{"id":745,"date":"2022-01-17T09:58:00","date_gmt":"2022-01-17T09:58:00","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=745"},"modified":"2026-03-12T09:14:41","modified_gmt":"2026-03-12T08:14:41","slug":"gdpr-in-the-uk-2021-uk-adequacy-decision-update","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/gdpr-in-the-uk-2021-uk-adequacy-decision-update\/","title":{"rendered":"UK GDPR after Brexit"},"content":{"rendered":"\n

GDPR UK adequacy update 2021<\/h2>\n\n\n\n

Since the UK has left the EU, the question of personal data transfers has been top of the list for many websites, companies, and privacy organizations in both blocs.<\/p>\n\n\n\n

In the agreement signed by the UK and EU in end of December 2020, a provision allowed for the continued, unrestricted flow of data<\/a> between the two blocs for an interim period of six months<\/strong> (until June 2021).<\/p>\n\n\n\n

On June 28, 2021, the European Commission adopted an adequacy decision for the UK<\/a>, ensuring the continued free flow of personal data between the two blocs for the next four years.<\/p>\n\n\n\n

Under the EU\u2019s GDPR, adequacy decisions can be adopted by the EU if it deems that a third country (i.e. a country outside of the European Union) has an equivalent level of data protection. If so, personal data from EU residents can be transferred to the country freely (still requiring end-user consent, as always of course).<\/p>\n\n\n\n

Since the UK left the EU under Brexit, the UK is not covered by the GDPR anymore, and adequacy talks have been a point of importance to ensure continued flow for websites, companies, and organizations in both blocs.<\/p>\n\n\n\n

Particular to the UK adequacy decision from June 2021<\/a> is a so-called \u201csunset clause\u201d that strictly limits the free flow of data to a 4-year period from the effective date, after which the adequacy status of UK will not automatically be renewed. If the EU chooses to renew the agreements, a new adoption process will start.<\/p>\n\n\n\n

The UK already has in place a new domestic data privacy law called UK-GDPR that is exactly the same as the EU version and is supported by the UK\u2019s Data Protection Act of 2018.<\/p>\n\n\n\n

Compliance with the UK-GDPR and EU\u2019s GDPR remains an obligation for any website, company or organization who process personal data form either inside the UK or EU: the explicit consent of users must be obtained<\/strong> before any processing or transfer is allowed to take place.<\/p>\n\n\n\n

See the UK adequacy decision from June 2021<\/a><\/p>\n\n\n\n

See the ICO\u2019s consultation on data transfers to and from the U.K. from August 2021<\/a><\/p>\n\n\n\n

Learn more about GDPR and end-user consent<\/a><\/p>\n\n\n\n

GDPR compliance after Brexit in 2021<\/h2>\n\n\n\n

Cookiebot CMP for UK compliance<\/h3>\n\n\n\n

Being compliant with the EU GDPR, the new UK-GDPR and the supporting data protection legislations such as the Data Protection Act 2018 might seem a tad confusing, what with all the other messy stuff that comes with Brexit.<\/p>\n\n\n\n

Cookiebot CMP<\/a> by Usercentrics<\/a> is the world-leading GDPR compliance solution for websites of all shapes and sizes.<\/p>\n\n\n\n

Built around a powerful scanner that detects all cookies, trackers and trojan horses, our solution gives your users automatic control of their personal data, in full compliance with the requirements of both the EU and UK data privacy regime.<\/p>\n\n\n\n

Cookies are one of the most common ways<\/a> that websites process personal data, so it\u2019s super important in terms of data law compliance to both know what cookies are active on your website and to enable your end-users with a choice of prior consent as to which cookies they want active, when visiting your domain.<\/p>\n\n\n\n

By simulating visitors on your website \u2013 scrolling, clicking, exhausting all possible uses of your domain \u2013 our solution detects trackers present, both first party (your own website\u2019s) and third party (usually marketing cookies from ad tech companies that are privacy invasive).<\/p>\n\n\n\n

With highly customizable consent banner and automated geo-targeting, we take the hard part out of being compliant with the world\u2019s major data privacy laws.<\/p>\n\n\n\n

Cookiebot CMP <\/a>offers plug-and-play compliance with the EU\u2019s GDPR<\/a>, UK\u2019s GDPR<\/a>, California\u2019s CCPA\/CPRA<\/a>, Brazil\u2019s LGPD<\/a>, South Africa\u2019s POPIA<\/a>, Singapore\u2019s PDPA <\/a>and more.<\/p>\n\n\n\n

Learn more about the GDPR and consent<\/a><\/p>\n\n\n\n

What is GDPR?<\/h2>\n\n\n\n

The General Data Protection Regulation (GDPR) <\/a>is an EU law that took effect in May 2018 and is uniformly binding in all 27 EU nations. It controls how companies and organizations are allowed to handle personal data<\/strong>.<\/p>\n\n\n\n

Personal data<\/strong> is defined in the GDPR as anything that can be directly or indirectly identified to a natural person, such as names, physical addresses, IP addresses, location data, and information about physical, mental, economic, cultural or social facts.<\/p>\n\n\n\n

Sensitive personal data<\/strong>, however, is defined by the GDPR as data about religious convictions, political opinions and\/or sexual orientation.<\/p>\n\n\n\n

\"Flag
The GDPR protects the personal data of individuals inside the EU.<\/figcaption><\/figure>\n\n\n\n

The GDPR clarifies in total eight rights<\/strong> for individuals, including the right to request access to one\u2019s data (a so-called Subject Access Request or SAR), as well as to request their personal data deleted.<\/p>\n\n\n\n

However, the most important right that the GDPR empowers EU citizens with is the right to not have their data (personal or sensitive) collected and processed without prior consent<\/strong>.<\/p>\n\n\n\n

Here, the GDPR requires websites to -<\/p>\n\n\n\n

    \n
  1. obtain clear and unambiguous consent<\/strong> from its users,<\/li>\n\n\n\n
  2. prior<\/strong> to any processing of personal data,<\/li>\n\n\n\n
  3. after specifying all types of cookies<\/strong> and other tracking technology present and operating on its pages,<\/li>\n\n\n\n
  4. in easy-to-understand ways that enable users to consent<\/strong> and to revoke consent<\/strong> on each specific category of cookies,<\/li>\n\n\n\n
  5. to then be able to safely and confidentially document<\/strong> each user consent,<\/li>\n\n\n\n
  6. and to ask for renewed consent regularly<\/strong>, e.g. every six months.<\/li>\n<\/ol>\n\n\n\n

    This is the backbone of GDPR compliance.<\/p>\n\n\n\n

    In doubt whether your website is GDPR compliant? Test with Cookiebot's free compliance test<\/a>.<\/p>\n\n\n\n

    GDPR in the UK after Brexit 2021<\/h3>\n\n\n\n

    The United Kingdom has been regulated by the European GDPR since it took effect in May 2018.<\/p>\n\n\n\n

    Upon leaving the EU on January 1, 2021, the UK is officially not a part of the EU\u2019s GDPR any longer, i.e. the EU\u2019s GDPR does not have any domestic jurisdiction in the UK as it had from May 2018.<\/p>\n\n\n\n

    The UK has passed its own version called the UK-GDPR, which alongside the Data Protection Act of 2018, is in effect now.<\/p>\n\n\n\n

    The new UK-GDPR is essentially the same as its European predecessor, only revised so as to cover areas of the domestic law that are not touched upon by the EU regulation. These include among others national security, the intelligence services and immigration.<\/p>\n\n\n\n

    Learn more about the UK-GDPR<\/a><\/p>\n\n\n\n

    Learn more about the Data Protection Act 2018<\/a><\/p>\n\n\n\n

    See IAPP's comprehensive Brexit privacy checklist<\/a><\/p>\n\n\n\n

    GDPR and the UK's other data laws<\/h2>\n\n\n\n

    The Information Commissioners\u2019 Office<\/a> has several data laws to enforce in the UK.<\/p>\n\n\n\n

    After Brexit on January 1, 2021<\/strong>, the following data laws has taken effect in the UK:<\/p>\n\n\n\n