A new Data Protection Act 2018 replaced the old Data Protection Act 1998, to implement the provisions of the General Data Protection Regulation (GDPR) - the European legislation which came into force in May 2018.
Following Brexit, the UK government enacted the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which amend the DPA and merge it with the requirements of the EU GDPR. This means the GDPR has been kept in UK law as the UK GDPR.
Personal data can continue to flow freely between the European Union and the United Kingdom in the same way as before Brexit, because the EU has now confirmed that UK data protection law provides an essentially equivalent level of protection to that guaranteed under EU law.
The EU adopted two ‘adequacy’ decisions in 2021 for the UK, pronouncing that UK data protection law is adequate to protect personal data to the standards required by the GDPR. This means that (except for some immigration control purposes which are still under review) no restrictions apply to personal data transfers between the UK and EU for a minimum of four years. The UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU, and the UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
More information is available:
- International data transfers | ICO
- The UK GDPR | ICO
- Adequacy | ICO
- Commission adopts adequacy decisions for the UK (europa.eu)
Issues around personal data (where they are held and how they are used) are becoming ever more important; UK GDPR strengthens the rights of individuals to be informed about how their personal data are processed, to restrict the processing that is allowed and to require correction or deletion of personal data in certain circumstances.
The GDPR introduced increased fines for data breaches (the maximum fine increased to €20 million or 4% of an organisation's global turnover, if greater), and organisations are held more accountable for how they process and protect the personal data they hold. The UK GDPR requires the maintenance of detailed internal records of personal data processing, the preparation of data protection impact assessments for riskier processes, and clearer privacy notices informing individuals about how their data will be used and ensuring that consent has been obtained in accordance with the rules where required.
The main changes introduced by the GDPR are:
- Transparency - more detailed and informative privacy notices are required; the purpose of, and legal basis for, processing must be explained.
- Consent - must be freely given, specific, informed and unambiguous; consent must be provided by clear affirmative action.
- Accountability - new requirements for demonstrating compliance; Privacy Impact Assessments required for new processing activities; data protection by design and default is expected.
- Children - new rules for consent to processing children's data.
- Sensitive personal data - called 'special categories of data' - extended to cover genetic and biometric data.
- Pseudonymisation - use of data in this form is encouraged, e.g. where data is used for statistical, historical or research purposes.
- Subject access requests - no charge for these; response required within one month rather than 40 days.
- Breach - stricter time limits for notification.
- Right to be forgotten - data subjects can request deletion of data.
- Portability - data subjects can request that data is made available in a portable format (a structured, commonly used and machine-readable form).
- Data processors - now have direct statutory obligations, as well as data controllers.
- International transfers - new rules for transfer outside the EEA.
- Fines for breach - maximum increased from £500,000 to £17 million (€20 million), or 4% of an organisation's global turnover, if greater.