Don’t Be Caught Off Guard by Brexit’s GDPR Changes
The effects of Brexit are still being felt, especially when it comes to personal data. The UK's separation from the EU brought with it some subtle, but significant, alterations to the General Data Protection Regulation (GDPR), and it's important to be aware of these changes to ensure your organisation remains compliant.
Firstly, the facts. The UK left the EU on December 31, 2020. The EU GDPR no longer applies in the UK, but the provisions were incorporated directly into UK law. The good thing is that there weren’t too many changes that deviate from EU GDPR. UK users still have all of the same rights they had before, and none of the key GDPR Principles have changed.
UK GDPR also applies to controllers and processors based outside the UK whose processing activities relate to offering goods or services to individuals in the UK and to those who monitor the behaviour or process data in the UK—whether the individual lives in the UK or not. Similarly, the EU GDPR applies to controllers based outside of Europe for the same processing scenarios applied to individuals in the EU.
So, now that the dust has settled, are you aware of the key changes to the legislation after Brexit? Here are the key points:
- The enforcement body that monitors the use of personal data within the UK has changed. The Information Commissioner’s Office (ICO) oversees the UK regulation, whereas in the EU, the European Data Protection Board (EDPB), member state privacy authorities, and the European Commission are responsible for this area. While the ICO has proved to be an approachable and flexible regulatory body, with a remit to educate data controllers and ensure data subjects are able to exercise their rights efficiently, it still has the ability to fine organisations when they do not comply, based on a structure similar to the EDPB.
- Perhaps the biggest change centres on the rules for international data transfers. The good news is that the EU GDPR adequacy decision considers the UK to be fully adequate, so no extra safeguards are required for sending personal data to the EU. However, for restricted transfers to third countries, two new sets of Standard Data Protection Clauses were issued by the Information Commissioner in March 2022, which are known as International Data Transfer Agreements (IDTA). IDTAs can be both tricky and daunting to roll out for an organisation. If you need help, CTG can train your staff and assist with the required preparation so your international transfers are accounted for and correctly documented. This is particularly helpful should the ICO audit your records of processing activities.
- Consent is also an area that differs between the UK and EU GDPRs. In the EU and EEA, an individual must be 16 years or older to give consent for the use of their personal data (with some exceptions). In the UK, the minimum age is 13. Consent can be a confusing area, and the nuances of the requirements can cause some organisations to put the wrong processes in place. At CTG, we can help walk you through your own consent mechanisms to ensure that your accountability for using and protecting the personal data of your data subjects, clients, and customers is clear and concise.
On March 8, 2023, the UK government re-introduced the Data Protection and Digital Information Bill as the Data Protection and Digital Information (No. 2) Bill to Parliament, and it included fresh proposals for data protection reform in the UK.
Although the proposals were small, those of note covered increasing fines under the Privacy and Electronic Communications Regulations (PECR), relaxing the rules regarding automated decision making outside of special category data, and limiting the requirements to keep a records-of-processing register. New rules regarding cookie consent have also been proposed. A full UK Government press release is available here, and we'll be blogging about the changes once they are approved after a second reading in Parliament later in 2023.
In short, many things regarding GDPR implementation in the UK have changed, and there could be more adjustments later this year. If you find yourself in a situation where you need assistance with data privacy, CTG is here to help.
AUTHOR
Andrew Stevenson
Data Privacy Consultant
Andy is a Data Privacy Consultant with more than 10 years’ experience in Data Protection, GDPR, Freedom of Information, and Law Enforcement Processing. He worked for the police for over 16 years and is interested in how privacy and information security applies to all walks of life—both business and personal. He has a certified practitioner’s qualification in Data Protection and GDPR.