GDPR and EU GDPR

Published on: June 4, 2024

Written by: Lucas Botzen

Key Takeaways:

  1. The UK GDPR is based on the EU GDPR, and they share many similarities in how the data should be collected, stored, and protected.

  2. The main differences companies navigating the UK GDPR should pay attention to are those concerning exemptions for public authorities, requirements for data protection officers, and data breach notification requirements.

  3. Generally, the differences also include which regulatory body governs the GDPR, who it applies to, and how the data is transferred across borders.

GDPR is Europe’s data privacy and security law. It sets out rules for collecting and using the personal data of EU citizens, and it applies to both EU companies and foreign ones.

GDPR covers the key rules for collecting and using personal data. It requires your company to be fair and clear about how you use the data collected from your customers. You should also only collect and use the data for purposes you informed your client base about.

GDPR guidelines also apply to storing personal data: they govern how long you can keep it and how it must be protected. Data security involves technical measures like encryption and two-factor authentication, as well as organizational measures like staff training and limiting data access.

The UK, before Brexit, was also subject to GDPR. Yet, post-Brexit, the UK created its own set of rules for GDPR. It is now commonly referred to as the UK GDPR.

So, it’s important to understand what UK GDPR is if you want to collect and use the data of UK citizens. Let's cover how it differs from EU GDPR and which laws and regulations govern data in the UK.

What is EU GDPR?

EU GDPR is a data protection law that came into effect in 2018 in the EU. The law aims to give individuals control over their personal data. It also holds companies accountable for how they use and store their customer data. It is also a significant aspect of international payroll, so it is important to get familiar with its regulations.

EU GDPR has seven key rules and responsibilities each company has to follow. They include:

1. Lawfulness, Fairness, and Transparency

GDPR requires that "personal data must be processed lawfully, fairly, and transparently." Your company must have a valid reason to use someone’s data, such as the person's consent, a legal requirement, or a legitimate interest.

You can’t collect data simply because it's convenient. The GDPR requires a legal reason, and you must be clear and honest to your customers about why you need it.

2. Purpose Limitation

When your company collects personal data, you must have a specific reason and use it only for that purpose. You should also inform your customers of the reason for collecting their data, and have documents explaining the intended use. It’s important to review the data processing regularly. When needed, promptly update documentation and procedures.

3. Data Minimization

Under GDPR, companies must collect only the data they need. By collecting less data, you reduce the potential harm of a data breach. In practice, this means not asking for unnecessary information and collecting only what is needed for the specific purpose.

4. Accuracy

The data you collect must be accurate and kept up-to-date. If someone tells you their information has changed, you must update it. This means regularly checking and correcting data to ensure it’s always correct.

5. Storage Limitation

Don’t keep personal data longer than necessary. Once you no longer need the data for the reason you collected it, you should delete or anonymize it. This ensures people’s information isn’t kept forever, which could be risky.

6. Integrity and Confidentiality (Security)

You must protect personal data from being lost, stolen, or accessed by unauthorized people. This includes using strong passwords, encrypting data, and ensuring only certain people can see or use the data. If there’s a data breach, you must report it within 72 hours to minimize harm.

7. Accountability

Organizations must take responsibility for the data they collect. They should also prove they are following GDPR rules. This means having clear policies, training staff, and being able to show how they protect data. If there’s a high risk of a data problem, they should conduct a Data Protection Impact Assessment to find and fix potential issues before they happen.

This law also makes it difficult for companies to mislead consumers with confusing or vague language. It ensures that companies notify their website visitors they are collecting their data.

Under GDPR, clients and customers explicitly consent to this information-gathering. Sites must ask for their consent by asking them to click on a button or take some other action. Additionally, sites must notify visitors promptly if their personal data gets compromised due to a breach.

Lastly, the law also mandates an assessment of the site's data security. It also determines whether the company needs to hire a dedicated Data Protection Officer (DPO). In some cases, an existing staff member can fulfill this role.

What is UK GDPR?

The United Kingdom General Data Protection Regulation (UK GDPR) is the UK’s law regulating data protection. It is based on the EU GDPR and has many similarities with it. The UK’s post-Brexit GDPR retains the core values of EU GDPR, ensuring data protection standards are maintained.

Which cases does UK GDPR apply to?

One of the main differences between UK GDPR vs. EU GDPR lies in their applicability. The EU GDPR applies to every organization, both within the EU and outside. Every company that wants to collect and process the data of EU citizens has to abide by EU GDPR, regardless of where the company is based.

On the other hand, UK GDPR has a much narrower application. It applies to any company that collects the personal data of UK citizens, whether the company is registered in the UK or outside UK borders.

Businesses collecting data from both UK and EU citizens must follow both EU GDPR and UK GDPR.

Who are the relevant Regulatory Authorities?

The relevant regulatory authorities that enforce GDPR rules and regulations also differ.

In the EU, each country must establish one or more regulatory bodies that will oversee and enforce EU GDPR rules and regulations. These are known as Supervisory Authorities.

On top of at least one Supervisory Authority in each member country, EU GDPR is also governed by the European Data Protection Board (EDPB). The board ensures that all member countries apply GDPR consistently. It also solves any disputes that may arise between them. EDPB also promotes cooperation between different Supervisory Authorities.

In the UK, the regulatory authority that governs, oversees, and enforces the UK GDPR is the Information Commissioner’s Office (ICO). The ICO functions much like an EU Supervisory Authority. The UK's Department for Science, Innovation, and Technology sponsors the operation of the ICO.

What is the difference between UK GDPR and EU GDPR?

There are several differences between the UK GDPR and the EU GDPR. The first two, applicability and supervisory authorities, are covered above. However, there are several other differences a company collecting customer data in both the UK and the EU should consider.

Since the EU GDPR brings multiple countries under one umbrella, its text refers to EU institutions. UK GDPR localizes these references to institutions inside the country.

The EU GDPR focuses on all the countries under its jurisdiction. The UK GDPR outlines processes for cooperation between the UK and EU institutions.

Most of the standards for data protection are the same in the EU and UK GDPR, but the UK GDPR has several differences. It has exemptions for certain public authorities. It also mandates appointments of data protection officers. The UK also has stricter requirements for data breach notifications than its EU counterpart.

Personal data transfers

Personal data transfers in the EU are much simpler under the EU GDPR. In essence, EU GDPR considers all countries in its jurisdiction as the same market. This means that companies in the EU can transfer data to other EU countries. However, they need to stay compliant with the general data protection principles.

Brexit caused the UK to be considered a separate jurisdiction in the eyes of EU GDPR, similar to Canada or the US. As a result, more safeguards are set in place for transferring data between the two entities. For example, companies transferring data to the UK may have to use standard data protection clauses or binding corporate rules to keep the data safe.

Differences for representatives

Another significant difference between the two lies in how these two laws treat representatives. Namely, the EU GDPR requires third-country companies that collect personal data from their citizens to have a representative in the country where they collect the data.

The UK requires a representative, but they don’t have to be located in the UK. Similarly to the EU GDPR, this representative acts as the point of contact. Its main goal is to ensure smooth cooperation between the organization and relevant regulatory bodies. But, the UK doesn’t require a local presence.

Companies operating under both GDPRs may have to establish separate representatives depending on the jurisdictions involved.

OSS mechanisms

Companies navigating EU GDPR often worry about having to deal with many Supervisory Authorities. However, EU GDPR has a provision called the one-stop-shop (OSS) mechanism, which gives companies a more streamlined process.

The OSS mechanism allows companies to deal with only one Supervisory Authority. It still leaves the process open to suggestions from another Supervisory Authority if the situation calls for it.

The UK GDPR has no such provision, being localized to a single country. The Information Commissioner’s Office (ICO) is the only equivalent of a Supervisory Authority, and it is responsible for all UK GDPR decisions.

Amendments and updates

The process for amending and updating the GDPR also varies. With the EU GDPR, all changes happen through the EU legislative process, which involves collective decision-making and several regulatory bodies.

The UK GDPR, by contrast, falls under the UK government, which has the authority to amend and update it. While the UK strives to maintain a level of data security similar to the one offered by the EU GDPR, it can make amendments independently.

Penalties and fines

The last difference lies in penalties and fines. Under both the EU and UK GDPR, companies that ignore the rules can be fined either a fixed amount or a percentage of the company’s annual revenue, whichever is higher.

Under EU GDPR, companies can be fined €10 million, or 2% of annual revenue, for smaller infractions. The fine can go up to €20 million, or 4%, for more serious infractions.

The UK GDPR recognizes smaller and larger infractions as well. Smaller infractions are fined £8,700,000, or 2% of annual revenue. The more significant ones may cost the company £17,500,000, or 4%.

Compliance Considerations and Challenges

Navigating both EU GDPR and UK GDPR can be challenging, so companies should be aware in detail of the differences between the two. Here are some challenges you might face when navigating the GDPR in these two jurisdictions:

1. Dual Applicability

While there are many similarities between the two, it is important to consider both when creating the data security policy. Companies operating in both the UK and EU should ensure their data protection practices follow both EU and UK standards.

2. Data transfers

Since there are no agreed-upon terms for data transfers between the UK and the EU, you should implement an appropriate data transfer mechanism. This could mean creating binding corporate rules or relying on standard contractual clauses.

3. Different requirements

There are significant differences between the two GDPRs, so it’s important to understand what they are. When collecting data from both UK and EU citizens, you need to be mindful of both GDPRs and their differences to maintain compliance.

4. Increased accountability

The main reason for following GDPR could be that you want your customers and clients to trust you. For other companies, it’s to avoid hefty penalties and fees. If the latter is important to you, you should consider and plan that you will be accountable under both GDPRs.

Why is it important to stay compliant with both EU and UK GDPR?

As mentioned before, it’s important to stay compliant with EU and UK GDPR if you are collecting data from UK or EU residents.

One of the main reasons why you should consider following GDPR in your company is that it allows you to build trust with your clients. It also promotes transparency and good communication between you. Good communication and trust will be beneficial for your business reputation.

GDPR can also help you streamline your data protection and gathering processes. With its emphasis on gathering only the necessary data, it can help guide your company through the best security and storage practices. This will help you avoid gathering and managing unnecessary data, and save you from having to set complex and expensive processes for managing it.

However, probably the biggest benefit for companies includes maintaining compliance with the law. In other words, it helps with avoiding hefty fees and penalties that may occur. If your clients and customers are unhappy with how you handle their data, they may start legal action against you.

In the UK, the penalties for non-compliance with the GDPR go up to £17.5 million. In the EU, the fees can accumulate up to €20 million.

Best practices for companies navigating UK GDPR and EU GDPR

As a company that has to navigate through both UK and EU GDPRs, there are a couple of best practices you can follow to maintain compliance. There are, of course, significant differences depending on what type of business you run, but generally you should:

  1. Understand in depth the differences between the UK and EU GDPR

  2. Determine whether your business requires compliance with both, or just UK or EU GDPR.

  3. Implement any required data protection measures. Keep them in line with the recommendations set forth by the relevant GDPR rules and regulations.

  4. Lastly, you should review and update your data security policies regularly, and stay on top of any changes in the GDPR.

If you are unsure which GDPR applies to your company and line of business, you may also consider hiring experts to handle it for you. Consult with relevant authorities to ensure that your business complies with UK GDPR, EU GDPR, or if needed, both.

FAQs

Does the UK still follow EU GDPR?

The UK follows the UK GDPR, which shares many similarities with the EU GDPR. If you are a company operating in the UK, but collecting data about customers from the EU, you’ll still need to adhere to the EU GDPR.

What are the 7 principles of GDPR in the UK?

The seven principles of GDPR in the UK include Lawfulness, fairness, and transparency, Purpose limitation, Data minimization, Accuracy, Storage limitation, Integrity and confidentiality, and Accountability.

Does UK GDPR only apply to UK citizens?

Yes, UK GDPR applies to UK citizens. Every company needs to follow the UK GDPR requirements when processing the data of UK residents.

What is considered UK GDPR-compliant consent?

The UK GDPR has clear standards on what compliant consent means. The request for consent must be worded clearly and unambiguously. It must involve users and site visitors actively clicking through an opt-in. The UK GDPR strictly prohibits pre-ticked opt-in boxes. It also requires websites to put in place “granular” consent options for different processing purposes.
