Following Brexit, the UK implemented its own data regulation guidelines in 2021, more commonly known as the UK GDPR. But how is this any different from the EU GDPR?
What is UK GDPR?
The UK GDPR supersedes the former data protection regulation of the European Union that took effect in May 2018. Along with the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA) 2018, it was implemented from 1 January 2021 under the EU Withdrawal Agreement Act 2020.
Starting in 2021, the EU recognizes the UK as a third country, which would mean the UK would have to be assessed against the bloc's robust privacy and security law. However, personal data has been allowed to flow between the two parties without restriction on a temporary basis, up to June 2021, until the adequacy decision from the EU is finalized. As of this writing, Members of the European Parliament (MEPs) are urging the European Commission to give their citizens higher privacy rights, as the current draft risks exposing their personal data to indiscriminate access.
Who does UK GDPR apply to?
The law applies to all UK-based organizations that collect, store, and process the personal data of people residing in the UK.
Non-UK entities are also subject to the UK GDPR if they offer goods or services to individuals in the UK, or monitor their behavior.
In both instances, you have two data protection laws to abide by:
- If you process domestic personal data, you have to follow the DPA 2018 and the UK GDPR.
- If you process domestic personal data and also provide goods and services to, or monitor the behavior of, EU residents, you must adhere to the DPA 2018, the UK GDPR and the EU GDPR.
All UK organizations bound by the EU GDPR are required to appoint an EU representative to act on their behalf on GDPR compliance and to deal with supervisory authorities on the matter. You will also have to keep your policies and processes up to date with any new changes that may come.
Is UK GDPR different from EU GDPR?
The UK GDPR is a more intensive version of the EU GDPR. Although the former is relatively similar to the latter, there have been changes to and expansions of the EU GDPR that further alter the legal measures governing data flow in the UK, thus localizing it into what we know as the UK GDPR.
All changes made are found in the Data Protection, Privacy and Electronic Communications (EU Exit) Regulation (DPPEC).
Changes in the UK GDPR you may want to note are:
- Protection of personal data can be bypassed under matters of national security or immigration.
- The Information Commissioner's Office (ICO) will be the governing body to regulate and supervise the UK GDPR.
- The Secretary of State is granted the power to approve or revoke adequacy decisions for the UK, even without consulting the ICO.
- EU-based companies supplying services and goods to the UK are also required to appoint a representative, as is the case under the EU GDPR.
- The UK GDPR allows a minor to consent to the processing of their data as long as they are at least 13 years of age.
- Processing personal data for the sake of public interest is more lenient in the UK GDPR than the EU GDPR.
- Automated decision-making is allowed under the UK GDPR as long as there is a legitimate ground to do so, whereas the EU GDPR gives data subjects the option to refuse.
Breach of UK GDPR
For non-compliance with the UK GDPR, your company is looking at a maximum fine of £17.5 million. On the other hand, breaching the EU GDPR results in a fine amounting to €20 million or 4% of annual global turnover – whichever is greater.
There are new key principles to study under the new regulations. The implications of the UK GDPR in 2021 affect practices across all verticals, and can have an adverse effect on your back-end support, such as your finances.
This is where we come in. D&V Philippines can help you keep up with new UK rulings and post-Brexit changes through our experienced finance and accounting experts. You can check out our whitepaper, Your Talent Sourcing Partner, to learn how our talents can take care of your business needs.