Brexit and Data Protection | UK GDPR Law

Share on facebook
Share on twitter
Share on linkedin
Share on email
GDPR vs Data Protection Act

Stay up to date

Stay up to date with the latest threat reports, articles & mistakes to avoid.

Simple, yet important content.
No salesy pitches and all that, promise!

Gain an easy understanding of the UK-GDPR and differences between the GDPR and Data Protect Act laws.

With recent legal developments taking into account data privacy, it shows the importance of protection of individuals personal information for businesses. The UK left the EU on 31st January 2020. The current transition period ends on 31st December 2020, DPA 2018 takes centre stage with all matters of data privacy. Let’s dive into the beef first and then related GDPR, DPA information including the basics and gdpr vs dpa. 

The UK-GDPR | GDPR in the post-brexit era

After the transition period (from 01.01.2021), the EU GDPR will no longer apply directly in the UK. UK’s equivalent of GDPR is called ‘UK-GDPR’. The DPA (Data Protection Act) 2018 puts EU GDPR’s requirements into practice that will work in the UK. UK businesses processing EU residents data shall adhere to GDPR and may need to:

  1. update their contracts governing EU-UK data transfers
  2. update policies, procedures and documentation reflecting the latest changes.
  3. appoint an EU representative

After transition period ends, The Data Protection Act shall take over the GDPR reigns within the UK. DPA controls how your information can be used, including 8 Data protection principles and provides you the rights to question its usage. Protection compliance may not be a new term for UK businesses. It is around since 1998 that is well before Y2K scare. For any matters related to the UK’s data protection legislation, ICO will remain the independent supervisory body. If you think whether PECR and NIS still apply, the answer is yes. More information around data protection at the end of the transition period is available at the ICO website.

How are EU data transfers affected by post-brexit situation?

The UK shall become a third country once transition period ends on 31st December,2020. Third country relates to UK falling outside of the GDPR zone that is consisting of EU member states plus Norway, Liechtenstein and Iceland. As per the GDPR law, personal data transfers are restricted to third countries, unless any exceptions or data is protected in another way.

The European Commission decides whether a third country has an adequate level of data protection. This effect, known as adequacy decision, will ensure that personal data transfers can be done without any further safeguards. The UK government are seeking such adequacy decision from the EU that will ensure the free flow of personal data. 

What are the differences between GDPR and Data Protection Act (DPA)?

GDPR (General Data Protection Regulation) for the EU came into effect on 25th May 2018. It is the toughest privacy and security law in the world. The primary impression of the GDPR is its applicability being same everywhere. There are exceptions to this as GDPR allows wiggle room for member states. It is important to note that GDPR not only applies to EU organisations, it also applies to non-EU organisations if they are dealing with EU residents’ data. Under GDPR, EU member states notifications to the European Commission must contain information around these provisions:

  • on data protection authorities (Article 51(4)),
  • on penalties (Article 84(2)),
  • on reconciling the right to data protection with the right to freedom of expression and information (Article 85(3)).

In short, the above provisions mean GDPR within the EU may vary from country to country.

For the subtle differences…

DPA(Data Protection Act 1998) GDPR (General Data Protection Regulation)
Basics The Data Protection Act 2018 defines how personal information can be used by oragnisations, businesses or even by the government. EU General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of European Union residents. It came into effect since May, 2018.
Geography Only applies the UK. The Data Protection Act 2018 is the UKs implementation of the General Data Protection Regulation (GDPR). Applies to the entire EU. UK is included in the GDPR until transition period deadline (31.12.2020).
Authority Enforced by the Information Commissioner's Office (ICO), UK. Once transition periods end on 31.12.2020, ICO's GDPR guidance will continue to apply (aligned with GDPR). Compliance will be monitored by a Supervisory Authority in the UK with each European country having its own SA
Brexit applicability DPO 2018 supplements the GDPR within UK and shall come into full effect once transition period ends on 31.12.2020. The GDPR is an EU regulation and since Brexit meant UK has left the EU, GDPR won't apply after the transition period ends. If your business operates inside the UK, you will need to comply with UK data protection law. The EU version of GDPR will apply to any of your businesses operating (offering services or monitoring the behavior of EU residents) in EU.
Personal data definition DPA 2018 provides limited definition of personal data. GDPR applies to personal data, that is any piece of information that identifies an individual. This also includes other information that is not personal, for instance, location data, generic information, online identification markers (IP addresses, cookies) and more.
Main Principles Key Data Protection Act principles are: Lawfulness, fairness and transparency Purpose limitation Data minisation Accuracy Storage limitation Integrity and Confidentiality (security) Accountability Key GDPR principles are: Lawfulness, fairness and transparency Purpose limitation Data minisation Accuracy Storage limitation Integrity and Confidentiality (security) Accountability
Consent age A child's consent age is 13 years. A child's consent age is 16 years.
Opt-in Data collection does not requires an opt-in, allows data automated profiling with legitimate reasons to do so. The need for consent from an individual underpins GDPR, this means data subjects have right to refuse automated decision making/profiling.
Data subject rights DPA 2018 allows data subject rights to be waived in case of scientific or historical research purposes, statistical purposes and archiving purposes. GDPR protects data subjects rights to personal data processing.
Exemptions An exemption to data processing exists if it is in the public interest to do so. Does not apply to individuals processing data for personal or household use.
Privacy Impact Privacy Impact Assessment is not mandatory Privacy Impact Assessments (PIAs) are mandatory and carried out when there is a risk to ensure organisations meet an individual's privacy expectations.
Data Breach notification Data controllers are required to notify the commissioner within 72 hours of a breach. GDPR introduces a duty on all organisations to report a breach within 72 hours of becoming aware of the breach
Data breach fines under DPA and GDPR DPA 2018 provides for maximum fines of up to 17m GBP, or 4% of global tunrover consistent with the GDPR GDPR providers for maximum fines of up to 20m Euro, or 4% of global turnover whichever is greater
GDPR Data Protection Officer DPA does not extends GDPR requirements for Data Protection Officer Every organisation does not need to employ a data protection officer (DPO). A DPO is mandatory under these circumstances: The organisation is a Public authority or body The organisation deals with data processing operations on a large scale that involve regular and systematic monitoring. The organisation processes special categories of data such as personal information on health, religion, race or sexual orientation).
Fees Under Part 3 of the DPA 2018 no fees can be requested. In case of manifestly unfounded and excessive requests, data controller may charge a reasonable fee and justify the cost. All requests are free of charge, unless any manifestly unfounded and excessive where a 'reasonable fee' can be charged.

Discuss your concerns today

As data privacy remains at the forefront of challenges dealt by businesses, our GDPR Penetration testing and data privacy services offer great value and service quality enabling you to collect, process or share personal records securely.



  1. GDPR Individual Country Notifications
  2. UK Govt Legilastion
  3. DPA Factsheet 2018

Article Contents