Logo Logo
Cookiebot

After Brexit, the United Kingdom General Data Protection Regulation (UK-GDPR) and Data Protection Act 2018 affect how you as a website owner must obtain and store cookie consents from your visitors from the UK & EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR compliant.

ICO and GDPR enforcement: what happens after Brexit to the GDPR in UK?

Updated June 24, 2020.


The United Kingdom is protected by several data privacy laws that regulate how the personal information of individuals inside the UK are allowed to be handled. One of them is the European General Data Protection Regulation (GDPR).

However, the UK left the EU on January 31, 2020.

After Brexit, a new domestic UK-GDPR (United Kingdom General Data Protection) will take effect, along with an amended version of the Data Protection Act 2018.

The EU GDPR will still apply for the duration of the transition period – likely until December 31, 2020.

Read this article to know more about the European GDPR, the “new UK-GDPR”, the amended Data Protection Act 2018, the PECR and how to be compliant all around with Cookiebot.


What is GDPR?


The General Data Protection Regulation (GDPR) is an EU law that took effect in May 2018 and is uniformly binding in all 27 EU nations. It controls how companies and organizations are allowed to handle personal data.

Personal data is defined in the GDPR as anything that can be directly or indirectly identified to a natural person, such as names, physical addresses, IP addresses, location data, and information about physical, mental, economic, cultural or social facts.

Sensitive personal data, however, is defined by the GDPR as data about religious convictions, political opinions and/or sexual orientation.



GDPR in the UK is enforced by ICO, GDPR's watchdog on the Isles

The GDPR protects the personal data of individuals inside the EU.



The GDPR clarifies in total eight rights for individuals, including the right to request access to one’s data (a so-called Subject Access Request or SAR), as well as to request their personal data deleted.

However, the most important right that the GDPR empowers EU citizens with is the right to not have their data (personal or sensitive) collected and processed without prior consent.

Here, the GDPR requires websites to -

  1. obtain clear and unambiguous consent from its users,
  2. prior to any processing of personal data,
  3. after specifying all types of cookies and other tracking technology present and operating on its pages,
  4. in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
  5. to then be able to safely and confidentially document each user consent,
  6. and to ask for renewed consent regularly, e.g. every twelve months.

This is the backbone of GDPR compliance.

In doubt whether your website is GDPR compliant? Test with Cookiebot's free compliance test.

Try Cookiebot free for 30 days... or forever if you have a small website.


GDPR in the UK after January 31, 2020

The United Kingdom has been regulated by the European GDPR since it took effect in May 2018 and it will continue to apply for the duration of the transition period until December 31, 2020.

However, on January 31, 2020, a new UK-GDPR took effect domestically alongside an amended version of the Data Protection Act 2018.

The new UK-GDPR is essentially the same as its European predecessor, only revised so as to cover areas of the domestic law that are not touched upon by the EU regulation. These include among others national security, the intelligence services and immigration.

By implementing the GDPR into domestic law, the UK ensures an adequate level of data protection that secures future, unrestricted data flows between the UK and EU after the end of the transition period (December 31, 2020).


GDPR compliance after January 31, 2020

Being compliant with the EU GDPR, the new UK-GDPR and the supporting data protection legislations such as the Data Protection Act 2018 might seem a tad confusing, what with all the other messy stuff that comes with Brexit.

Cookiebot specializes in the part of GDPR compliance that has to do with websites, cookies and the collection and processing of personal data online.

Cookies are one of the most common ways that websites process personal data, so it’s super important in terms of data law compliance to both know what cookies are active on your website and to enable your end-users with a choice of prior consent as to which cookies they want active, when visiting your domain.

Whether your company or website processes the personal data of individuals in the EU or UK, the requirements for processing are the same.

You must obtain the consent of your end-users prior the any processing.

Cookiebot is a consent management solution that scans your website to find all cookies and similar tracking technologies, then blocks them until the end-user has made their choice of consent as to what of their data, they wish to share.

Cookiebot does this by simulating visitors on your website – scrolling, clicking, exhausting all possible uses of your domain to activate and find all trackers present, both first party (your own website’s) and third party (usually marketing cookies from ad tech companies that are privacy invasive).

Cookiebot offers full customization of the interface, e.g. a cookie banner, that your end-users interact with when giving their consent.

Try Cookiebot for free today.


GDPR and the UK's other data laws


The Information Commissioners’ Office has several data laws to enforce in the UK.

After Brexit January 31, 2020, the following data laws has taken effect in the UK:

PECR is the UK’s national implementation of the European ePrivacy Directive. It deals with the protection of personal data in relation to electronic communications, specifically cookies and online marketing communications.

Visit the ICO to read more about the PECR.

Since it’s a national implementation, i.e. a domestic UK law, the PECR will still apply after Brexit.



ICO and GDPR: enforcement of PECR, DTA and GDPR in the UK

ICO enforces PECR, DPA2018 and the new UK-GDPR.



ICO and cookies - updated guidelines to the PECR

ICO updated its guidelines regarding the use of cookies, and hence processing of user data, according to the PECR. It has done so in order to align it with the consent standards of the GDPR.

ICO has ruled that the only form of valid consent on websites are consents given prior to the initial tracking, obtained through cookie banners without any pre-ticked checkboxes.

Read more about the updated guidelines on ICO’s own website.

Website owners and operators are no longer allowed to collect or process personal information if users simply close a cookie banner or choose to keep browsing on a site after the popping up of a cookie banner.

Instead, users must affirmatively consent by clicking and ticking the boxes of all categories of cookies apart from the strictly necessary ones on which a website functions.



GDPR in UK: compliance via Cookiebot consent banners.

This is how a compliant cookie banner in the UK looks, according to the new guidelines by the ICO


Who enforces GDPR in the UK?


The responsibility of enforcing the EU GDPR on UK soil lies with the Information Commissioner’s Office (ICO).

It will remain the responsibility of the ICO to enforce the EU GDPR until it is no longer applicable at the end of the transition phase on December 31, 2020.

It is the national data protection authorities (the so-called DPAs) of each EU nation that has the responsibility of enforcing the GDPR in their country, although special responsibility and power falls to the Irish DPA for being the lead regulator of the GDPR in EU.

This is because a provision in the GDPR specifies that the law’s lead regulator must be the DPA of the country that houses a tech company’s data controller, which is the case for Ireland when it comes to both Facebook and Google.



ICO enforces the GDPR in the UK

ICO is the data authority and enforcer of the GDPR in the UK.



ICO and GDPR

ICO is the enforcer of the GDPR in the UK with the power to conduct criminal investigations and issue fines, as was witnessed last year when it raided the offices of Cambridge Analytica, the disgraced data firm that abused the personal information of 87 million people, obtained through Facebook, to influence both British and US elections.

After Brexit, the ICO will become the enforcer, supervisor and regulator of the domestic UK-GDPR.


GDPR fines UK

According to the GDPR, UK websites and companies who fail to comply with its requirements can be fined up to €20 million or four percent of a company’s annual global turnover, whichever is greater.

So far the GDPR fines in UK vary a lot in form and strength.

ICO has enforced the GDPR in the UK on numerous occasions already.

A lot of the monetary penalties issued by ICO a year after the date of effect of the GDPR in the UK center around unsolicited direct marketing, which is unlawful according the to GDPR. Prior consent from its customers or users is required before a company or website can undertake direct marketing.

ICO has stated that it prefers to work with organizations to improve their practices, rather than seeking maximum fines.

Its GDPR enforcement has so far taken shape as monetary penalties, but also guidance to companies and organizations in order to improve their practices and sometimes “a stern letter can be enough”, ICO stated.


How to comply with the GDPR in the UK


If you process personal data of individuals in the UK, you must comply with the GDPR, the Data Protection Act 2018 and the PECR.

After Brexit, you must comply with the new UK-GDPR, the Data Protection Act 2018 and the PECR.

Cookiebot enables full compliance both before, during and after Brexit.

Try Cookiebot for free today.


Summary


So, to sum up -

GDPR and the UK

The EU’s GDPR will apply to the UK until the end of the transition period on December 31, 2020.

After Brexit, the new UK-GDPR will take effect and mean the same data protection and requirements apply as before under EU law.

ICO and GDPR

The ICO is the UK’s data protection authority with the power to enforce the EU’s GDPR on UK soil.

ICO has updated their guidelines to the PECR (the national implementation of the ePrivacy Directive) to meet the standards of consent specified in the GDPR. After Brexit, ICO will be the enforcer of the domestic UK-GDPR.

Data Protection Act 2018 and PECR

An amended version of the Data Protection Act 2018 will come into effect on January 31, 2020.

PECR is a domestic law in the UK regulating electronic communication and will continue to apply after Brexit January 31, 2020.

Cookiebot ensures compliance for your website today and after Brexit.

Try Cookiebot for free today.



FAQ


Does the GDPR apply in UK after Brexit?

The EU’s General Data Protection Regulation applies to any processing of personal data from individuals inside the European Union, but after Brexit, will no longer apply to the processing of personal data from individuals inside the UK. After Brexit, the new UK-GDPR will take effect and have domestic application equivalent to the EU’s GDPR.

Learn more about GDPR and consent


Who will enforce the UK-GDPR?

The Information Commissioner’s Office (ICO) is the lead supervisory body and enforcer of the UK-GDPR. It is the responsibility of the ICO to enforce the EU’s GDPR in UK until it is no longer applicable after December 31, 2020. The ICO has the power to conduct criminal investigations, adopt guidelines and issue fines for non-compliance.

Learn more about the UK-GDPR


What is personal data under the UK-GDPR?

Personal data is anything that can be used to identify a living individual, either directly or indirectly. Personal data includes names, addresses, driver’s license, passport number, health data, location data, information about religious beliefs and political convictions, but also cookies, IP addresses, search and browser history.

Learn more about GDPR after Brexit


How do I control cookies on my website?

Cookies are difficult to control – many cookies will secretly load other cookies, and many of those will change on repeated visits. Using a consent management platform can help your website control its cookie setup and ensure compliance with data privacy laws like the EU’s GDPR and UK-GDPR.

Try Cookiebot free for 30 days.


Resources


New UK-GDPR

New and amended Data Protection Act 2018

GDPR and Brexit

General Data Protection Regulation (GDPR) official law text

ePrivacy Directive 2009 official law text

UK Data Protection Act 2018 official law text

Privacy and Electronic Communications Regulations (PECR)

ICO

ICO enforces data laws in the UK

ICO’s updated guidelines

New Google Consent Mode 

Cookiebot integrates perfectly with the new Google Consent Mode.

Make your website’s use of cookies and online tracking compliant today

Try for free