Brexit & GDPR: Here Is What You Need To Know
To understand how Brexit affects the GDPR in the United Kingdom, it helps first to recall what the GDPR is and how it came to be part of UK law.
What is GDPR?
GDPR, which stands for General Data Protection Regulation, is an EU regulation that came into force on 25 May 2018. It was aimed at giving people more control over their personal data, including limiting how organisations may collect and use it. The issue has become increasingly pertinent in an era where more and more businesses, particularly social media companies, process personal data in very large quantities. The GDPR also set out to let personal data move between member states under a single set of rules, so that individuals in the EU keep the same rights no matter where in the EU their data is held.
The GDPR principles were brought into UK law through the Data Protection Act 2018, which replaced the Data Protection Act 1998. Under the 1998 Act the maximum monetary penalty for a violation was 500,000 pounds. Under the new regime the penalties are far heavier: up to 20 million euros (restated as 17.5 million pounds in the UK GDPR) or up to 4 percent of the organisation's total annual worldwide turnover for the preceding financial year, whichever is higher. Remember, the GDPR applies to all EU member states, so now that Brexit has happened and the UK is no longer a member, do its rules still apply in the country? We will find out below.
Is the post-Brexit UK still bound to GDPR?
The answer is yes, for the most part. The UK was, in fact, one of the main architects of the GDPR and was fully committed to the robust data protection regime that exists today. Even while the Brexit process was underway, the UK government maintained that the GDPR would be absorbed into domestic law, and that is what happened: the European Union (Withdrawal) Act 2018 retained the text of the GDPR as domestic law at the end of the transition period, and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amended it to work outside the EU. In practice the Data Protection Act 2018 and the GDPR continue to be read together in data protection cases. Since 1 January 2021 the EU GDPR itself has ceased to apply in the UK, because it is an EU regulation and the UK is no longer a member state. That does not mean data protection law ceased to apply; it means the rules are now slightly different from those in the EU member states, with amendments that reflect the country's status outside the EU. The core data protection principles, obligations and associated rights of the original GDPR remain the same, now under the name 'UK GDPR'.
What are some of the key changes?
Most of the key data protection obligations enshrined in the EU GDPR carry over unchanged into the UK GDPR. For a website that serves UK users the practical requirements (which also follow from the Privacy and Electronic Communications Regulations, PECR, covered below) include the following:
- Before you set cookies or load third-party trackers that process users' personal data, you must obtain the user's prior, informed and affirmative consent; only cookies that are strictly necessary to provide the service the user asked for are exempt.
- You must keep a record of every valid consent (who consented, when, to what, and how).
- You must give users an easy way to change or withdraw their consent at any time.
- The site must also honour the rights of UK users under the UK GDPR, including the right to rectification (correcting personal data) and the right to erasure.
Essentially, the UK GDPR keeps the substance of the EU GDPR and deviates mainly in structure: references to EU institutions and member states are replaced by the ICO and the Secretary of State, the maximum fine is restated in sterling, and the rules on transfers between the UK and the EU change. It is crucial for businesses, especially those that handle users' personal data, to understand what this means for them on the legal landscape of data protection going forward. To help, the UK government published a Keeling Schedule, an unofficial consolidated text showing all the amendments, intended to help organisations navigate the UK GDPR after Brexit.
GDPR and Brexit: how is international data transfer affected?
As part of the Brexit trade deal, the EU agreed to a bridging period of up to six months (ending no later than 30 June 2021) during which transfers of personal data from the EU to the UK are not treated as transfers to a third country, so personal data can keep flowing freely in the meantime. Outside that arrangement the UK is, since it is no longer part of the EU, a 'third country' under the EU GDPR. Third countries are nations outside the EU GDPR zone, and transfers of personal data to them from EU member states are restricted unless the European Commission has granted an 'adequacy' decision or the exporter puts in place appropriate safeguards such as the Commission's standard contractual clauses or binding corporate rules. Once the bridging period ends, the UK will be treated like any other third country. An adequacy decision provides a clear and comprehensive basis on which personal data can be transferred without further safeguards. The Commission began its assessment of the UK once the UK became a third country; such assessments can take well over a year, and an adequacy decision can be reviewed and revoked at any time if the Commission concludes that the data is no longer adequately protected. In the other direction, the UK has for its part provisionally recognised the EEA states as adequate, so transfers from the UK to the EU can continue.
For a country to be awarded adequacy, the European Commission must be satisfied that it ensures a level of data protection essentially equivalent to that guaranteed in the EU, taking into account its laws, its supervisory authorities and its international commitments. Countries such as Argentina, Israel, Japan and New Zealand are among the third countries that have been granted adequacy. If the UK is granted adequacy after Brexit, personal data will be able to flow from the EU to the UK without further restrictions.
GDPR after Brexit: dealing with EU citizens
As mentioned above, since the UK has left the EU it is no longer within the jurisdiction of the Court of Justice of the European Union, so data protection cases under the UK GDPR are handled by the Information Commissioner's Office and the UK courts. However, when it comes to individuals in the EU, the EU GDPR continues to apply in full to UK companies that offer goods or services to them or monitor their behaviour (Article 3(2) of the EU GDPR), regardless of domestic law or the country being outside the EU. Many companies had to overhaul their practices for this reason irrespective of the Brexit agreement. In the event of a personal data breach affecting those individuals, a UK company must notify and cooperate with the relevant EU supervisory authority (within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals), so it is a good idea to keep up to date with the regulations in the bloc.
How do you ensure that your organisation meets the requirements?
With the transition period over, it is crucial for organisations to be compliant with the UK GDPR to avoid any disruptions or violations. Here is how you can ensure that you are compliant:
For starters, amend your GDPR documentation so that your existing policies are in line with the UK GDPR. Focus on Article 30 records of processing, data subject access request (DSAR) procedures, data protection impact assessments (DPIAs) and privacy notices, not forgetting your documentation of cross-border data flows. Make sure they all reflect the UK's independent jurisdiction (for example, naming the ICO as supervisory authority and citing the UK GDPR) as well as the full scope of the new regulation.
Secondly, you need effective consent management on your site. After Brexit the UK pulled away from the EU GDPR, but any business operating in the UK is expected to meet the same high standards, and the ICO enforces them with audit and penalty powers. Make sure that your consent management tooling scans for and detects every cookie and tracker the site sets, and that non-essential ones are blocked until the user has given consent to the processing of their personal data. Remember also, as mentioned above, to make it easy for users to change or withdraw their consent and to request erasure of their personal data.
Thirdly, organisations, especially UK ones with an EU presence, ought to assess whether their present data transfer practices are still justified under both the EU GDPR and the UK GDPR, taking the implications of Brexit into account: an EU-to-UK transfer that needed no paperwork before may now need an adequacy decision or standard contractual clauses behind it.
Fourthly, be prepared for either outcome. Since you cannot know in advance whether the EU will grant adequacy to the UK, be ready for both. If adequacy is not granted, organisations that rely on data flowing in and out of the UK will need appropriate safeguards in place and should keep abreast of updates from the ICO, so that their data processing stays aligned with the regulatory landscape of data privacy.
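The consent management described in the second step above (block non-essential cookies and trackers until the user opts in, record each decision, and make withdrawal as easy as consent), as an added example that is not code from the original article or from any consent-management product. The cookie names, categories and consent sources in it are illustrative assumptions; a real site would feed it the names parsed from document.cookie and the user's actual banner choices.

```javascript
// Consent gating for a site that sets cookies and loads third-party trackers.
// Added example (not from the original article). COOKIE_CATEGORIES is an
// assumed taxonomy: only "necessary" cookies may be set without consent.
const COOKIE_CATEGORIES = {
  necessary: ["session_id", "csrf_token"],
  analytics: ["_ga", "_gid"],
  marketing: ["_fbp", "ads_click_id"],
};

// Split a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

class ConsentManager {
  constructor(policyVersion, now = () => new Date()) {
    this.policyVersion = policyVersion; // which privacy notice the user saw
    this.now = now;                     // injectable clock for testing
    this.log = [];                      // append-only record of every decision
    this.current = null;                // latest decision, null until one is made
  }

  // Record an explicit decision. `choices` maps category -> true/false.
  // Anything not explicitly true is treated as refused: silence, scrolling or
  // a pre-ticked box is not consent. Returns the stored record.
  record(choices, source) {
    const decision = { necessary: true };
    for (const category of Object.keys(COOKIE_CATEGORIES)) {
      if (category !== "necessary") decision[category] = choices[category] === true;
    }
    const entry = {
      timestamp: this.now().toISOString(),
      policyVersion: this.policyVersion,
      source, // e.g. "banner" or "preferences-page" (assumed names)
      decision,
    };
    this.log.push(entry);
    this.current = entry;
    return entry;
  }

  // Withdrawal must be as easy as consent: one call refuses every
  // non-essential category and is logged like any other decision.
  withdraw(source) {
    return this.record({}, source);
  }

  // Is processing in this category currently permitted?
  allowed(category) {
    if (category === "necessary") return true;
    return this.current !== null && this.current.decision[category] === true;
  }

  // Classify a cookie name. Unknown cookies are "unclassified", which is never
  // allowed, so a tracker the site owner forgot to list cannot slip through.
  categoryOf(cookieName) {
    for (const [category, names] of Object.entries(COOKIE_CATEGORIES)) {
      if (names.includes(cookieName)) return category;
    }
    return "unclassified";
  }

  // Scan the cookies actually present and return those that should not be,
  // given the current consent state (the audit check the text recommends).
  violations(cookieString) {
    return cookieNames(cookieString).filter(
      (name) => !this.allowed(this.categoryOf(name))
    );
  }

  // Gate a tracker: run `loader` (e.g. inject the vendor's script tag) only
  // when its category is allowed. Returns whether it ran.
  loadTracker(category, loader) {
    if (!this.allowed(category)) return false;
    loader();
    return true;
  }
}

// Lifecycle walk-through: no decision yet, a banner opt-in to analytics only,
// an audit of a constructed cookie jar, then withdrawal from the preferences page.
function demo() {
  const manager = new ConsentManager("privacy-notice-2021-01");
  const loaded = [];
  const before = manager.loadTracker("analytics", () => loaded.push("analytics"));
  manager.record({ analytics: true }, "banner");
  const after = manager.loadTracker("analytics", () => loaded.push("analytics"));
  // Constructed cookie jar: a marketing cookie and an unlisted one are present
  // even though only analytics was consented to, so both are violations.
  const leaks = manager.violations("session_id=abc; _ga=GA1.2.1; _fbp=fb.1; mystery=1");
  manager.withdraw("preferences-page");
  return {
    loadedBeforeConsent: before,
    loadedAfterConsent: after,
    trackersRun: loaded.length,
    leaks,
    allowedAfterWithdrawal: manager.allowed("analytics"),
    decisionsLogged: manager.log.length,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two design choices worth copying are the default-deny classification (an unlisted cookie is never allowed, which is what makes the periodic scan useful) and the append-only log keyed to a policy version, which is the evidence a regulator will ask for when you claim a user consented.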
What role will ICO have?
ICO stands for Information Commissioner's Office, the regulator responsible for data protection legislation in the UK. Since it is no longer an EU supervisory authority, a UK organisation with no establishment in the EU that processes the data of individuals in the EU (and so falls under the EU GDPR) must appoint a representative in the EU under Article 27 of the EU GDPR, unless the processing is occasional, low-risk and does not involve large-scale processing of special category or criminal offence data. The mirror image applies too: an EU organisation with no UK establishment that targets UK individuals must appoint a UK representative under the UK GDPR. The ICO has stated clearly that any organisation processing the data of individuals in the EU must follow the EU GDPR.
Other data regulations that have been affected
Several other data-related laws were affected by Brexit, and it is worth mentioning them here. They include the following:
PECR – the Privacy and Electronic Communications Regulations 2003 implement the EU ePrivacy Directive in UK law and cover electronic marketing, cookies and the security and confidentiality of electronic communications. Because they are UK regulations, they continue to apply despite the UK having left the EU. The EU's planned ePrivacy Regulation, intended to replace the ePrivacy Directive, will not apply in the UK automatically once adopted.
NIS – the Network and Information Systems Regulations 2018 are also derived from an EU directive but were made as UK law, so they continue to apply in the UK despite Brexit.
eIDAS – the electronic identification, authentication and trust services regulation is an EU regulation that was retained in UK law at the end of the transition period. The retained version, as amended to work outside the EU, is referred to as the UK eIDAS Regulations. The EU eIDAS Regulation still governs trust services in the EU member states, which are outside the UK's jurisdiction: UK-based trust service providers are no longer recognised as 'qualified' under the EU regulation, so a business that needs EU-qualified electronic signatures or seals must use an EU-qualified provider.
DPA – the Data Protection Act 2018 still applies in the UK and, in fact, supplements the UK GDPR.
FOIA – the Freedom of Information Act 2000 is UK law and continues to apply post-Brexit.
EIR – unless repealed or amended, the Environmental Information Regulations 2004 continue to apply in the UK.
To conclude: the General Data Protection Regulation (GDPR) largely remains applicable in the UK after Brexit, even though some changes were made to the law. So if you do business in the UK and process personal data, stay up to date with everything going on in the region, especially if you have EU clients. Remember also that if you serve individuals in the EU, you are subject to the EU GDPR, enforced by the EU supervisory authorities outside the UK's jurisdiction.