GDPR was introduced in May 2018, however when the UK formally left the EU on 31 December 2020 EU GDPR is no longer law in the UK. In this article we’ll give you a brief history of why there are two GDPRs and what areas of law it covers.
We will also discuss who supervises UK GDPR and how to make sure your website is compliant with this new regulation.
| Does the GDPR apply in the UK after Brexit? |
|---|
| The simple answer is no. The UK GDPR replaced the EU GDPR after Brexit and came into force on the same day as the UK left the EU. There are some key differences between the two sets of regulations that businesses need to be aware of, particularly around data transfers and supervisory authority contact details. |
Essentially the UK has taken GDPR and made it its own, so if you’re already GDPR compliant there shouldn’t be too much additional work to do. The UK Information Commissioner’s Office (ICO) has said that they will “continue to enforce and uphold the law” after Brexit and have also published detailed guidance.
Cutting edge payroll software
- Powerful and easy to use
- HMRC & RTI compliant
- Used by payroll pros
The CRM platform to grow your business
- Great for entrepreneurs
- Powerful data analytics
- Manage sales and data
Powerful web builder and advanced business tools
- Great for startups
- Powerful web page builder
- E-commerce available
Supercharged content planning
- Great for marketing
- Better than lists or sheets
- Manage social media
Create a new website in 10 minutes. Easy.
- Launch your website fast
- Powerful data intuitive
- No coding skills needed
UK GDPR vs EU GDPR – key differences
There are a few key areas where the UK GDPR differs from the EU GDPR:
- Data transfers: The UK will no longer be part of the EU’s free movement of data, so businesses will need to put in place alternative arrangements for data transfers between the UK and EU.
- Supervisory authority contact details: The supervisory authority contact details for the UK will need to be updated on your website.
- Lead supervisory authority: If you have customers in more than one EU country, you will need to appoint a lead supervisory authority. This is no longer required under the UK GDPR.
What does the UK GDPR cover?
GDPR along with the Data Protection Act 2018 set out the rules for how personal data must be collected, processed and stored by organisations operating in the UK. It also gives individuals new rights over their personal data, including the right to be forgotten and the right to data portability.
It applies to any organisation that processes the personal data of individuals in the UK, regardless of whether they are based in the UK or not. This includes businesses, charities, public bodies and sole traders. Organisations must comply with it unless they can demonstrate that they meet one of the exemptions set out in the law.
The UK GDPR covers the same areas as the EU GDPR, including:
- Data protection principles
- Rights of data subjects
- Conditions for consent
- Data processors and controllers
- Data transfers
Who supervises UK GDPR?
The supervisory authority is the Information Commissioner’s Office (ICO). The ICO is responsible for enforcing the it whereas the EU GDPR is enforced by the European Commission. The ICO in its role of enforcing GDPR is able to hand out fines.
How to make sure you website is compliant
If you have customers in the UK, you need to make sure your website is compliant . You can do this by ensuring that you have a data protection policy in place that sets out how you collect, use, and store personal data. You should also make sure you have a process in place for dealing with subject access requests (SARs).
There are a few key things you need to do to make sure your website is compliant with it:
- Update your privacy policy: You will need to update your privacy policy to reflect the changes in UK GDPR. This includes specifying the legal basis for processing data, providing contact details for the ICO, and specifying the rights of data subjects.
- Update your cookies policy
- Make sure you have a valid legal basis for processing data: You will need to specify the legal basis for processing data in your privacy policy. The most common legal basis for processing data is consent, but there are other legal bases that can be used.
- Update your supervisory authority contact details: You will need to update the supervisory authority contact details on your website. The ICO can be contacted at ico.org.uk.
- Make sure you have adequate security measures in place: You will need to put in place adequate security measures to protect the personal data you process. This includes ensuring that your website is secure and that data is encrypted.
- Keep records of your data processing activities: You will need to keep records of your data processing activities, including the purposes for which data is processed, the categories of data subjects, and the categories of personal data.
By following these steps, you can be sure that your website is compliant.
FAQs
The UK GDPR is very similar to the EU GDPR, but there are a few key differences. The most notable difference is that the supervisory authority for the UK GDPR is the Information Commissioner’s Office (ICO) whereas the EU GDPR is supervised by the European Commission.
The penalties for non-compliance with UK GDPR are the same as those for EU GDPR. Organizations can be fined up to €20 million or up to four percent of their global annual revenue, whichever is greater. Individuals can also be fined up to €20 million or up to four percent of their global annual revenue, whichever is greater.
Yes, there are a few exemptions set out in the law. However, you will need to demonstrate that you meet one of the exemptions set out in the law.
There are a few key things you need to do, including updating your privacy policy, updating your cookies policy, making sure you have a valid legal basis for processing data, and keeping records of your data processing activities. You should also update the supervisory authority contact details on your website.