On June 28, 2021, the EU adopted an adequacy decision for the UK<\/a>, ensuring the free flow of personal data between the two blocs for a four-year period (until June 2025).<\/p>\n\n\n\n For UK websites, companies and organizations processing personal data from individuals inside the EU, this UK adequacy decision means unrestricted business-as-usual for the next four years.<\/p>\n\n\n\n After June 2025, the EU will have to engage in a new adequacy process to determine whether the UK still ensures an equivalent level of data protection for the adequacy decision to be renewed.<\/p>\n\n\n\n See the UK adequacy decision from June 2021<\/a><\/p>\n\n\n\n See the ICO\u2019s consultation on data transfers to and from the U.K. from August 2021<\/a><\/p>\n\n\n\n What happens to GDPR after Brexit in the UK?<\/p>\n\n\n\n We will look at the changes made to the legal landscape of UK data law, but first let\u2019s recap the European General Data Protection Regulation (GDPR).<\/p>\n\n\n\n Our consent management platform (CMP)<\/a> is a world-leading solution for achieving full data privacy compliance on your website.<\/p>\n\n\n\n With a powerful scanner that detects all cookies, trackers and trojan horses on your domain and maps exactly where in the world you send data to, Cookiebot CMP<\/a> takes the hard and difficult part out of privacy protection and compliance.<\/p>\n\n\n\n Cookiebot CMP<\/a> offers plug-and-play compliance with the EU\u2019s GDPR<\/a>, UK-GDPR<\/a>, California\u2019s CCPA\/CPRA<\/a>, South Africa\u2019s POPIA<\/a>, Brazil\u2019s LGPD<\/a>, Singapore\u2019s PDPA<\/a> and many other data privacy laws.<\/p>\n\n\n\n Learn more about GDPR and consent<\/a><\/p>\n\n\n\n The European regulation known as GDPR (General Data Protection Regulation)<\/strong> is a law in all EU member states that govern the protection of personal data<\/strong> and the ways it is allowed to be collected and processed by websites, companies, organizations and more.<\/p>\n\n\n\n GDPR<\/strong> has extraterritorial scope, which means that no matter where in the world your company and website is located, it has to comply with the GDPR if it has visitors from inside the European Union.<\/p>\n\n\n\n GDPR<\/strong> sets up a data protection regime in the EU that requires companies and websites (known as \u201ccontrollers\u201d and \u201cprocessors\u201d in the law) to have a legal basis in order to process the personal data of individuals (\u201cdata subjects\u201d) inside the EU.<\/p>\n\n\n\n The most common legal basis for processing is prior consent \u2013 this means that in order to collect and process personal data of an individual in the EU, websites must obtain their consent to do so before any collection or processing can take place.<\/p>\n\n\n\n Learn more about GDPR and cookie consent<\/a><\/p>\n\n\n\n The European Withdrawal Agreement signed by the UK and EU includes specific provisions on the processing of personal data and the flow of information between the UK and EU.<\/p>\n\n\n\n In particular, Articles 70-73<\/strong> of the Agreement state that the UK \u201cshall ensure a level of protection of personal data essentially equivalent to that under [European] Union law.\u201d<\/em><\/p>\n\n\n\n Ensuring an EU equivalent level of personal data protection is very important for the UK, as it is the only way to be deemed<\/strong> adequate<\/strong> by the EU and thus ensure the free, uninhibited flow of data between the two countries.<\/p>\n\n\n\n Article 45<\/strong> of the GDPR rules that \u201ca transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country (\u2026) ensures an adequate level of protection.\u201d<\/em><\/p>\n\n\n\n In December 2020, a provision for an interim six month-period of free personal data flow<\/a> between UK and EU was agreed to, which means that for websites, businesses and organizations in the UK, all remains the same as it was before Brexit<\/strong> when it comes to the processing of personal data from inside the EU.<\/p>\n\n\n\n On June 28, 2021, an adequacy decision was given by the EU to the UK, acknowledging the country\u2019s data protection level as equivalent as the bloc\u2019s own and thereby ensuring free flow of data for a period of four years (until June 2025).<\/p>\n\n\n\n See the UK adequacy decision from June 2021<\/a><\/p>\n\n\n\n The GDPR\/Brexit changes made to UK data privacy law are all contained in the government\u2019s Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019<\/a><\/em>, also known as the DPPEC regulations. <\/p>\n\n\n\n They took effect on January 31, 2020, in accordance with the now-passed EU Withdrawal Agreement.<\/p>\n\n\n\n The DPPEC regulation<\/strong>s do two major things:<\/p>\n\n\n\n In order to keep the promise in the Withdrawal Agreement\u2019s Articles 70-73, the UK has decided to create a whole \u201cnew\u201d domestic law known as the UK-GDPR<\/strong> (United Kingdom General Data Protection Regulation).<\/p>\n\n\n\n The new UK-GDPR<\/a> is essentially the same as the European GDPR.<\/p>\n\n\n\n It is literally made from the same law text as the EU GDPR but amended so as to substitute the parts of text that read EU<\/em> and Union law<\/em> with UK<\/em> and domestic law<\/em>.<\/p>\n\n\n\n The UK-GDPR<\/a> merge the two pre-existing regimes for personal data protection \u2013 namely that established by the European GDPR and that established by the Data Protection Act 2018 (specifically the parts of that law known as the \u201capplied GDPR\u201d).<\/p>\n\n\n\n The DPA2018\u2019s<\/a> \u201capplied GDPR\u201d section is the one that extended the GDPR\u2019s standards to areas that were out of scope of EU law and the GDPR, namely that of law enforcement<\/strong>, intelligence services <\/strong>and immigration<\/strong> (among others).<\/p>\n\n\n\n But let\u2019s be clear: there are more things that don\u2019t change than do change<\/strong> after Brexit with GDPR.<\/p>\n\n\n\n The UK-GDPR <\/a>after Brexit will be the same as the EU's GDPR<\/a> with slight changes, most of which are of superficial nature.<\/p>\n\n\n\n The core provisions of the GDPR for which it has become known all over the world all remain the same under the new domestic UK-GDPR, including:<\/p>\n\n\n\n Check out more on the new UK-GDPR after Brexit.<\/a><\/p>\n\n\n\n The changes made to the GDPR after Brexit in order to create the new domestic version are visible in the following Keeling Schedule, which is a document comprising all the changes of the DPPEC regulations made to the GDPR.<\/p>\n\n\n\n Keeling Schedule for the new domestic post-Brexit GDPR.<\/a><\/p>\n\n\n\n The new and amended Data Protection Act 2018<\/a> also took effect on January 31, 2020.<\/p>\n\n\n\n The DPA2018<\/a> will no longer rely on the EU GDPR, but on the UK-GDPR<\/a> instead. It will instead refer to the new domestic GDPR after Brexit.<\/p>\n\n\n\n UK citizens will now be protected by a comprehensive data protection regime that is made up of the UK-GDPR<\/a> on the one hand that defines (just as the EU GDPR does today) what personal data is and how it is allowed to be processed, and the Data Protection Act 2018<\/a> on the other hand, supplementing the domestic GDPR and extending beyond it as well.<\/p>\n\n\n\n More on the new and amended Data Protection Act 2018 here.<\/a><\/p>\n\n\n\n Keeling Schedule for the Data Protection Act 2018.<\/a><\/p>\n\n\n\n Here\u2019s a short recap of what happened on January 1, 2021:<\/p>\n\n\n\n According the UK government, \u201cno, or no significant, impact on the private, voluntary or public sector is foreseen\u201d<\/em> as a consequence of the changes made to UK data protection law.<\/p>\n\n\n\n Now, with regards to the GDPR after Brexit in the EU \u2013 there are no changes<\/strong>.<\/p>\n\n\n\n If a website based in the UK has visitors from the EU, it still has to comply with the European GDPR after Brexit just as it did before.<\/p>\n\n\n\n That\u2019s because the EU GDPR has extraterritorial scope and applies to any website, company or organization in the world that collects or processes data from inside Europe.<\/p>\n\n\n\n The biggest change here will be who is the supervisor and enforcer.<\/p>\n\n\n\n Since the EU GDPR won\u2019t apply domestically to the UK after the transition period of Brexit, data law in the UK will not<\/em> be supervised or enforced by the European Data Protection Board (EDPB)<\/a>, the main power of supervision and enforcement today.<\/p>\n\n\n\n Rather, it will be the Information Commissioner (ICO)<\/a> that will supervise and enforce the domestic UK-GDPR and Data Protection Act 2018 on UK soil.<\/p>\n\n\n\n What does all of this Brexit and GDPR stuff ultimately mean for you and your website and its use of cookies and similar tracking technology?<\/p>\n\n\n\n It means that until June 2021<\/strong>, the interim provision allows unrestricted personal data flow between UK and EU.<\/p>\n\n\n\n Your website will need to comply with the GDPR (both UK and EU versions) just as before, but no additional measures need to be taken when processing personal data from the EU:<\/p>\n\n\n\n You still need the prior consent<\/strong> of your end-users before you are allowed to collect or process their personal data, e.g. with a cookie banner.<\/p>\n\n\n\n Learn more about GDPR and consent on your website<\/a><\/p>\n\n\n\n Cookiebot CMP<\/a> scans your website and finds all cookies and similar tracking technologies, then blocks them all apart from the strictly necessary, and therefore compliant, until the user has given their consent as to which they want to activate.<\/p>\n\n\n\n This way, your website can be sure to be in compliance with the requirements of obtaining prior consent from individuals, before collecting or processing their personal data.<\/p>\n\n\n\n Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.<\/p>\n\n\n\n In short, before Brexit, under Brexit and after Brexit, our solution ensures your website full EU and UK-GDPR compliance<\/a>, as well as compliance with the Data Protection Act 2018<\/a>.<\/p>\n\n\n\n\n\n\n","protected":false},"excerpt":{"rendered":" GDPR and Brexit - 2021 update On January 1, 2021, the United Kingdom formally and effectively left the European Union. Although the UK is now \u201ca third country\u201d under the EU\u2019s GDPR (i.e. a country outside of the EU without an adequacy decision), a provision in the agreement signed by the UK and EU in […]<\/p>\n","protected":false},"author":9,"featured_media":1023,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1001","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2022\/05\/hero_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=1001"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1001\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/1023"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=1001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=1001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=1001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Illustration](\"\/media\/4238\/image-1.jpeg?width=450&&mode=max\")
\n
Compliance with GDPR after Brexit<\/h2>\n\n\n\n
Reminder: what is the GDPR?<\/h2>\n\n\n\n
GDPR after Brexit in the UK<\/h2>\n\n\n\n
![\"Illustation](\"\/media\/4241\/image-2.jpeg?width=450&&mode=max\")
Brexit, GDPR and the DPPEC regulations<\/h3>\n\n\n\n
\n
![\"Illustration](\"\/media\/4239\/image-3.jpeg?width=450&&mode=max\")
\n
The amended Data Protection Act 2018<\/h3>\n\n\n\n
Brexit and GDPR in short<\/h3>\n\n\n\n
\n
![\"Illustrated](\"\/media\/4240\/image-4.jpeg?width=450&&mode=max\")
GDPR, Brexit and your website<\/h2>\n\n\n\n