UK-GDPR law after Brexit

The GDPR post-Brexit

Although the United Kingdom (UK) formally withdrew from the European Union (EU) on 31 January 2020, it remained subject to EU law, including the General Data Protection Regulation (EU GDPR), until the end of the transition period on 31 December 2020.

After Brexit, as the UK’s withdrawal from the EU is commonly known, the UK passed the United Kingdom General Data Protection Regulation (UK-GDPR) to protect the personal data of its citizens and residents. The new UK-GDPR took effect on January 1, 2021 so that there was no gap between the EU GDPR and UK-GDPR. Alongside the Data Protection Act of 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003, it governs the processing of personal data belonging to individuals located in the UK.

Since Brexit and the passing of the UK-GDPR, the EU GDPR no longer applies in the UK, as it applies only to the processing of personal data of individuals located in the EU and EEA.

We look at the key provisions of the UK-GDPR, including its scope, main principles, and key obligations related to consent, data processing, and data subject rights.

What is the UK-GDPR?

The UK-GDPR is the UK’s data protection regulation that governs the processing of personal data belonging to individuals located in the UK, including both citizens and residents. They are known as “data subjects” under the UK-GDPR, identified or identifiable natural persons. The UK-GDPR protects the personal data of individuals only, and not other legal entities.

“Personal data” under the UK-GDPR means “any information relating to an identified or identifiable natural person” who can be directly or indirectly identified using it. Examples of personal data include:

• names
• ID numbers
• phone numbers
• online identifiers, such as an IP address
• information collected via tracking cookies
• sensitive personal details, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership

Processing includes both automatic and manual “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data.

The UK-GDPR is almost word for word identical to the EU GDPR, which was adapted after Brexit to suit UK-specific requirements. It provides the main principles, rights, and obligations for data protection in the UK.

Who does the UK-GDPR apply to?

Under Art. 3 UK-GDPR, the regulation applies to the following:

• a person or entity in the UK that processes personal data, whether or not the processing takes place in the UK
• a person or entity located outside the UK that processes the personal data of UK citizens or residents, when the processing activities are related to:
  • goods and services offered to UK citizens and residents, even if no payment takes place
  • the monitoring of their behavior within the UK
• a person or entity that processes personal data in a place where the law of the UK (or part of the UK) applies by virtue of public international law

The UK-GDPR thus has extraterritorial scope and applies to entities located outside the UK if the regulation’s requirements are met.

A person or entity that processes personal data may be either a data controller or data processor under the UK-GDPR. A data controller is a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” When two or more data controllers jointly determine the purposes and means of processing personal data, they are known as “joint controllers” under the regulation.

A data processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”If any one of these circumstances applies to you, the UK-GDPR applies to you and you must comply with its requirements.

Exemptions from the UK-GDPR

Art. 2 UK-GDPR specifies that the regulation does not apply to the processing of personal data: 

• by an individual in the course of a purely personal or household activity
• by a competent authority for law enforcement purposes
• by intelligence services, such as MI5

The processing of personal data for law enforcement and intelligence services purposes is governed by the DPA, which supplements the UK-GDPR. The DPA expands the scope of data protection in the UK to include national security and intelligence services, which are outside the scope of the EU GDPR as it doesn’t have jurisdiction over national security within member states.

Schedule 2 of the DPA also contains exemptions to some provisions of the UK GDPR for the processing of personal data for certain purposes. These exemptions include, among others:

• crime and taxation risk assessments
• legal professional and parliamentary privilege
• immigration
• Bank of England functions
• judicial appointments, independence, and proceedings
• journalism, academia, art, and literature, to balance freedom of expression with privacy rights
• research and statistics
• health data and social work data in certain circumstances 
• child abuse data
• corporate finance
• exam scripts and marks

What are the principles of the UK-GDPR?

The UK-GDPR sets out seven key principles (Art. 5 UK-GDPR) that you must uphold when processing your users’ personal data.

• Lawfulness, fairness, and transparency: you must have a legal basis for processing personal data and must provide clear and transparent information about your data processing activities to users.
• Purpose limitation: you must not process personal data for any purpose other than the ones for which you have obtained explicit, informed consent, unless you obtain new consent if purposes change.
• Data minimization: you must only process that data that is adequate, relevant, and limited to what you need for the intended purposes.
• Accuracy: you must keep users’ personal data up to date and accurate, and correct or delete inaccurate data without delay.
• Storage limitation: you must keep personal data only for as long as necessary for the intended purposes.
• Integrity and confidentiality: you must safeguard personal data and protect it against unauthorized or unlawful processing, accidental loss, destruction, or damage.
• Accountability: you must be responsible for the personal data you process and be able to demonstrate compliance with these principles.

What are the legal bases for processing data under the UK-GDPR?

Art. 6 UK-GDPR provides six legal bases for processing personal data under the UK-GDPR. One of these must apply and be provable for the data processing to be lawful:

1. with the explicit consent of the data subject
2. to perform a contract you have entered into with the data subject
3. to comply with a legal obligation
4. to protect the vital interests of the data subject or of another person
5. to perform a task carried out in the public interest or in the exercise of official authority you may have
6. where you have legitimate interests, except where they infringe upon the interests or fundamental rights and freedoms of the data subject

Legitimate interest is not a legal basis for processing carried out by public authorities performing their tasks. The Interactive Advertising Bureau’s Transparency and Consent Framework v2.2 (IAB TCF v2.2) has also removed legitimate interest as a basis for data processing related to advertising and content personalization. Under the IAB TCF v2.2, explicit consent is the only acceptable legal basis for processing personal data for these purposes.

What is considered UK-GDPR compliant consent?

Consent under the regulation means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Recital 32 explains consent under the UK-GDPR further. Although the recital is not legally binding, it provides important context to help understand the law and what does, and does not, constitute legally valid consent.

It may be via a written statement, including by electronic means, or an oral statement. It may include checking a box on a website or choosing technical settings on an electronic service that the user requests, such as an ecommerce store, streaming service, social media platform, or digital marketplace. Silence, pre-checked boxes and inactivity are not considered valid consent. When there are multiple purposes for processing, the user must give explicit consent for all of them, or if they make granular consent selections only for some of them, processing may only proceed for those selected.

The UK-GDPR gives users the right to withdraw consent at any time once it has been given (Art. 7 UK-GDPR). The method for withdrawing consent should be as easy as the method for giving it.

When it comes to processing the personal data of a child under the age of 13 years, you must obtain consent from the parent or legal guardian for it to be legally valid (Art. 8 UK-GDPR).

Cookies and the UK-GDPR compliance

If you collect personal data from users online, such as from your website or app, the UK-GDPR requires you to obtain explicit consent from users before processing their personal data via cookies and other website tracking technologies. Websites often display cookie banners requesting this consent or cookie walls that at times deny access without consent. These cookie banners serve as the initial point of contact between the website and its visitors, informing users about data collection practices and setting the stage for compliance with the UK GDPR.

The transparency of these banners varies widely, with some sites clearly explaining user rights and options while others fall short. Many sites allow users to customize their consent choices, specifying which types of data they are comfortable sharing. However, a significant number of these cookie banners still do not meet UK-GDPR compliance standards, meaning they don’t fully adhere to legal requirements for user consent and data protection. Cookie walls that block site access unless consent is given are prohibited under many global data privacy regulations, and are not recommended.

To be UK-GDPR compliant, your cookie banner should:

• provide clear information about the use of cookies and their purposes
• obtain explicit consent before any non-essential cookies are stored on the user’s device
• enable users to make granular choices about the types of cookies they are willing to accept
• be user-friendly, ensuring that users can easily navigate the options and provide (or withdraw) explicit consent

Implementing robust cookie consent practices that prioritize transparency, user control, and clear communication can help you achieve compliance with the UK-GDPR’s consent requirements.

What are the rights of data subjects under the UK-GDPR?

Data subjects have eight rights under the regulation (Chapter 3 UK-GDPR). These are the same as the rights under the EU GDPR.

• Right to be informed about how you collect and use their personal data (Arts. 13 and 14)
• Right of access to their personal data and to receive a copy of it (Art. 15)
• Right of rectification or correction of inaccurate data you may hold, including completion of incomplete data (Art. 16)
• Right of erasure of their personal data in certain circumstances, such as when they revoke consent and there’s no other lawful basis for processing, among others — also known as the “right to be forgotten” (Art. 17)
• Right to restrict processing in certain circumstances, such as when the processing is unlawful or you no longer need the personal data, among others (Art. 18)
• Right to data portability or to receive the personal data they have provided to you in a “structured, commonly used and machine-readable format” (Art. 20)
• Right to object to the processing of their personal data in certain circumstances, such as when it is used for direct marketing (Art. 21)
• Rights related to automated decision-making, including profiling to provide data subjects with the right to not have decisions made about them automatically by computers (e.g. AI tools) if those decisions can significantly affect their legal rights or have other major impacts on their life (Art. 22)

What are the obligations of controllers under the UK-GDPR? An overview of key requirements

Controllers are responsible for compliance with all the obligations laid out by the UK-GDPR. This includes not only their own compliance but also ensuring that any processors they work with adhere to the regulation.

A vital obligation for controllers is informing data subjects about your data processing activities (Arts. 13 and 14 UK-GDPR). The UK-GDPR requires you to inform them of:

• what personal data you process
• the purposes for processing personal data
• the legal basis for processing
• how long you will retain the data for
• the recipients or categories of recipients of the personal data, if any
• information about international transfer of personal data, if applicable
• information about users’ rights under the regulation, including the right to revoke consent
• your contact information
• the contact details of your Data Protection Officer (DPO), if you are required to appoint one

This information is commonly provided in a privacy policy or privacy notice. If you collect data through the website cookies and other tracking technologies, you should include a cookie policy that details the use of cookies, including the types of cookies, their purposes, what personal data they collect, who has access to the personal data collected, how long the cookies will stay on users’ browsers for, and how users can set or change their cookie preferences. A cookie policy can be a separate policy or part of the privacy policy.

Your privacy policy must be written in clear, plain language, without using legal jargon, so that anyone can understand it without legal or technical knowledge. It must be clearly accessible for users to find and is commonly shared through a link in a website’s footer and on the cookie banner.

You must use appropriate technical and organizational measures to comply with the regulation, and be able to show you have complied (Art. 24 UK-GDPR). Examples of appropriate measures include, among other actions:

• establishing and maintaining data protection policies that provide a framework for how personal data is handled and protected within the organization
• conducting regular audits and reviews of data processing activities to help identify and mitigate risks associated with data processing, enabling ongoing compliance
• training staff on data protection practices to educate employees about their responsibilities and the importance of protecting personal data

If you are not an entity registered in the UK, you may be required to appoint a designated representative in the country (Art. 27 UK-GDPR), whether you are a controller or processor. However, you remain liable for violations of the UK-GDPR, even after appointment of a representative. The provisions of Art. 27 don’t apply to a public authority or body or when data processing happens occasionally and doesn’t include large-scale processing of:

• special categories of data under the regulation, such as health data, racial or ethnic origin, political opinions
• personal data related to criminal convictions and offenses

The UK-GDPR requires both controllers and processors to appoint a Data Protection Officer (DPO) in specific cases (Art. 37 UK-GDPR), including:

• if you are a public authority or body carrying out data processing
• your data processing operations require regular, systematic, and large-scale monitoring of data subjects
• your data processing activities consist of large-scale processing of special categories of data under the regulation or personal data relating to criminal convictions and offenses
• You must publish the details of your DPO in your privacy policy and communicate them to the Information Commissioner, referred to as the Commissioner in the regulation.

Controllers and processors both must maintain records of processing activities containing information about, among other things (Art. 30 UK-GDPR):

• name and contact details of the controller, joint controller, processor, or Data Protection Officer, if appointed
• any personal data is transferred to third countries or international organizations 
• technical and organizational security measures

These records demonstrate your compliance with the UK-GDPR and must be made available to supervisory authorities upon request.

If you appoint a third-party processor to process personal data on your behalf, you must enter into a written contract with the processor that is binding on them (Art. 28 UK-GDPR). This contract or Data Processing Agreement (DPA) must set out:

• the subject matter and duration of the processing
• the nature and purpose of the processing
• the type of personal data and categories of data subjects 
• your obligations and rights

Processors cannot process personal data without instructions from the controller (Art. 29 UK-GDPR). They must also assist in complying with the regulation, including deleting personal data, ensuring confidentiality of the data, and implementing appropriate security measures.

In the event of a data breach, you must notify the Commissioner without undue delay and not later than 72 hours after you become aware of it (Art. 33 UK-GDPR). If there is a further delay, you must inform the Commissioner why there has been a delay. In case the breach may result in a high risk to the rights and freedoms of natural persons, you must also communicate the breach to the affected data subjects without delay (Art. 34 UK-GDPR).

The UK-GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) in situations where processing is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies (Art. 35 UK-GDPR). The DPIA must be conducted before the processing takes place, and you must consult your DPO when carrying it out.

Data transfers outside the UK under the UK-GDPR

Chapter 5 UK-GDPR addresses the transfer of personal data from the UK to third countries or international organizations, whether during processing or after it has been processed.

Transferring personal data outside of the UK needs additional measures to ensure its protection. These measures often include a specific adequacy agreement, which verifies that the destination country or organization provides an adequate level of data protection comparable to that provided under the UK-GDPR (Art. 45 UK-GDPR). It allows for the free flow of personal data from the UK to the designated country without requiring additional safeguards. The UK has two adequacy agreements currently in place, with the European Economic Area (EEA) and South Korea.

When assessing whether the level of protection of the third country or international organization is adequate, the considerations include:

• rule of law and respect for human rights and fundamental freedoms 
• existence of one or more independent supervisory authorities
• existing international commitments of the third country or international organization, or obligations arising from legally binding conventions

You may transfer personal data outside the UK in the absence of an adequacy agreement, but only if you have provided appropriate safeguards and can ensure data subject rights and legal remedies are available (Art. 46 UK-GDPR).

Data transfers can be done to a third country or international organization when there’s no adequacy agreement or appropriate safeguards in place only if one of the following conditions is fulfilled (Art. 49 UK-GDPR):

• the data subject has given explicit consent after being informed of the potential risks of the transfer 
• the transfer is necessary for you to perform a contract with the data subject
• the transfer is necessary for the conclusion or performance of a contract in the data subject’s interest with another person or entity
• for reasons of public interest
• for establishing, exercising, or defending legal claims
• to protect the data subject’s or another person’s vital interests, particularly when the data subject is physically or legally incapable of consenting
• the transfer is made from a public register intended to provide information to the public, and access to this register is granted based on domestic law

Penalties under the UK-GDPR

Art. 83 UK-GDPR outlines two levels of penalties for violations of the UK-GDPR.

Infringement of the following provisions are subject to fines up to GBP 8.7 million, or up to 2 percent of the total worldwide annual turnover for the preceding financial year, whichever is higher:

• obligations of the controller and processor under Arts. 8, 11, 25 to 39, 42, 43
• obligations of the certification body under Arts. 42 and 43
• obligations of the monitoring body under Art. 41(4)

Infringements of the following provisions are subject to fines up to GBP 17.5 million, or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• basic principles for processing, including conditions for consent, under Arts. 5, 6, 7, and 9
• data subjects’ rights under Arts. 12 to 22
• transfers of personal data to a recipient in a third country or an international organization under Arts. 44 to 49
• any obligations under Schedule 2, Parts 5 or 6 of the DPA or regulations made under section 16(1)(c) of the DPA
• noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the Commissioner under Art. 58, or failure to provide access in violation of Art. 58

Who is responsible for enforcing the UK-GDPR?

The Commissioner, who heads the Information Commissioner’s Office (ICO), is responsible for enforcement of the UK-GDPR (Art. 57 UK-GDPR). The ICO is the UK’s independent authority set up to uphold information rights in the public interest.

The Commissioner has various powers under the UK-GDPR, including (Art. 58):

• investigative powers, including ordering controllers and processors to provide necessary information, notifying controllers and processors of alleged violations of the regulation, and obtaining access to personal data and premises for their tasks
• corrective powers, including issuing warnings and reprimands, ordering compliance with data subject requests, imposing limitations or bans on processing, and imposing administrative fines
• authorization and advisory powers, including advising controllers and processors, issuing opinions to Parliament and the government, accrediting certification bodies, and authorizing contractual clauses and binding corporate rules for data transfers

Remedies for data subjects under the UK-GDPR

The UK data protection law provides data subjects with multiple remedies if their rights have been violated.

Under Art. 77 UK-GDPR, data subjects have the right to lodge a complaint with the Commissioner, who shall inform them of the progress and outcome of the complaint. Art. 78 UK-GDPR provides the right to an an effective judicial remedy in the following cases: 

• against a legally binding decision of the Commissioner
• where the Commissioner does not handle a complaint
• where the Commissioner does not inform the data subject on the progress or outcome of a complaint lodged under Art. 77 within three months

Art. 79 UK-GDPR gives data subjects a private right of action against controllers and processors where they believe their rights have been infringed as a result of processing of their personal data in violation of the UK-GDPR. Lodging a complaint with the Commissioner does not prevent them from also exercising a private right of action.

Any person who has suffered ”material or non-material damage” as a result of a violation by the controller or processor has the right to receive compensation from the violating party for the damage suffered (Art. 82 UK-GDPR). The controller or processor are not liable if they can prove they are not responsible for the event that caused the damage.

Steps to achieve UK-GDPR compliance

If you’re a data controller or processor under the UK-GDPR, you can take steps to comply with its requirements.

1. Audit your website’s use of cookies

To satisfy regulatory requirements, you must know which cookies your website uses and list them accurately on your cookie consent banner. Tools like Cookiebot CMP can scan your website to detect all cookies and other trackers and generate a detailed audit report to help you meet this requirement. By understanding and clearly listing these cookies, you can provide transparency to your users and adhere to legal standards.

2. Create a comprehensive privacy policy

Creating a detailed privacy policy that’s easily accessible to users can help meet the UK-GDPR’s transparency requirements. Whenever there are changes in your data handling practices, make sure to update your privacy policy. 

Your privacy policy should include: 

• types of personal data collected
• legal basis and purposes for processing this data
• how long you will keep the data for 
• data subjects rights, and how they can exercise these rights
• how they can withdraw consent
• contact details for the DPO, if you have appointed one

3. Obtain explicit user consent

User consent must meet all the UK-GDPR’s criteria to be considered valid and must be obtained without manipulation. If you handle the personal data of users in the UK, you can use a consent management platform (CMP) or cookie consent solution like Cookiebot CMP to obtain explicit, informed, and legally valid consent.

A UK-GDPR compliant cookie banner from Cookiebot CMP helps you secure user consent that meets regulatory standards. It enables you to collect opt-in consent from users and records this consent as required by the regulation. Cookiebot CMP also supports granular consent collection, enabling users consent to certain purposes while rejecting others. It also provides an easy way for users to change or withdraw their consent at any time, and records that information as well to provide an audit trail.

4. Maintain records of data processing activities

Both data controllers and processors must keep detailed records of processing activities. The information required differs slightly depending on whether you’re a controller or a processor, as outlined in Art. 30 UK-GDPR of the GDPR. These records are a mandatory requirement and are essential to demonstrate compliance with the UK-GDPR.

What are the differences between the UK-GDPR and EU GDPR?

The UK-GDPR is nearly identical to the European GDPR, with changes to accommodate domestic areas of law. It was drafted from the EU GDPR law text and revised to “United Kingdom” instead of “Union” and “domestic law” rather than “EU law”.

Some sections of the EU GDPR that are not applicable to the UK have been removed. Chapter 7 of the EU GDPR, which contains provisions for cooperation and consistency between multiple supervisory authorities or Data Protection Authorities of different EU nations, as well as the establishment of the European Data Protection Board, has been removed entirely from the UK-GDPR. Similarly, Art. 81 of the EU GDPR, which deals with suspension of proceedings when there are two or more proceedings on the same subject before different EU member states, has also been removed. These are two examples of EU GDPR provisions that have been removed from the UK-GDPR as they do not apply to UK law and legal procedures.

A notable difference between the UK-GDPR and EU GDPR is that the age for obtaining valid consent is lowered to 13 years in the UK from 16 years in the EU. For data subjects under 13 years old, you need to obtain consent from a parent or legal guardian.

You can see the differences between the UK-GDPR and EU GDPR in a Keeling Schedule, an unofficial document highlighting what has been changed in legislation. It is very transparent for getting a precise picture of how the UK has amended the regulation — where it deviates and where it stays the same.

FAQ