The UK’s decision to end its five-decade-long membership of the EU was a landmark event in European history.
Beyond the general political furore that swept across Europe, Brexit had huge implications for companies that do business across the Channel - with the free flow of data a vital component of Anglo-European trade.
However, many marketeers and companies are still confused about the relationship between the UK, GDPR, and data privacy regulations in general.
So, how will Brexit affect GDPR? In the absence of real clarity from the European Union, this article will shed some light on what remains an important issue.
Does GDPR Still Apply in the UK?
The short answer here is no.
Since GDPR is an EU regulation, it stopped applying to the UK after December 31st, 2020.
However, any UK company that offers goods or services to - or monitors the behavior of - EU residents still has to comply with it.
This is because the GDPR is an “extraterritorial” law that is designed to offer data protection for EU residents regardless of where their personal information is transferred globally.
So, What’s Changed for UK Companies?
By leaving the EU in January 2021, the UK became a “third country” - to use GDPR terminology.
Practically, this means that it has to prove that its laws meet European data protection standards in order for the personal data of EU residents to be transferred to the UK without adopting additional safety measures.
Thankfully, it was able to do so, with an “adequacy decision” by the European Commission on June 28th, 2021, allowing for cross-channel data transfers to continue flowing freely to the UK.
The other countries that have been fully awarded this designation are Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, and South Korea - so it’s a fairly exclusive club at present.
What this means is that, by meeting domestic data privacy requirements, UK companies are also complying with GDPR and don’t have to do much differently when they’re receiving personal data from the EU - beyond the points outlined below.
How Can UK Companies Comply with GDPR?
UK companies that do business with EU residents or monitor their behavior will need to take the following steps to fully meet GDPR requirements:
- Appoint a representative that is based in the EU
- Identify their lead supervisory authority in the EU
- Update policies, procedures, and documentation
In the future, companies may also need to update their contracts dealing with EU-UK data transfers, though the UK’s “adequacy agreement” with the EU means that this is not necessary at the moment.
Enough has been written about GDPR already to not go through these steps in detail, but you’re welcome to visit our GDPR Information Hub if you’re looking for comprehensive information.
Has the UK Introduced a Replacement to GDPR?
At present, no, but it does have its own UK-GDPR.
This can’t be considered a complete replacement for GDPR since it’s a temporary measure that is only expected to last up until June 2025.
What is the Difference Between UK-GDPR and EU-GDPR?
UK policymakers effectively fused the country’s Data Protection Act 2018 with GDPR, creating what is known as the UK-GDPR. This came into force the moment that the UK left the EU in January 2021.
The law applies to:
- UK companies that collect, store, or process the personal data of UK residents
- Non-UK companies that offer goods or services to UK residents, or monitor their behavior
The UK-GDPR is nearly identical to the EU law - unsurprisingly given that the UK had a lead role in creating the European legislation.
However, there are a small number of important differences between the two:
- The Information Commissioner (ICO) is now responsible for data protection regulation and enforcement in the UK, rather than the European Data Protection Board
- UK-GDPR allows for automated decision making when companies can show a legitimate justification - unlike the EU-GDPR, which allows data subjects to refuse such action
- UK-GDPR allows companies to ignore the access rights of data subjects if this restricts a legitimate need to process personal data for scientific, statistical, historical, or archiving purposes - something that is not allowed under the EU-GDPR
- Under UK-GDPR, the age of consent for data protection is 13, compared to 16 under GDPR
- UK-GDPR does not require official authorization for the processing of criminal data, unlike EU-GDPR requirements
- UK-GDPR has increased the maximum fine to £17.5 million, while the EU-GDPR can issue a maximum penalty of either €20 million (approximately £16.6 million) or 4% of a company’s annual global revenue - whichever is higher
What Other Data Laws Should UK Companies Consider?
Beyond the UK-GDPR and EU-GDPR, there are other components of the UK’s data protection framework that companies need to respect:
- Privacy and Electronic Communications Regulations (PECR) - a UK law adapted from the EU’s e-Privacy Directive
- Electronic Identification and Trust Services (UK eIDAS) - the EU eIDAS regulation as retained and adapted by the UK for domestic use
- Network and Information Systems Regulations (NIS) - EU legislation that has been incorporated into UK law
- Environmental Information Regulations (EIR) - a UK law adapted from EU legislation that continues to apply
- Freedom of Information Act 2000 (FOIA) - a UK law that continues to apply
Will UK Data Protection Laws Change Further?
This does look increasingly likely.
In September 2021, the UK government published a consultation outlining potential revisions to the country’s data protection framework.
In effect, this would weaken data protection laws so that the UK can enter into agreements with non-EU countries like Australia, South Korea, and the US.
This is part of the country’s broader strategy to focus more trade away from Europe after Brexit - something with obvious implications on data transfers across the Channel.
One potential consequence of this is that the European Council could rescind its “adequacy agreement” for data transfers.
If this were to happen, UK companies would have to sign Standard Contractual Clauses (SCCs) - arrangements that ensure they will handle data in accordance with GDPR requirements.
However, nothing has been formalized yet - so, that’s a blog for another day.
Still Uncertain About GDPR Compliance?
Given that the UK’s Brexit Referendum took place two years before GDPR came into force, the European Union certainly had enough time to incorporate this event into its official guidance.
That they didn’t is unsurprising given the ambiguity of the law as a whole - something that has given marketers around the world many a sleepless night.
However, new laws often have teething problems, and lawmakers today have a far better understanding of the practicalities of data privacy laws.
But if you’re looking for more information about GDPR compliance, we have created a useful and free Checklist that runs through all the steps a company needs to take to meet Europe’s data privacy requirements.