Brexit and Data Protection | UK GDPR Law

GDPR vs Data Protection Act

Gain an easy understanding of the UK-GDPR and differences between the GDPR and Data Protect Act laws.

With recent legal developments taking into account data privacy, it shows the importance of protection of individuals personal information for businesses. The UK left the EU on 31st January 2020. The current transition period ends on 31st December 2020, DPA 2018 takes centre stage with all matters of data privacy. Let’s dive into the beef first and then related GDPR, DPA information including the basics and gdpr vs dpa. 

The UK-GDPR | GDPR in the post-brexit era

After the transition period (from 01.01.2021), the EU GDPR will no longer apply directly in the UK. UK’s equivalent of GDPR is called ‘UK-GDPR’. The DPA (Data Protection Act) 2018 puts EU GDPR’s requirements into practice that will work in the UK. UK businesses processing EU residents data shall adhere to GDPR and may need to:

  1. update their contracts governing EU-UK data transfers
  2. update policies, procedures and documentation reflecting the latest changes.
  3. appoint an EU representative

After transition period ends, The Data Protection Act shall take over the GDPR reigns within the UK. DPA controls how your information can be used, including 8 Data protection principles and provides you the rights to question its usage. Protection compliance may not be a new term for UK businesses. It is around since 1998 that is well before Y2K scare. For any matters related to the UK’s data protection legislation, ICO will remain the independent supervisory body. If you think whether PECR and NIS still apply, the answer is yes. More information around data protection at the end of the transition period is available at the ICO website.

How are EU data transfers affected by post-brexit situation?

The UK shall become a third country once transition period ends on 31st December,2020. Third country relates to UK falling outside of the GDPR zone that is consisting of EU member states plus Norway, Liechtenstein and Iceland. As per the GDPR law, personal data transfers are restricted to third countries, unless any exceptions or data is protected in another way.

The European Commission decides whether a third country has an adequate level of data protection. This effect, known as adequacy decision, will ensure that personal data transfers can be done without any further safeguards. The UK government are seeking such adequacy decision from the EU that will ensure the free flow of personal data. 

What are the differences between GDPR and Data Protection Act (DPA)?

GDPR (General Data Protection Regulation) for the EU came into effect on 25th May 2018. It is the toughest privacy and security law in the world. The primary impression of the GDPR is its applicability being same everywhere. There are exceptions to this as GDPR allows wiggle room for member states. It is important to note that GDPR not only applies to EU organisations, it also applies to non-EU organisations if they are dealing with EU residents’ data. Under GDPR, EU member states notifications to the European Commission must contain information around these provisions:

  • on data protection authorities (Article 51(4)),
  • on penalties (Article 84(2)),
  • on reconciling the right to data protection with the right to freedom of expression and information (Article 85(3)).

In short, the above provisions mean GDPR within the EU may vary from country to country.

For the subtle differences…

File could not be opened. Check the file’s permissions to make sure it’s readable by your server.

As data privacy remains at the forefront of challenges dealt by businesses, our GDPR Penetration testing and data privacy services offer great value and service quality enabling you to collect, process or share personal records securely.



  1. GDPR Individual Country Notifications
  2. UK Govt Legilastion
  3. DPA Factsheet 2018

Article Contents

Sharing is caring! Use these widgets to share this post
Scroll to Top