UK GDPR - United Kingdom’s Data Protection Law After Brexit

UK GDPR is the comprehensive data protection regulation in the United Kingdom. It is the UK’s version of the General Data Protection Regulation. Read this blog post to learn more about UK GDPR and how to comply with it.

After Brexit, the EU’s General Data Protection Regulation no longer forms part of UK domestic law. To avoid a gap in protection, the UK government retained the text of the EU GDPR in domestic law and amended it to work in a UK context, producing the UK GDPR, which is essentially identical to the EU GDPR in substance. The aim is to keep data protection standards and individual rights in the UK equivalent to those under the EU GDPR. (The EU GDPR can still apply to UK organizations that offer goods or services to, or monitor, individuals in the EU; see the FAQ below.)

This article will provide you with an overview of the UK GDPR, its principles, rights, and obligations, and how to comply with it.

Let’s dive in.

What Is UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is the principal data protection regulation in the United Kingdom. It governs the processing of personal data of individuals in the UK and closely mirrors the EU GDPR, implementing equivalent data protection standards in the UK.

The UK GDPR is the EU GDPR as retained in UK law and amended to operate in a domestic context. It sits alongside the Data Protection Act 2018 (DPA 2018), which supplements it with UK-specific provisions and exemptions; together they form the UK’s data protection regime. The UK GDPR took effect on 01 January 2021, at the end of the Brexit transition period. Its text is largely word for word the same as the EU GDPR, with the same rights for data subjects, the same key principles, and the same obligations for businesses handling individuals’ personal data.

What Are the Scope and Limitations of the UK GDPR?

Scope of the Regulation

The UK GDPR applies to any organization established in the UK that processes personal data in the context of that establishment’s activities, regardless of whether the processing itself takes place in the UK. The test is establishment and location, not citizenship: the regulation does not hinge on the data subjects being UK citizens.

It also reaches organizations outside the UK when their processing relates to offering goods or services to individuals in the UK (whether or not payment is required) or to monitoring the behavior of individuals, as far as that behavior takes place within the UK.

Limitations of the Regulation

The UK GDPR does not apply in the following cases:

  • Processing done by an individual in the course of a purely personal or household activity
  • Processing done by a competent authority for law enforcement purposes, which is governed instead by Part 3 of the Data Protection Act 2018
  • Processing by the intelligence services, which is governed by Part 4 of the Data Protection Act 2018

Key Definitions Under UK GDPR

  • Personal data: Personal data refers to any information relating to an identified or identifiable individual, that is, anyone who can be identified directly or indirectly from the information, on its own or combined with other data.
  • Processing: Processing refers to any operation or set of operations carried out on personal data, whether or not by automated means. It includes collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, disclosing, and erasing personal data.
  • Profiling: Profiling refers to automated processing of personal data to evaluate, analyze, or predict aspects of an individual’s personal life, such as work performance, economic situation, health, personal preferences, behavior, location, or movements.
  • Controller: A controller is any person, public authority, agency, or organization that determines the purposes and means of processing personal data.
  • Processor: A processor is any person, public authority, agency, or organization that processes personal data on behalf of the controller.
  • Consent: Consent refers to any freely given, specific, informed, and unambiguous indication of a data subject’s agreement to the processing of their personal data, given by a statement or a clear affirmative action.

What Are the Rights of Data Subjects Under UK GDPR?

Similar to the EU GDPR, the UK GDPR also grants eight rights to data subjects to protect their personal data shared with businesses.

Below are the rights of data subjects under UK GDPR:

1. Right to Be Informed

Data subjects have the right to be informed about the processing of their personal data. Organizations collecting personal data must tell individuals what data they collect, why it is collected and on what lawful basis, how long it will be retained, and who it is shared with. They should also give the contact details of the controller and of the data protection officer, if one has been appointed.

Organizations should inform users of their rights and how to exercise those rights or raise queries regarding their privacy rights.

2. Right to Access

Data subjects have the right to request a copy of the personal data a business holds about them (a subject access request). The controller should respond without undue delay and normally within one month, free of charge, and, where the request was made electronically, provide the copy in a commonly used electronic format unless the data subject asks otherwise.

3. Right to Rectification

Data subjects have the right to request the rectification of inaccurate personal data about them, and to have incomplete data completed. Upon receiving the request, the data controller should correct the data without undue delay.

4. Right to Erasure (Right to Be Forgotten)

Data subjects have the right to request the erasure of their personal data held by businesses. A data controller must delete the personal data of a data subject in the following circumstances:

  • When the personal data is no longer needed for the purpose for which it was originally collected
  • If the data subject withdraws consent for processing their personal data, and there is no other lawful basis for the processing
  • When the data subject objects to the processing and there are no overriding legitimate grounds for continuing it (or objects to processing for direct marketing)
  • If the personal data has been processed unlawfully
  • When erasure is required to comply with a legal obligation
  • If the personal data was collected from a child in relation to the offer of information society services

5. Right to Restriction of Processing

Data subjects have the right to restrict the processing of their personal data shared with businesses. Below are the circumstances in which a data subject can restrict the processing of their personal data:

  • If the data subject contests the accuracy of the personal data, allowing the controller time to verify its accuracy.
  • If the processing is unlawful, and the data subject requests restriction of processing instead of erasure.
  • If the controller no longer needs the personal data for processing purposes but the data subject requires it for legal claims.
  • When the data subject has objected to processing, pending verification, whether the controller’s legitimate grounds override those of the data subject.

6. Right to Data Portability

Data subjects have the right to receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format, and to have it transmitted directly to another controller where technically feasible. This right applies only where the processing is based on consent or on a contract and is carried out by automated means.

7. Right to Object

Data subjects have the right to object to the processing of their personal data in certain circumstances, for example where the processing is based on legitimate interests or on a public task, and always where the data is used for direct marketing. For direct marketing the objection is absolute: the controller must stop as soon as it receives the objection. In other cases, the controller must stop unless it can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or the processing is needed for legal claims.

8. Rights in Relation to Automated Decision-Making and Profiling

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (for example, the automated refusal of an online credit application).

This right does not apply if the automated decision is

  • necessary for entering into, or performing, a contract between the data subject and the controller
  • authorized by a law that applies to the controller and that lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests
  • based on the data subject’s explicit consent

In the first and third cases the controller must still provide suitable safeguards, at a minimum the right to obtain human intervention, to express a point of view, and to contest the decision.

What Are the Principles of UK GDPR?

Here are the seven major principles of UK GDPR:

  1. Lawfulness, fairness, and transparency: The data controller should collect or process the personal data of data subjects in a lawful, fair, and transparent manner.
  2. Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes and not further processed for purposes other than the original ones.
  3. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purpose for which it is processed; collect only the minimum required.
  4. Accuracy: Personal data collected must be accurate and up-to-date. Any inaccurate information should be either removed or rectified without delay.
  5. Storage limitation: Personal data should not be stored for longer than is necessary for the purpose for which it was collected.
  6. Integrity and confidentiality: Organizations must use appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability: Organizations are responsible for complying with the other principles and must be able to demonstrate that compliance, for example through documented policies, records of processing, and impact assessments.

How to Comply with UK GDPR for Businesses?

Here are some general guidelines for businesses to comply with the UK GDPR:

  • Understand the principles and obligations of the regulation and the rights of data subjects.
  • Do a complete audit of your data collection points (data mapping) to identify what personal data you collect, where it comes from, where it is stored, and why you process it.
  • Identify and document a lawful basis for each processing activity. Consent is only one of six lawful bases (the others are contract, legal obligation, vital interests, public task, and legitimate interests); pick the one that genuinely fits rather than defaulting to consent.
  • Only collect the minimum amount of data required for the purpose it is intended.
  • Inform users about the data collection: what data is collected, its purpose and lawful basis, the retention period, and who it is shared with.
  • Where you rely on consent, make sure it is freely given, specific, informed, and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Pre-ticked boxes and consent bundled into terms and conditions do not count.
  • Keep your privacy policy and cookie policy up-to-date.
  • Use a consent management platform to obtain and record consent for cookies.
  • Keep the personal data accurate and up-to-date.
  • Allow users to opt out of data collection and withdraw consent at any time.
  • Implement privacy by design and by default (PbD): make privacy the default setting for your products and services.
  • When offering online services directly to children, obtain consent from a parent or legal guardian for children under 13 (the UK age threshold), and make reasonable efforts to verify it.
  • For special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation), identify a separate Article 9 condition in addition to your lawful basis; explicit consent is one such condition.
  • When using third-party processors, put a written contract in place that meets the Article 28 requirements, and satisfy yourself that they have appropriate security measures.
  • When transferring personal data outside the UK, rely on UK adequacy regulations for the destination country or on appropriate safeguards such as the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
  • Implement appropriate technical and organizational security measures, such as encryption, access controls, pseudonymization, and regular testing, to protect personal data from unauthorized access and data breaches.
  • Carry out a Data Protection Impact Assessment (DPIA) before starting any processing likely to result in a high risk to individuals, and do regular risk assessments generally.
  • Keep records of your processing activities (Article 30) and evidence of your compliance measures, and appoint a data protection officer where the regulation requires one.
  • Regularly review and update your data collection practices and take appropriate measures to comply with the latest updates in the regulations.
  • Develop a proactive breach response plan. Report a personal data breach to the ICO within 72 hours of becoming aware of it where it is likely to result in a risk to individuals, and inform the affected individuals without undue delay where the risk to them is high.

Frequently Asked Questions

When Did the UK GDPR Come Into Effect?

The United Kingdom’s General Data Protection Regulation came into effect on 01 January 2021.

What Are the Fines and Penalties for Non-compliance With UK GDPR?

The UK GDPR imposes heavy fines for non-compliance, enforced by the Information Commissioner’s Office (ICO). There are two tiers: up to £8.7 million or 2% of total annual global turnover (whichever is higher) for breaches such as failing to keep records or report a breach, and up to £17.5 million or 4% of total annual global turnover (whichever is higher) for breaches of the core principles, data subjects’ rights, or the international transfer rules.

Is the EU GDPR Applicable in the UK?

The EU GDPR is no longer part of UK domestic law, but it can still apply to UK businesses. Like the UK GDPR, it has extraterritorial reach: it applies to organizations with an establishment in the EU/EEA, and to organizations outside the EU/EEA that offer goods or services to individuals in the EU/EEA or monitor their behavior there. It does not apply to every country globally, and its test is the location of the individuals, not their citizenship.

So, a UK business that offers products or services to, or monitors, individuals in the EU/EEA needs to comply with both the UK GDPR and the EU GDPR, and may also need to appoint a representative in the EU.

Do I Need to Obtain Consent for Using Cookies?

Yes, for most cookies. In the UK the rules on cookies come from the Privacy and Electronic Communications Regulations 2003 (PECR), which use the UK GDPR standard of consent. You must obtain prior consent before setting any cookies or similar technologies that are not strictly necessary for a service the user has requested, such as analytics, advertising, and other tracking cookies. Strictly necessary cookies, for example a session cookie that keeps a user logged in or a shopping basket working, are exempt. Consider using a consent management platform to manage and record cookie consent on your website.

Check out our GDPR Cookie Consent plugin, a native CMP for WordPress websites. 

Conclusion

After the UK’s exit from the European Union, the EU GDPR no longer forms part of UK domestic law, so the UK Government introduced the UK GDPR. It carries the same principles, rights, and obligations as the EU GDPR and protects the privacy rights of individuals within the UK.

This article was intended to help you understand about UK GDPR and how to comply with it for your business. If you find this helpful, please let us know in the comments.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.
