The GDPR Post-Brexit: The Past, Present, and Future of Data Privacy in The UK
As a result of the UK leaving the EU, millions of individuals and organizations fell into uncertainty regarding data privacy rights. Here's an overview of where things currently stand, what Brexit means for privacy in the UK, and where we're headed next.
The current legal status
Before Brexit, the EU GDPR applied directly in the UK and was supplemented by the Data Protection Act (DPA) 2018, which had replaced the Data Protection Act 1998. When the EU GDPR stopped applying at the end of the transition period, its text was retained in UK domestic law, with amendments, as the UK GDPR, which sits alongside the DPA 2018. The UK GDPR applies to organizations established in the UK and to organizations outside the UK that offer goods or services to, or monitor the behavior of, people in the UK. Because the two laws share almost all of their articles, the EU GDPR, its recitals, and the case law built up under it remain a useful guide to the logic and meaning of each UK GDPR article.
The EU GDPR still applies to businesses established in the European Economic Area (EEA) and to businesses outside it that offer goods or services to, or track the behavior of, people in the EEA. In June 2021 the European Commission adopted adequacy decisions for the UK (one under the GDPR and one under the Law Enforcement Directive), which allow personal data to flow from the EEA to the UK without additional transfer safeguards such as standard contractual clauses. Two caveats apply. Transfers of personal data for UK immigration control are excluded from the GDPR adequacy decision, so they still need another transfer mechanism. And the decisions carry a four-year sunset clause, so they lapse in June 2025 unless renewed, and the Commission can suspend or amend them earlier if UK law diverges from EU standards.
The main principles of the UK GDPR
Seven principles, carried over from Article 5 of the EU GDPR, form the basis of the UK GDPR:
- Lawfulness, fairness, and transparency: Personal data must be processed on a valid lawful basis (such as consent, contract, legal obligation, or legitimate interests), in a way people would reasonably expect, and with clear information to the data subject about how it is used. The processing cannot be misleading or dishonest.
- Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes that are communicated to data subjects from the outset and documented, and it must not be further processed in a way incompatible with those purposes.
- Data minimization: Organizations must collect and process only the data that is adequate, relevant, and limited to what is necessary for the stated purpose.
- Accuracy: Organizations should take all reasonable steps to ensure that the personal data they process is accurate and not misleading, record where it came from, and correct or erase inaccurate data without delay.
- Storage limitation: Data must not be kept in identifiable form for longer than the purpose requires, and the organization must be able to justify any retention. A documented retention policy and periodic reviews identify data that is no longer needed so it can be deleted or anonymized.
- Integrity and confidentiality (the "security principle"): Personal data must be protected by appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: The organization is responsible for complying with the other principles and must be able to demonstrate that compliance, for example through records of processing, data protection impact assessments, and documented policies. Failure to do so can itself lead to enforcement action and fines.
EU GDPR vs. UK GDPR
While the EU GDPR forms the base for the UK version, there are still some differences to consider, including the following:
- Matters related to national security and the activities of the intelligence services fall outside the EU GDPR, which cannot regulate them under EU law; in the UK they are covered by the DPA 2018, which also contains an immigration exemption that restricts certain data subject rights where applying them would prejudice effective immigration control.
- The two laws define personal data almost identically; the UK text makes explicit that it covers only living individuals, which the EU GDPR states in a recital rather than in the definition itself.
- The Information Commissioner's Office (ICO) is the supervisory authority under the UK GDPR, in place of the EU member-state authorities and the EU's one-stop-shop mechanism, so complaints, breach notifications, and other procedures involving UK data subjects are handled through UK processes.
- Each law sets its own maximum fines: up to €20 million or 4% of worldwide annual turnover under the EU GDPR, and up to £17.5 million or 4% of worldwide annual turnover under the UK GDPR, whichever is higher in each case.
What the new law means for businesses
- First, organizations should check whether they must comply with both laws. Under Article 27 of the EU GDPR, an organization with no establishment in the EU that offers goods or services to, or monitors the behavior of, people in the EU must appoint a representative based in the EU, even if it no longer has any operations there (public authorities and organizations whose processing is only occasional and low-risk are exempt).
- Similarly, EU organizations that do the same in relation to people in the UK, and have no UK establishment, should appoint a UK representative.
- All relevant policies, privacy notices, contracts, and records of processing must be updated to reference the applicable law and supervisory authority.
- Some companies may have to separate their data by region so that each customer's information is processed according to the applicable law, and map their data flows, since transfers out of the UK and out of the EEA each need a transfer mechanism recognized by the relevant law.
Where things are headed
Recent announcements from the UK government discuss reforming its data protection legislation. Some say the country aims to set its own agenda as it moves away from the EU; the UK also plans to pursue data adequacy partnerships with the US, Australia, and other jurisdictions. The reform may revisit practices that have proved less effective, such as cookie pop-ups and consent requests, and other reports claim that it could remove administrative burdens and offer a more agile path to innovation, letting organizations move faster under fewer restrictions while users' privacy remains protected. The trade-off to watch is that the EU's adequacy decisions depend on UK law remaining essentially equivalent to the GDPR; significant divergence could lead the Commission to suspend or not renew them, which would reintroduce transfer safeguards for EEA-to-UK data flows.
It is interesting to see how data protection shifts when countries move in different directions, but what stands out is that, wherever we look, the need for data privacy remains. Businesses can use technologies like Mine PrivacyOps to get peace of mind, knowing that their privacy management and operations are handled.