UK-GDPR is the new national data law after Brexit


After many delays, the British Parliament has finally ratified the Withdrawal Agreement with the European Union. The UK left the European Union at the end of January 31, 2020.

The General Data Protection Regulation, which was a bizarre law until the UK left the European Union, is still applicable. No new laws or national data protection laws have been passed, so we don’t expect to see any major changes anytime soon.

The UK’s GDPR went into effect on January 1, 2021. It sheds light on the general data protection regime that applies to most businesses and organizations.

What are the differences between UK-GDPR and EU-GDPR?

The UK GDPR is almost identical to the EU GDPR. To be more specific, you need to implement a consent mechanism to allow users to gain control over all personal data they share. The processing of personal data is prohibited unless the data subject has consented to the processing.

The goal is to impose a uniform data security law on everyone. It makes it easier for citizens to understand how their data is used, and most importantly, they can make complaints. When a company or organization works exclusively in the UK, it must comply with the law. This means adhering to the rules set by the UK GDPR.

Contrast in the age of valid consent of the GDPR

A notable difference between the two privacy and data security laws is that, in the UK, individuals must be at least 13 years old to give consent to the use of their personal data. Therefore, 13 is the lowest age allowed by the GDPR.

If someone sells ringtones to teenagers for their smartphones, personal data is collected upon completion of the purchase process. Children are granted additional protection because they are not fully aware of the risks or consequences of their actions.

Any information aimed at young people should be easily accessible, clear and written in plain language.

The introduction of the ICO to ensure a consistent application of the GDPR

Another notable difference between UK legislation and the EU-GDPR is that the Information Commissioner’s Office is responsible for promoting good practices in handling personal data. The ICO, in short, is an independent supervisory authority, taking the lead in place of the European Data Protection Board.

In addition to providing advice and guidance on data protection, the ICO ensures that data controllers provide basic information about their company, manages disputes by determining whether a company or organization has complied with the GDPR, and pursues the crimes committed under the GDPR.

Different rules on transfers of personal data between the UK and the EU

By cross-border processing, we mean processing of personal data that has a connection with more than one EU Member State. European countries that transfer data to the UK can do so according to the adequacy decision taken by the European Commission on June 28th.

The result is that personal data can flow from the EU to a third country without having to take additional precautions. The UK government has stressed the importance of international transfers of personal data in the context of global trade. After Brexit, a UK secretary of state rules on the adequacy decision.

What can you, as a company, do to be GDPR compliant?

If you are an established organization, there are several things you can change or implement in your business to ensure full compliance with data privacy and security law. Take reasonable steps to make sure your business is protected from any liability. You have to be compliant, but what does it really mean? Please read on to find out.

Understand what data you hold, where it comes from and where it is going

It is important to know what information you hold that can identify people, as it may represent personal data. Personal data is any type of information that can help identify a person, such as name, location data, IP address, political views, and more.

The list is not exhaustive. Whether or not information is considered personal data depends on the context in which it is collected. Record what personal data you hold as a business, how it was obtained, how it is stored, how you intend to use that personal data, and last but not least, where it is going.

Relying on consent to process someone’s personal data

If you rely on consent as the legal basis for processing personal data, the UK GDPR will make things more difficult for you. Consent must be unique, not to mention that it should be obtained retroactively. Separate the consent request from the general conditions.

Above all, you should avoid the technical jargon and confusing terminology. The consent request should include details such as the organization name, why you want the data, what you intend to do with it, and the fact that individuals can withdraw their consent at any time.

Know what constitutes a personal data breach

You, as well as your employees, should clearly understand what constitutes a personal data breach and put in place a system to prevent and escalate such incidents. Simply put, a data breach materializes when facts, statistics, and other information held by a business are stolen or accessed without authorization.

Malicious actors exploit this information in phishing scams to give the impression of legitimacy. The GDPR gives the right to seek compensation if the damage was suffered due to the violation of the data protection law.

Develop a culture where employees feel confident they recognize the mistakes they have made. In case you don’t know, this is the underlying cause of the problem.

Appoint a data protection officer

It may be necessary to appoint a data protection officer. The role of the DPO is to ensure that the company treats the personal data of its staff, customers, suppliers, and so on, in the manner required by law.

If you monitor or process sensitive data on a large scale, such as political opinions, data revealing ethnic origin or philosophical beliefs, you will need a data protection officer.

Starting with a basic knowledge and impact assessment of that data within the organization, they will oversee areas such as terms and conditions, website forms and policies, and third party contracts.

