After Brexit, as the UK\u2019s withdrawal from the EU is commonly known, the UK passed the United Kingdom General Data Protection Regulation (UK-GDPR)<\/a> to protect the personal data of its citizens and residents. The new UK-GDPR took effect on January 1, 2021 so that there was no gap between the EU GDPR and UK-GDPR. Alongside the Data Protection Act of 2018 (DPA)<\/a> and the Privacy and Electronic Communications (EC Directive) Regulations 2003<\/a>, it governs the processing of personal data belonging to individuals located in the UK.<\/p>\n\n\n\n Since Brexit and the passing of the UK-GDPR, the EU GDPR no longer applies in the UK, as it applies only to the processing of personal data of individuals located in the EU and EEA.<\/p>\n\n\n\n We look at the key provisions of the UK-GDPR, including its scope, main principles, and key obligations related to consent, data processing, and data subject rights.<\/p>\n\n\n\n The UK-GDPR is the UK's data protection regulation that governs the processing of personal data belonging to individuals located in the UK, including both citizens and residents. They are known as \u201cdata subjects\u201d under the UK-GDPR, identified or identifiable natural persons. The UK-GDPR protects the personal data of individuals only, and not other legal entities.<\/p>\n\n\n\n \u201cPersonal data\u201d under the UK-GDPR means \u201cany information relating to an identified or identifiable natural person\u201d <\/em>who can be directly or indirectly identified using it. <\/em>Examples of personal data include:<\/p>\n\n\n\n Processing includes both automatic and manual \"collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction\"<\/em> of personal data.<\/p>\n\n\n\n The UK-GDPR is almost word for word identical to the EU GDPR, which was adapted after Brexit to suit UK-specific requirements. It provides the main principles, rights, and obligations for data protection in the UK.<\/p>\n\n\n\n Under Art. 3 UK-GDPR<\/a>, the regulation applies to the following:<\/p>\n\n\n\n The UK-GDPR thus has extraterritorial scope and applies to entities located outside the UK if the regulation's requirements are met.<\/p>\n\n\n\n A person or entity that processes personal data may be either a data controller or data processor under the UK-GDPR. A data controller is a \u201cnatural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.\u201d <\/em>When two or more data controllers jointly determine the purposes and means of processing personal data, they are known as \u201cjoint controllers\u201d under the regulation.<\/p>\n\n\n\n A data processor is a \u201cnatural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.\u201d<\/em>If any one of these circumstances applies to you, the UK-GDPR applies to you and you must comply with its requirements.<\/p>\n\n\n\n Art. 2 UK-GDPR<\/a> specifies that the regulation does not apply to the processing of personal data:\u00a0<\/p>\n\n\n\n The processing of personal data for law enforcement and intelligence services purposes is governed by the DPA, which supplements the UK-GDPR. The DPA expands the scope of data protection in the UK to include national security and intelligence services, which are outside the scope of the EU GDPR as it doesn\u2019t have jurisdiction over national security within member states.<\/p>\n\n\n\n Schedule 2<\/a> of the DPA also contains exemptions to some provisions of the UK GDPR for the processing of personal data for certain purposes. These exemptions include, among others:<\/p>\n\n\n\n The UK-GDPR sets out seven key principles (Art. 5 UK-GDPR<\/a>) that you must uphold when processing your users\u2019 personal data.<\/p>\n\n\n\n Art. 6 UK-GDPR<\/a> provides six legal bases for processing personal data under the UK-GDPR. One of these must apply and be provable for the data processing to be lawful:<\/p>\n\n\n\n Legitimate interest is not a legal basis for processing carried out by public authorities performing their tasks. The Interactive Advertising Bureau\u2019s Transparency and Consent Framework v2.2 (IAB TCF v2.2)<\/a> has also removed legitimate interest as a basis for data processing related to advertising and content personalization. Under the IAB TCF v2.2, explicit consent is the only acceptable legal basis for processing personal data for these purposes.<\/p>\n\n\n\n Consent under the regulation means \u201cany freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.\u201d<\/em><\/p>\n\n\n\n Recital 32<\/a> explains consent under the UK-GDPR further. Although the recital is not legally binding, it provides important context to help understand the law and what does, and does not, constitute legally valid consent.<\/p>\n\n\n\n It may be via a written statement, including by electronic means, or an oral statement. It may include checking a box on a website or choosing technical settings on an electronic service that the user requests, such as an ecommerce store, streaming service, social media platform, or digital marketplace. Silence, pre-checked boxes and inactivity are not considered valid consent. When there are multiple purposes for processing, the user must give explicit consent for all of them, or if they make granular consent selections only for some of them, processing may only proceed for those selected.<\/p>\n\n\n\n The UK-GDPR gives users the right to withdraw consent at any time once it has been given (Art. 7 UK-GDPR<\/a>). The method for withdrawing consent should be as easy as the method for giving it.<\/p>\n\n\n\n When it comes to processing the personal data of a child under the age of 13 years, you must obtain consent from the parent or legal guardian for it to be legally valid (Art. 8 UK-GDPR<\/a>).<\/p>\n\n\n\n If you collect personal data from users online, such as from your website or app, the UK-GDPR requires you to obtain explicit consent from users before processing their personal data via cookies and other website tracking<\/a> technologies. Websites often display cookie banners<\/a> requesting this consent or cookie walls<\/a> that at times deny access without consent. These cookie banners serve as the initial point of contact between the website and its visitors, informing users about data collection practices and setting the stage for compliance with the UK GDPR.<\/p>\n\n\n\n The transparency of these banners varies widely, with some sites clearly explaining user rights and options while others fall short. Many sites allow users to customize their consent choices, specifying which types of data they are comfortable sharing. However, a significant number of these cookie banners still do not meet UK-GDPR compliance standards, meaning they don't fully adhere to legal requirements for user consent and data protection. Cookie walls that block site access unless consent is given are prohibited under many global data privacy regulations, and are not recommended.<\/p>\n\n\n\n To be UK-GDPR compliant, your cookie banner should:<\/p>\n\n\n\n Implementing robust cookie consent<\/a> practices that prioritize transparency, user control, and clear communication can help you achieve compliance with the UK-GDPR\u2019s consent requirements.<\/p>\n\n\n Data subjects have eight rights under the regulation (Chapter 3 UK-GDPR<\/a>). These are the same as the rights under the EU GDPR.<\/p>\n\n\n\n Controllers are responsible for compliance with all the obligations laid out by the UK-GDPR. This includes not only their own compliance but also ensuring that any processors they work with adhere to the regulation.<\/p>\n\n\n\n A vital obligation for controllers is informing data subjects about your data processing activities (Arts. 13<\/a> and 14<\/a> UK-GDPR). The UK-GDPR requires you to inform them of:<\/p>\n\n\n\n This information is commonly provided in a privacy policy<\/a> or privacy notice. If you collect data through the website cookies and other tracking technologies, you should include a cookie policy<\/a> that details the use of cookies, including the types of cookies, their purposes, what personal data they collect, who has access to the personal data collected, how long the cookies will stay on users\u2019 browsers for, and how users can set or change their cookie preferences. A cookie policy can be a separate policy or part of the privacy policy.<\/p>\n\n\n\n Your privacy policy must be written in clear, plain language, without using legal jargon, so that anyone can understand it without legal or technical knowledge. It must be clearly accessible for users to find and is commonly shared through a link in a website\u2019s footer and on the cookie banner.<\/p>\n\n\n You must use appropriate technical and organizational measures to comply with the regulation, and be able to show you have complied (Art. 24 UK-GDPR<\/a>). Examples of appropriate measures include, among other actions:<\/p>\n\n\n\n If you are not an entity registered in the UK, you may be required to appoint a designated representative in the country (Art. 27 UK-GDPR<\/a>), whether you are a controller or processor. However, you remain liable for violations of the UK-GDPR, even after appointment of a representative. The provisions of Art. 27 don\u2019t apply to a public authority or body or when data processing happens occasionally and doesn\u2019t include large-scale processing of:<\/p>\n\n\n\n The UK-GDPR requires both controllers and processors to appoint a Data Protection Officer (DPO) in specific cases (Art. 37 UK-GDPR<\/a>), including:<\/p>\n\n\n\n Controllers and processors both must maintain records of processing activities containing information about, among other things (Art. 30 UK-GDPR<\/a>):<\/p>\n\n\n\n These records demonstrate your compliance with the UK-GDPR and must be made available to supervisory authorities upon request.<\/p>\n\n\n\n If you appoint a third-party processor to process personal data on your behalf, you must enter into a written contract with the processor that is binding on them (Art. 28 UK-GDPR<\/a>). This contract or Data Processing Agreement (DPA) must set out:<\/p>\n\n\n\n Processors cannot process personal data without instructions from the controller (Art. 29 UK-GDPR<\/a>). They must also assist in complying with the regulation, including deleting personal data, ensuring confidentiality of the data, and implementing appropriate security measures.<\/p>\n\n\n\n In the event of a data breach, you must notify the Commissioner without undue delay and not later than 72 hours after you become aware of it (Art. 33 UK-GDPR<\/a>). If there is a further delay, you must inform the Commissioner why there has been a delay. In case the breach may result in a high risk to the rights and freedoms of natural persons, you must also communicate the breach to the affected data subjects without delay (Art. 34 UK-GDPR<\/a>).<\/p>\n\n\n\n The UK-GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) in situations where processing is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies (Art. 35 UK-GDPR<\/a>). The DPIA must be conducted before the processing takes place, and you must consult your DPO when carrying it out.<\/p>\n\n\n\n Chapter 5 UK-GDPR<\/a> addresses the transfer of personal data from the UK to third countries or international organizations, whether during processing or after it has been processed.<\/p>\n\n\n\n Transferring personal data outside of the UK needs additional measures to ensure its protection. These measures often include a specific adequacy agreement, which verifies that the destination country or organization provides an adequate level of data protection comparable to that provided under the UK-GDPR (Art. 45 UK-GDPR<\/a>). It allows for the free flow of personal data from the UK to the designated country without requiring additional safeguards. The UK has two adequacy agreements currently in place, with the European Economic Area (EEA) and South Korea<\/a>.<\/p>\n\n\n\n When assessing whether the level of protection of the third country or international organization is adequate, the considerations include:<\/p>\n\n\n\n You may transfer personal data outside the UK in the absence of an adequacy agreement, but only if you have provided appropriate safeguards and can ensure data subject rights and legal remedies are available (Art. 46 UK-GDPR<\/a>).<\/p>\n\n\n\n Data transfers can be done to a third country or international organization when there\u2019s no adequacy agreement or appropriate safeguards in place only if one of the following conditions is fulfilled (Art. 49 UK-GDPR<\/a>):<\/p>\n\n\n\n Art. 83 UK-GDPR<\/a> outlines two levels of penalties for violations of the UK-GDPR.<\/p>\n\n\n\n Infringement of the following provisions are subject to fines up to GBP 8.7 million, or up to 2 percent of the total worldwide annual turnover for the preceding financial year, whichever is higher:<\/p>\n\n\n\n Infringements of the following provisions are subject to fines up to GBP 17.5 million, or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher:<\/p>\n\n\n\n The Commissioner, who heads the Information Commissioner's Office (ICO), is responsible for enforcement of the UK-GDPR (Art. 57 UK-GDPR<\/a>). The ICO is the UK's independent authority set up to uphold information rights in the public interest.<\/p>\n\n\n\n The Commissioner has various powers under the UK-GDPR, including (Art. 58<\/a>):<\/p>\n\n\n\n The UK data protection law provides data subjects with multiple remedies if their rights have been violated.<\/p>\n\n\n\n Under Art. 77 UK-GDPR<\/a>, data subjects have the right to lodge a complaint with the Commissioner, who shall inform them of the progress and outcome of the complaint. Art. 78 UK-GDPR<\/a> provides the right to an an effective judicial remedy in the following cases:\u00a0<\/p>\n\n\n\n Art. 79 UK-GDPR<\/a> gives data subjects a private right of action against controllers and processors where they believe their rights have been infringed as a result of processing of their personal data in violation of the UK-GDPR. Lodging a complaint with the Commissioner does not prevent them from also exercising a private right of action.<\/p>\n\n\n\n Any person who has suffered \u201dmaterial or non-material damage\u201d as a result of a violation by the controller or processor has the right to receive compensation from the violating party for the damage suffered (Art. 82 UK-GDPR<\/a>). The controller or processor are not liable if they can prove they are not responsible for the event that caused the damage.<\/p>\n\n\n\n If you\u2019re a data controller or processor under the UK-GDPR, you can take steps to comply with its requirements.<\/p>\n\n\n\n To satisfy regulatory requirements, you must know which cookies your website uses and list them accurately on your cookie consent banner. Tools like Cookiebot CMP can scan your website to detect all cookies and other trackers and generate a detailed audit report to help you meet this requirement. By understanding and clearly listing these cookies, you can provide transparency to your users and adhere to legal standards.<\/p>\n\n\nWhat is the UK-GDPR?<\/h2>\n\n\n\n
\n
Who does the UK-GDPR apply to?<\/h2>\n\n\n\n
\n
\n
![\"\"](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/06\/cb_blog_body_770x513_brexit_gdpr_202406_1.svg\")
<\/figure>\n\n\n\nExemptions from the UK-GDPR<\/h3>\n\n\n\n
\n
\n
What are the principles of the UK-GDPR?<\/h2>\n\n\n\n
\n
![\"\"](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/06\/cb_blog_body_770x513_brexit_gdpr_202406_2.svg\")
<\/figure>\n\n\n\nWhat are the legal bases for processing data under the UK-GDPR?<\/h2>\n\n\n\n
\n
What is considered UK-GDPR compliant consent?<\/h2>\n\n\n\n
Cookies and the UK-GDPR compliance<\/h3>\n\n\n\n
\n
\n Obtain valid consent with the help of a UK-GDPR compliant cookie banner. Sign up for your free Cookiebot CMP trial. <\/h2>\n
What are the rights of data subjects under the UK-GDPR?<\/h2>\n\n\n\n
\n
What are the obligations of controllers under the UK-GDPR? An overview of key requirements<\/h2>\n\n\n\n
\n
\n Instantly create your privacy policy with the Cookiebot\u2122 Privacy Policy Generator <\/h2>\n
\n
\n
\n
\n
\n
Data transfers outside the UK under the UK-GDPR<\/h2>\n\n\n\n
\n
\n
![\"\"](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/06\/cb_blog_body_770x513_brexit_gdpr_202406_3.svg\")
<\/figure>\n\n\n\nPenalties under the UK-GDPR<\/h2>\n\n\n\n
\n
\n
Who is responsible for enforcing the UK-GDPR?<\/h2>\n\n\n\n
\n
Remedies for data subjects under the UK-GDPR<\/h2>\n\n\n\n
\n
Steps to achieve UK-GDPR compliance<\/h2>\n\n\n\n
1. Audit your website\u2019s use of cookies<\/h3>\n\n\n\n
\n Scan your website for free to find out which cookies and tracking technologies it uses. <\/h2>\n