What’s the difference between the GDPR and the UK GDPR?

Since Brexit, the UK has had its own version of the GDPR - the UK GDPR. It has been in force since January 2021, accommodates domestic UK law, and requires all bodies and organisations that process the data of UK citizens to comply.


How does the UK GDPR work? 

The EU GDPR and UK GDPR are largely the same: they include the same legal obligations regarding consent for data processing, the same principles and data subject rights, and similar repercussions for breaches of the law. For a full breakdown of these principles, check out our EU GDPR article.

UK GDPR works in conjunction with the Data Protection Act (DPA) 2018. The DPA 2018 was originally the UK's implementation of the EU GDPR, adjusted to accommodate domestic law. Today, the DPA sets out the framework for data protection law in the United Kingdom, and the two operate together: for example, the DPA lists certain exemptions and sets out separate data protection rules for different authorities.

If your organisation only deals with the data of UK citizens, you need to abide by UK GDPR and the Data Protection Act (DPA) 2018. However, if you also handle and process the data of citizens in Europe, you must also abide by the EU GDPR. As a result, how your organisation collects, stores and processes data is particularly important.


How do the GDPR and UK GDPR differ?

There are some differences, particularly when it comes to who enforces rules and makes decisions related to data sharing.

UK GDPR

  1. The age of consent for data processing is 13.

  2. There are exceptions when it comes to data protection relating to immigration, intelligence services, and national security. For example, there can be an exemption from data protection principles when it is required to safeguard national security.

  3. The Secretary of State has special powers over adequacy decisions.

  4. The ICO is the final enforcer, supervisor, and regulator of data protection in the UK.

EU GDPR

  1. The age of consent for data processing is 16.

  2. National security, immigration, and intelligence are outside the scope of GDPR as they are domestic issues.

  3. Adequacy decisions are decided by the EU Commission.

  4. The European Data Protection Board (comprising independent Data Protection Authorities) and the European Commission are responsible for applying data protection laws across the EU.


What does this mean for international companies based in the UK?

Under the EU GDPR, countries outside the EU can only access and process EU data if they fulfil certain requirements. Meeting these requirements signals that the country's data protection system is as robust as the EU's. Countries not subject to the GDPR are considered "third countries".

Data can only be transferred to third countries if certain provisions are in place: 

  • An adequacy decision,

  • Appropriate safeguards (e.g. standard contractual clauses (SCCs), binding corporate rules, or approved codes of conduct), or

  • Any relevant derogations specified in Article 49 of the GDPR.

If SCCs are relevant, companies should also take heed of the Schrems II judgment. In that case the European Court held that, if SCCs are the chosen mechanism, the data exporter must also assess the third country to ensure it provides sufficient protection.

If it is found to be inadequate, the SCCs must be supplemented with additional measures, and if this is not possible, the data transfer must be suspended. 

From the EU's perspective, the UK is now a "third country". In June 2021, however, the UK received an adequacy decision from the EU.

This means that data can freely flow between the UK and EU without additional contractual frameworks. However, this adequacy lasts four years, meaning it will be reviewed again in 2025 by the EU. 

It is important that companies familiarise themselves with both EU and UK GDPR and ensure they are compliant. 

In recent years, there has been an uptick in data protection authorities (DPAs) in the UK and EU enforcing GDPR requirements against organisations for breaches, with some of the largest fines, levied on some of the largest companies, amounting to €405m.


The future of the UK GDPR

This remains unclear, as the UK government has this year proposed scrapping UK GDPR and replacing it with its own data privacy system. The government has argued that the country needs a new system with less "red tape" and "bureaucracy" in order to be more business-friendly. The proposed system aims to help businesses share data more easily while still protecting consumers.

Should UK GDPR be scrapped, there is a risk of the UK's adequacy being revoked when it comes up for renewal if the new regime does not satisfy the European Commission, which in turn could affect cross-border data transfers with EU countries. However, we have yet to see substantive progress on this development and so await any potential changes.

While the future of UK GDPR remains unclear, if you process data in the UK you still need a good knowledge of both UK GDPR and the Data Protection Act 2018, as well as EU GDPR if you process the data of EU data subjects.


If you are sharing or processing video, running video analytics, or using video footage in any other way, redaction is a recommended means of anonymising this visual data so that you avoid GDPR pitfalls while maximising its utility.

Does your video need to comply with EU and UK GDPR?
