I have had a few clients ask me about this recently, so thought it was time for a new post on this thorny topic.
The Brexit transition period ended on 31 December 2020, so UK organisations that process personal data must now comply with the following:
- The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) if they process only domestic personal data.
- The DPA 2018 and UK GDPR, and the EU GDPR if they process domestic personal data and offer goods and services to, or monitor the behaviour of, EU residents.
UK DPA (Data Protection Act) 2018 overview
As revised by the DPPEC Regulations, the UK DPA 2018’s main provisions are as follows.
- Part 2, Chapter 2 supplements the UK GDPR and should be read alongside the Regulation by every UK organisation that processes personal data.
- Part 2, Chapter 3 sets out exemptions for manual unstructured processing and for national security and defence purposes.
- Part 3 sets out the regime for processing personal data for law enforcement purposes.
- Part 4 sets out the regime for processing personal data by the UK’s intelligence services.
(Part 1 contains preliminary information, Part 5 deals with the powers of the Information Commissioner, Part 6 covers enforcement and Part 7 provides supplementary information.)
Identifying which data processing regime applies to the processing you carry out is essential.
Data protection law after 31 December 2020: does the GDPR apply in the UK after Brexit?
No, the EU GDPR does not apply in the UK after the end of the Brexit transition period on 31 December 2020.
However, the UK’s DPA 2018 had already enacted the EU GDPR’s requirements into UK law, and with effect from 1 January 2021, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended the DPA 2018 and merged it with the requirements of the EU GDPR to form a new, UK-specific data protection regime that works in a UK context after Brexit as part of the DPA 2018.
This new regime is known as ‘the UK GDPR’.
UK organisations need to amend their GDPR documentation to align it with the requirements of the UK GDPR. In particular, Article 30 records, privacy notices, DPIAs (data protection impact assessments), DSARs (data subject access requests) and documentation covering international data flows must all reflect the UK’s independent jurisdiction and the specific scope and wording of the UK GDPR.
Any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will also have to comply with the EU GDPR, and will reflect this in its process documentation.
Do you still process EU residents’ personal data?
If you are a UK organisation that still processes EU residents’ personal data, you will be bound by the EU GDPR as well as the UK GDPR. In addition, you may now need to:
- Appoint an EU representative;
- Identify a lead supervisory authority in the EU;
- Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
- Update your policies, procedures and other documentation in light of these changes.
The EU GDPR’s requirements as originally implemented by Parts 3 and 4 of the DPA 2018 continue to apply – but no longer within the EU’s jurisdiction – for law enforcement and intelligence purposes.
The data subject rights carried over from the EU GDPR also continue to apply under the UK GDPR, including:
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making and profiling.
There are still six data processing principles and six lawful bases for processing, and data controllers and processors are still obliged to ensure the security of the personal data they process.
However, there are some areas of divergence.
Important differences between the DPA 2018/UK GDPR and the EU GDPR
Child consent age
- EU GDPR: A child can consent to data processing at age 16.
- DPA 2018/UK GDPR: A child can consent at age 13.
Definition of personal data
- EU GDPR: Personal data can include IP addresses, Internet cookies and DNA.
- DPA 2018/UK GDPR: More limited definition.
Processing of criminal data
- EU GDPR: Processors of criminal data must have official authority to do so.
- DPA 2018/UK GDPR: Processors of criminal data do not require official authority.
Automated decision making/processing
- EU GDPR: Data subjects have rights to refuse automated decision making or profiling.
- DPA 2018/UK GDPR: Permits automated profiling subject to legitimate grounds for doing so.
Data subject rights
- EU GDPR: Gives data subjects enforceable rights in relation to the processing of their personal data.
- DPA 2018/UK GDPR: Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.
Privacy vs Freedom of Expression
- DPA 2018/UK GDPR: An exemption exists in relation to the processing of personal data if it is in the public interest.
Representatives
- EU GDPR: Many non-EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
- DPA 2018/UK GDPR: Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.
Maximum fines
- EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
- DPA 2018/UK GDPR: The maximum fine for non-compliance is £17.5 million.