The General Data Protection Regulation (GDPR) is the EU regulation that governs data protection and privacy across the European Union. With Brexit complete and a trade deal agreed, EU law ceased to apply directly in the UK at the end of the transition period on 31 December 2020. So, what does this mean for data protection in the UK?
What is GDPR?
GDPR sets out the data protection and privacy rules that any organisation must comply with if it is established in, or targets individuals in, the EU or the wider European Economic Area (EEA). Its key principles include storage limitation (personal data may only be kept for as long as it is needed), data minimisation (only the data necessary for a stated purpose may be collected) and lawfulness (every use of personal data must rest on a lawful basis, of which consent is one; where consent is relied on it must be obtained before the data is collected).
Failing to follow GDPR can be costly: violators can be fined up to €20 million or up to 4% of their annual worldwide turnover, whichever is higher. Regulators have issued over €250 million in fines in the two and a half years since the regulation took effect in May 2018, including a hefty €50 million fine for Google in 2019.
Does GDPR still apply to UK businesses?
As of the start of 2021, the UK is a member of neither the EU nor the EEA, and the EU GDPR therefore no longer applies in the UK as EU law. Nevertheless, any UK business that operates in the EU or EEA must still comply with the EU GDPR, or else it can face a large fine and/or be forced to cease operations there.
Businesses must consider carefully whether they do operate in these areas, because the test is not simply whether the business has an office in the EU. Any business that offers goods or services to individuals in the EU or EEA, or that monitors the behaviour of individuals there, must still comply with the EU GDPR even though it is based in the UK. If your business receives personal data from the EU or EEA, the organisations supplying it must be able to transfer it to you lawfully, and the same applies in reverse when you send personal data to others in the EU or EEA.
What about UK data protection laws?
At the end of the Brexit transition period, the provisions of the EU GDPR were incorporated directly into UK law as the "UK GDPR". This sits alongside the Data Protection Act 2018, which means that the rules UK businesses had to follow before Brexit are still in place after Brexit: UK businesses must still follow the same rules.
It is not yet known whether the UK government will change its data protection regime, and any change could have a big effect on businesses. The trade agreement negotiated between the UK and EU allows personal data to keep flowing from the EU to the UK for a bridging period of four months, extendable to six, while the European Commission decides whether to grant the UK an adequacy decision. (Transfers in the other direction are unaffected, as the UK has already recognised the EU and EEA as adequate.)
If that assessment concludes that data protection in the UK has been weakened, transfers of personal data from the EU and EEA to the UK could no longer rely on adequacy and would need another lawful transfer mechanism, such as standard contractual clauses. This could have a severe impact on businesses that operate in both the EU and the UK, and some might even have to stop operating in certain regions.
So, for now, data protection rules have not changed as a result of Brexit, but if the UK government chooses to change them, the impact on businesses could be significant.