
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 affect how you as a website owner must obtain and store cookie consents from your visitors from the UK & EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR compliant.

GDPR and Brexit: new data laws in the UK after Exit Day.

Updated April 21, 2021.


The United Kingdom has left the European Union.

After Brexit, “GDPR” means several things in the UK, as new domestic data laws are in effect.

In this blog post, we give you an overview of what has changed and what will remain the same with the GDPR after Brexit in 2021.


GDPR and Brexit - 2021 update


On January 1, 2021, the United Kingdom formally and effectively left the European Union.

Although the UK is now “a third country” under the EU’s GDPR (i.e. a country outside of the EU without an adequacy decision), a provision in the agreement signed by the UK and EU in December 2020 secures an interim period of six months of unrestricted data flow between the two blocs.

This GDPR/Brexit interim data transfer agreement means that – even though the UK is no longer part of the EU and therefore not under the EU’s GDPR – personal data is allowed to be transferred between the UK and EU unrestricted as before.

The EU Commission has released a draft adequacy decision that, if approved, would grant the UK the status of providing adequate data protection and thus ensure the free and uninterrupted flow of data between the two blocs.

The draft adequacy decision is unique in that it is time-limited to four years and only renewed if the UK proves in 2025 to still have adequate data protection.

Subsequently, the European Data Protection Board (EDPB) released an opinion on the draft adequacy decision, noting that there are “key areas of strong alignment between the EU and the UK data protection frameworks” and welcoming the EU Commission’s decision to offer the UK a time-limited adequacy decision that is only renewed after close monitoring of how the UK’s data protection laws will develop in the coming years, now independent of any EU-wide regulatory framework such as the GDPR.

See ICO’s statement of the interim data transfer agreement

Learn more about the data flow grace period between the UK and EU

See the EU Commission’s draft UK adequacy decision

See the EDPB’s opinion on the draft UK adequacy decision



GDPR and Brexit: leaving the EU, UK drafts its own new data laws.

GDPR/Brexit: Upon independence from the EU, the UK has adopted the same data regulations as before its exit.



What happens to GDPR after Brexit in the UK?

We will look at the changes made to the legal landscape of UK data law, but first let’s recap the European General Data Protection Regulation (GDPR).


Compliance with GDPR after Brexit

Cookiebot consent management platform (CMP) is a world-leading solution for achieving full data privacy compliance on your website.

With a powerful scanner that detects all cookies, trackers and trojan horses on your domain and maps exactly where in the world you send data to, Cookiebot CMP takes the hard part out of privacy protection and compliance.

Cookiebot CMP offers plug-and-play compliance with the EU’s GDPR, UK-GDPR, California’s CCPA/CPRA, South Africa’s POPIA, Brazil’s LGPD, Singapore’s PDPA and many other data privacy laws.

Scan your website for free to see if your website is compliant

Try Cookiebot consent management platform (CMP) for free

Learn more about GDPR and consent


Reminder: what is the GDPR?


The European regulation known as GDPR (General Data Protection Regulation) is a law in all EU member states that governs the protection of personal data and the ways it is allowed to be collected and processed by websites, companies, organizations and more.

GDPR has extraterritorial scope, which means that no matter where in the world your company and website are located, they have to comply with the GDPR if they have visitors from inside the European Union.

GDPR sets up a data protection regime in the EU that requires companies and websites (known as “controllers” and “processors” in the law) to have a legal basis in order to process the personal data of individuals (“data subjects”) inside the EU.

The most common legal basis for processing is prior consent – this means that in order to collect and process personal data of an individual in the EU, websites must obtain their consent to do so before any collection or processing can take place.

Learn more about GDPR and cookie consent


GDPR after Brexit in the UK


The European Withdrawal Agreement signed by the UK and EU includes specific provisions on the processing of personal data and the flow of information between the UK and EU.

In particular, Articles 70-73 of the Agreement state that the UK “shall ensure a level of protection of personal data essentially equivalent to that under [European] Union law.”

Ensuring an EU equivalent level of personal data protection is very important for the UK, as it is the only way to be deemed adequate by the EU and thus ensure the free, uninhibited flow of data between the two countries.

Article 45 of the GDPR rules that “a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country (…) ensures an adequate level of protection.”

In December 2020, a provision for an interim six-month period of free personal data flow between the UK and EU was agreed to, which means that for websites, businesses and organisations in the UK, all remains the same as it was before Brexit when it comes to the processing of personal data from inside the EU.



GDPR and Brexit: without the EU, UK needs new domestic data laws.

GDPR after Brexit is fortified in UK law upon Exit Day.



This adequacy decision must be achieved before the end of the interim period in June 2021, or the UK risks being classified as a third country by the EU under the GDPR.

This would mean that personal data transfers are only allowed if the controller or processor has provided safeguards and enforceable data subject rights (GDPR Article 46).

As mentioned earlier in the article, an adequacy agreement between the EU and UK seems to be moving closer with a draft by the EU Commission backed up by an opinion from the European Data Protection Board (EDPB).


Brexit, GDPR and the DPPEC regulations

The GDPR/Brexit changes made to UK data privacy law are all contained in the government’s Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, also known as the DPPEC regulations. 

They took effect on January 31, 2020 in accordance with the now-passed EU Withdrawal Agreement.

The DPPEC regulations do two major things:

  1. create a whole "new" domestic law known as UK-GDPR.
  2. revise the Data Protection Act 2018.

In order to keep the promise in the Withdrawal Agreement’s Articles 70-73, the UK has decided to create a whole “new” domestic law known as the UK-GDPR (United Kingdom General Data Protection Regulation).

The new UK-GDPR is essentially the same as the European GDPR.

It is literally made from the same law text as the EU GDPR but amended so as to substitute the parts of text that read EU and Union law with UK and domestic law.

The UK-GDPR merges the two pre-existing regimes for personal data protection – namely that established by the European GDPR and that established by the Data Protection Act 2018 (specifically the parts of that law known as the “applied GDPR”).

The DPA2018’s “applied GDPR” section is the one that extended the GDPR’s standards to areas that were out of scope of EU law and the GDPR, namely that of law enforcement, intelligence services and immigration (among others).



Brexit and GDPR: data law changes coming on Exit Day.

Brexit means GDPR-like regulation will become domestic law in the UK after January 1, 2021.



But let’s be clear: there are more things that don’t change than do change after Brexit with GDPR.

The UK-GDPR after Brexit will be the same as the EU's GDPR with slight changes, most of which are of a superficial nature.

The core provisions of the GDPR for which it has become known all over the world all remain the same under the new domestic UK-GDPR, including:

Check out more on the new UK-GDPR after Brexit.

The changes made to the GDPR after Brexit in order to create the new domestic version are visible in the following Keeling Schedule, which is a document comprising all the changes of the DPPEC regulations made to the GDPR.

Keeling Schedule for the new domestic post-Brexit GDPR.


The amended Data Protection Act 2018

The new and amended Data Protection Act 2018 also took effect on January 31, 2020.

The DPA2018 will no longer rely on the EU GDPR. It will instead refer to the new domestic UK-GDPR after Brexit.

UK citizens will now be protected by a comprehensive data protection regime that is made up of the UK-GDPR on the one hand that defines (just as the EU GDPR does today) what personal data is and how it is allowed to be processed, and the Data Protection Act 2018 on the other hand, supplementing the domestic GDPR and extending beyond it as well.

More on the new and amended Data Protection Act 2018 here.

Keeling Schedule for the Data Protection Act 2018.


Brexit and GDPR in short

Here’s a short recap of what happened on January 1, 2021:

According to the UK government, “no, or no significant, impact on the private, voluntary or public sector is foreseen” as a consequence of the changes made to UK data protection law.



GDPR after Brexit means both old and new, as same things become different.




Now, with regards to the GDPR after Brexit in the EU – there are no changes.

If a website based in the UK has visitors from the EU, it still has to comply with the European GDPR after Brexit just as it did before.

That’s because the EU GDPR has extraterritorial scope and applies to any website, company or organization in the world that collects or processes data from inside Europe.

The biggest change here will be who is the supervisor and enforcer.

Since the EU GDPR won’t apply domestically to the UK after the transition period of Brexit, data law in the UK will not be supervised or enforced by the European Data Protection Board (EDPB), the main power of supervision and enforcement today.

Rather, it will be the Information Commissioner (ICO) that will supervise and enforce the domestic UK-GDPR and Data Protection Act 2018 on UK soil.


GDPR, Brexit and your website


What does all of this Brexit and GDPR stuff ultimately mean for you and your website and its use of cookies and similar tracking technology?

It means that until June 2021, the interim provision allows unrestricted personal data flow between the UK and EU.

Your website will need to comply with the GDPR (both UK and EU versions) just as before, but no additional measures need to be taken when processing personal data from the EU:

You still need the prior consent of your end-users before you are allowed to collect or process their personal data, e.g. with a cookie banner.

Learn more about GDPR and consent on your website

Cookiebot CMP scans your website and finds all cookies and similar tracking technologies, then blocks all of them except the strictly necessary (and therefore compliant) ones until the user has given their consent as to which they want to activate.

This way, your website can be sure to be in compliance with the requirements of obtaining prior consent from individuals, before collecting or processing their personal data.

Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.

In short, before Brexit, under Brexit and after Brexit, Cookiebot CMP ensures your website's full EU GDPR and UK-GDPR compliance, as well as compliance with the Data Protection Act 2018.

Keep calm and try Cookiebot CMP free for 30 days... or forever if you have a small website.


FAQ


Will the GDPR apply in the UK after Brexit?

If your website processes personal data from users inside the EU, you are required to comply with the EU’s GDPR, even if your website is located and operated from inside the UK after Brexit. The UK-GDPR applies domestically in the UK and requires the same data protection and consent from your users as the EU’s.

Learn more about GDPR and consent


What is the UK-GDPR?

The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s domestic data privacy law that replaces the EU’s GDPR after Brexit. The UK-GDPR is essentially the same law as the EU’s GDPR, only changed to accommodate domestic areas of law. The UK-GDPR will regulate personal data and require the same legal bases for processing of personal data.

Learn more about the UK-GDPR


What is the Data Protection Act 2018?

The Data Protection Act 2018 (DPA2018) is a domestic law governing the use of personal data and flow of information in the UK. Together with the UK-GDPR it forms the legal regime of data privacy in the United Kingdom. The DPA also governs data processing for law enforcement authorities and intelligence services.

Learn more about the Data Protection Act 2018


How can websites be compliant with the UK-GDPR?

Your website is required to obtain prior consent from users before processing any of their personal data. To ensure compliance on your website, a consent management platform scans and detects all cookies and trackers in operation, then keeps them deactivated until your users have given their consent.

Try Cookiebot free for 30 days… or forever if you have a small website


Resources


What is the GDPR?

What is the UK-GDPR?

What is the Data Protection Act 2018?

Interim period until June 2021 for unrestricted data flow between UK and EU

ICO’s statement of the interim period until June 2021

Draft UK adequacy decision by the EU Commission from February 2021

See the EDPB’s opinion on the draft UK adequacy decision

EPRS report on EU-UK private-sector data flows (pdf)

See IAPP's comprehensive Brexit privacy checklist

The DPPEC regulations

Keeling Schedule for the new UK-GDPR

Keeling Schedule for the amended Data Protection Act 2018

The Information Commissioner’s Office (ICO)
