Is GDPR Changing Now the UK Has Left the EU?


This article will examine the changes to GDPR that you might need to know about now that the UK has left the European Union.

The UK has seen some major changes in just a few short years, and it can sometimes be hard to keep up. On the 25th of May 2018, the General Data Protection Regulation Act (GDPR) was introduced for the UK and the EU (European Union).

This act made it compulsory for website owners to request and obtain permission to store cookies which contain website users’ personal information. When we talk about personal data, or personal information, this means any kind of information about a person or individual who is ‘identified’ or ‘identifiable’ such as name, age, occupation etc.

Since 2018, anybody, whether a business or an individual, found to have committed a data protection act breach could face prosecution and in some cases, a hefty fine. In 2020, online shopping giant, Amazon, was fined a staggering 746 million Euros for breaching the GDPR Act after failing to gain consent for cookies. Amazon is just one in a long line of companies who have been penalised for breaching data protection laws in recent years.

So, what are the changes? Let’s delve into detail…

Two Major GDPR Changes for the UK Up Until 2025

Hot on the heels of the new GDPR Act came BREXIT – the UK’s departure from the EU, of which it had been a member since 1961. In January 2020, the United Kingdom officially left the EU, meaning that the UK would now need to negotiate trade deals with other countries.

Two major changes include:

1. A Business-as-Usual Agreement

To begin with, an agreement has been made that things will be ‘business as usual’ regarding GDPR and the UK until 2025. This agreement, which is designed to create an interim period for the UK, means that free flow of personal data between the UK and EU countries can continue.

This essentially ensures that the UK is still subject to GDPR laws which are standard across the EU.

2. Introduction of UK-GDPR

After June 2025, things may start to look a little different, as a new law will be put into place which will be known as UK-GDPR. While this may have a fancy new name, there’s no need to panic, as the rules and regulations will more or less remain the same as they were before BREXIT. These include the following:

  • Article 5 which relates to the lawfulness of processing personal data
  • Article 9 which relates to special categories of personal data
  • Articles 15-22 which regulate the right to access, the right to be ‘forgotten’ and, finally, the right to rectification

Changes to GDPR After June 2025

The main change after June 2025 will be that data may only be transferred between the UK and EU countries under three circumstances, which are laid out as follows:

  • If the European Commission (EC) has issued an adequacy decision. In other words, the EC has decided the third country has adequate data protection measures in place for EU countries to work with it.
  • If safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) are in place between organisations exchanging data. These are essentially commitments to comply with GDPR at the level of an individual company.
  • If an approved ‘code of conduct’ is in place between the EEA and the third country.

The first major change in the UK-GDPR law will be the age of consent. As things stand, the GDPR age of consent in the European Union is 16; however, under the new UK law, the age will be lowered to 13.

The second change relates to enforcement of GDPR rules. At the moment, GDPR laws are regulated and enforced by the European Data Protection Board. After June 2025, GDPR laws in the UK will be regulated and enforced by the Information Commissioner (ICO).

UK Businesses Need Not Panic About Changes to GDPR Laws

There isn’t a great deal for UK businesses to worry about in terms of changes to GDPR. While, should you wish to, you can plough through all 541 pages of the withdrawal agreement, which covers minute details of GDPR laws, businesses will ultimately remain within the law as long as they carry on as they have been.

This means paying close attention to the way in which a business uses cookies and the way in which data is handled. Data handling includes the collation, storing and sharing of personal data. Companies and individuals also need to ensure proper management of the way in which platforms scan and detect cookies to ensure that they remain compliant.

It’s still important to keep staff up to date with GDPR training…

Although the UK’s exit from the European Union has been headline stuff for some years – and rightly so – the good news is that, when it comes to GDPR, very little is likely to change.

Despite the exit, the United Kingdom will continue to share many values with countries within the EU, including a commitment to environmental issues, a commitment to protecting human rights and a commitment to ensuring that individuals’ personal data is protected by legislation.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.