In today’s digital world, data protection is vitally important, both to individuals and to the companies that collect and handle their data. And while it may feel like only yesterday that your business was gearing up for the new General Data Protection Regulation (GDPR), preparing the right literature and ensuring all the right security systems were in place, things are changing once again.
Now that Brexit is underway (and in theory is set to be completed by December 2020) many have been asking what this means for data protection in the UK. After all, GDPR is EU legislation and the UK will no longer be a member of the EU, so will they still be bound by these rules?
Luckily, as the referendum had already taken place before these new guidelines were implemented, governing bodies took this into consideration to try and make the transition as smooth and simple as possible after Brexit. In order to understand how leaving the EU will affect UK data protection, we’ll need to address some of the most common questions, including:
- Will UK businesses still need to comply with EU GDPR?
- Will there be a transition period?
- What’s the alternative to GDPR in the UK?
- What’s the difference between the EU and UK regulations?
- How will leaving the EU affect UK data protection?
In this guide, we’re going to take a look at each of these in more detail. Read on to find out more.
Will UK businesses still need to comply with EU GDPR?
As it stands, UK organisations that process personal data must comply with EU GDPR, but they are also bound by the UK Data Protection Act (DPA), which also came into effect in 2018. Until 31st December 2020, businesses must continue to abide by both laws. After December 2020, there will be a transition period. Once this is over, EU GDPR will no longer directly apply to UK organisations.
That said, even after the UK leaves the EU, UK organisations must still comply with GDPR for two reasons. Firstly, any business that collects the data of EU citizens, no matter where the business is located, must comply with GDPR. And secondly, the DPA enacts the EU GDPR’s requirements in UK law, so businesses still need to comply with these regulations.
Will there be a transition period?
As mentioned above, after December 2020 (when the UK should have left the EU) there will be a transition period. In order to make this as smooth and simple as possible, the government have issued a statutory instrument called the Data Protection, Privacy and Electronic Communications (Amendments) (EU Exit) Regulations 2019. These amend the DPA to merge it with the requirements of EU GDPR. This will then form a new data protection regime that will work in context with the post-Brexit UK.
What’s the alternative to GDPR in the UK?
This is a bit of a trick question really as the alternative to EU GDPR is simply UK GDPR. At the moment it is the DPA, but the new data protection regime that will be created during the transition period will see the end of this as we know it and the new regime will become known as UK GDPR. So, in reality, while there will be two separate sets of legislation (EU GDPR and UK GDPR) these aren’t ‘alternatives’ as they have the same overall structure and goals.
What’s the difference between the EU and UK regulations?
It was important for the UK to create data protection laws that were equivalent to EU GDPR in terms of adequacy and strength. This is to ensure the uninhibited flow of data between the two. As such, changing the data protection laws too drastically could have caused problems for the UK further down the line.
So, for the most part, UK GDPR will be almost completely the same as EU GDPR to ensure the same level of security and care is paid to EU and UK citizens with regards to their personal data. That said, after Brexit there will be a few small differences. These are:
- As it stands, the Information Commissioner’s Office (ICO) is the supervisory body for GDPR. After the transition period this will no longer be the case for EU GDPR as the ICO is a UK organisation. So, after Brexit, the ICO will oversee UK GDPR, but EU laws will fall to a different supervisory body
- What’s more, under UK GDPR the Secretary of State has the power to determine or revoke decisions (which they did not have before). In fact, they now have the power to make these decisions without even consulting the ICO
- It is possible that if no Brexit agreement is reached before December 2020, the UK could become classified as a ‘third-country state’ under EU GDPR and would therefore be affected by data transfer restrictions
- Any country that collects, stores or processes personal data from UK citizens must now comply with UK GDPR (though as it’s essentially the same as the original EU legislation this shouldn’t be too difficult)
- Finally, one of the most notable differences between UK and EU GDPR is that the age of valid consent for sharing personal data in the UK is 13, whereas in the EU it’s 16
How will leaving the EU affect UK data protection?
So in a nutshell, UK data protection will be changing from the current DPA that came into effect back in 2018, to a new GDPR regime that is specific to the UK. That said, the rules and regulations outlined within this new regime are essentially the same as the original EU GDPR and so it pays for everyone to remain compliant with these current laws.
There are a few small changes to UK GDPR, but none that will have a drastic impact on businesses or individuals across the nation. The UK has worked tirelessly with the EU to create data protection laws that are just as adequate in the hopes that Brexit will not affect data protection too much and that the transition period will be as smooth and simple as possible.