Updated July 1, 2021.
The UK left the EU on December 31, 2021.
After Brexit, the UK is no longer regulated domestically by the EU’s General Data Protection Regulation (GDPR), which governs processing of personal data from individuals inside the EU.
Instead, the UK now has its own version known as the UK-GDPR (United Kingdom General Data Protection Regulation).
The new UK-GDPR took effect on January 31, 2020.
In this blogpost, we take a look at the “new” UK data law.
UK-GDPR, quick summary
Brexit, UK-GDPR and UK adequacy decision 2021
Brexit is finally over, and the United Kingdom is no longer part of the European Union.
This means that the EU’s General Data Protection Regulation (GDPR) does not apply domestically to the UK any longer, as it has done since it came into effect in May 2018, when the UK was still a member state.
In anticipation of Brexit, a new domestic data privacy law called the UK-GDPR took effect on January 31, 2020, and – alongside the Data Protection Act of 2018 and the PECR – governs all processing of personal data from individuals located inside the United Kingdom.
The UK-GDPR is almost word for word completely identical to the EU’s GDPR: it requires your website to obtain the explicit consent from users before processing their personal data via cookies and third-party trackers; it requires you to safely store and document each valid consent; it requires your website to enable users to change their consent just as easily as they gave it; and it gives a set of rights to UK users, chief among them the right to delete and the right to have corrected already collected personal data.
The UK-GDPR requires your website to obtain user consent prior to personal data processing, just like the EU’s GDPR.
After Brexit, the UK is now categorized as a “third country” by the EU under the GDPR.
However, on June 28, 2021, the EU adopted an adequacy decision for the UK, ensuring the continued free flow of personal data from individuals inside the EU to the UK.
The UK adequacy decision by the European Commission is limited to four years and will not be automatically renewed, but will require a new adequacy process to determine whether the UK still ensures an equivalent level of data protection in June 2025.
All of this means that yes, there are still two different GDPRs that you and your website has to deal with – one of them applies if you have users from inside the EU, the other if you have users from inside the UK.
UK-GDPR compliance with Cookiebot CMP
Get plug-and-play compliance with both the UK-GDPR and EU’s GDPR, including compliance with all other major data privacy laws around the world.
Cookiebot CMP is a world-leading solution for automated compliance on your website, built around a powerful scanner that detects and controls all cookies, trackers and third-party trojan horses in operation on your domain, so your users can give granular consent to their personal data being processed.
Cookiebot CMP consent banner enabling full compliance with the UK-GDPR and EU’s GDPR.
Through highly customizable consent banner and geo-targeting, Cookiebot CMP presents each of your website’s visitors with the correct and compliant data privacy solution to their specific region, whether it’s inside the EU, UK, California, South Africa, Singapore, New Zealand or elsewhere.
UK-GDPR – substance and scope
The United Kingdom General Data Protection Regulation (UK-GDPR) is essentially the same law as the European GDPR, only changed to accommodate domestic areas of law.
It was drafted from the EU GDPR law text and revised to United Kingdom instead of Union and domestic law rather than EU law.
European data law became domestic UK-GDPR on Exit Day.
This means that the core definitions and legal terminology now famous from the European GDPR, such as personal data and the rights of data subjects, controller and processor and their need for legal bases for processing like prior consent are all to be found in the UK-GDPR.
However, the UK-GDPR does expand on -and deviate from- the EU GDPR in significant ways that will make changes to the legal landscape of data protection in the UK.
These changes are found in the UK government’s Data Protection, Privacy and Electronic Communications (EU Exit) Regulation (DPPEC regulation).
This regulation changes and shapes the European GDPR into the domestic UK-GDPR, as well as revising the Data Protection Act 2018.
A Keeling Schedule is an unofficial document highlighting what has been changed in legislation. It is very helpful for getting a precise picture of how Britain is amending the European GDPR into the UK-GDPR – where it deviates and where it stays the same.
UK-GDPR expands and changes the European GDPR
The areas expanded on by the UK-GDPR are:
- National security
- Intelligence services
These areas are per definition outside the scope of the European GDPR, since it is an extra-national regulation from the EU without powers to govern matters of national security in member states.
However, the UK-GDPR sets out certain exceptions by which the regular protection of personal data can be bypassed, e.g. when in matters of national security or in matters of immigration. It also applies the same requirements for collection and processing of personal data to the intelligence services.
Another big change in the UK-GDPR is that the Information Commissioner, the leading data protection authority in the UK today, will become the leading supervisor, regulator and enforcer of the UK-GDPR.
The “Commissioner”, as the ICO is known in the new UK-GDPR, will have all responsibility of enforcement.
It means that where before under EU GDPR, the European Data Protection Board would have been the highest supervisory authority, the ICO now takes over all matters relating to regulation and enforcement of the UK-GDPR.
Additionally, the Secretary of State is being endowed with powers to determine or revoke adequacy decisions on behalf of the UK-GDPR.
In fact, the Secretary can make these decisions without the consultation of the ICO.
Because of the extraterritorial scope of the UK-GDPR, any website or company in the world that processes the personal data of individuals located inside the UK, are bound to comply with the UK-GDPR.
This also means that e.g. EU companies offering services in the UK need to appoint a representative, as has been the case in reverse from the European GDPR.
A representative is defined in the UK-GDPR as “a natural or legal person established in the United Kingdom who represents the controller or processor.”
Furthermore, when the UK-GDPR came into effect on January 31, 2020, it automatically recognized all EU countries as adequate, along with recognizing all existing EU adequacy decisions as UK adequate as well (e.g. the US Privacy Shield).
And lastly, a notable difference from the European GDPR to the new domestic UK-GDPR is that the age of valid consent is lowered to 13 years in the UK (16 years in the EU).
UK-GDPR and compliance for your website
Okay, so what does this mean for your company in the UK, or your website in the EU offering services to and collecting personal data of individuals in the United Kingdom?
Well, it means that leaving the European Union does not mean that you will see a lessening of requirements as to how you process personal data.
In fact, the global standard set by the European GDPR is now literally becoming the domestic standard of the United Kingdom. Protecting the privacy and personal data of your end-users and customers is the new law of the land.
It means that you will need to meet the same high GDPR standards as before, only these will be enforced by the ICO in UK and are subject to their audits.
Cookiebot CMP offers the leading consent management solution on the market today. We have built our patent-pending technology on the basis of the GDPR even before it became European law, and much before it would eventually seep into domestic British law.
Scans your website for free and find all cookies and similar trackers.
Cookiebot CMP blocks it all until the end-users have given their consent to which data they will allow to be collected on your platform – as required by both the UK-GDPR and EU’s GDPR.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
What is the UK-GDPR?
The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK. The UK-GDPR was drafted as a result of the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer.
What are the differences between the UK-GDPR and EU’s GDPR?
There are very few substantial differences between the UK-GDPR and its EU equivalent. Essentially, the UK has lifted the entire structure of the EU GDPR and put it in place into UK law. However, the UK-GDPR changes key areas of the law concerning national security, intelligence services and immigration.
Who is liable under the UK-GDPR?
Any website, company or organization that processes personal data from individuals inside the UK is required to comply with the UK-GDPR – even if the website or company isn’t itself located within the UK.
How can my website become compliant with the UK-GDPR?
Using a consent management platform that can scan and detect all cookies, then automatically control them all until the user has given their consent which they will allow activated and process their personal data is a secure way of ensuring compliance with the UK-GDPR and EU-GDPR for your website.