October 12, 2023

UK General Data Protection Regulation (UK GDPR): The Complete Guide for UK and International Companies

Discover everything you need to know about the UK General Data Protection Regulation (UK GDPR) and how it impacts your business, whether you're based in the UK or targeting UK customers. Learn about key principles, data subject rights, legal bases for processing, cookie consent, privacy policies, data processing agreements, and potential penalties for non-compliance.

The UK General Data Protection Regulation (UK GDPR) is the UK's version of the EU General Data Protection Regulation: the EU text carried over into domestic law at the end of the Brexit transition period and amended so that it works as a UK statute. It has applied since 1 January 2021.

Although the UK already had the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), keeping a law equivalent to the EU GDPR is what allowed the European Commission to grant the UK an adequacy decision in June 2021, so that personal data can continue to flow from the EU to the UK without additional transfer safeguards.

If you are familiar with the EU GDPR, you already know a lot about the UK version. Yet, we'd like to get into the details of what it requires from businesses so that you don't get into trouble with the supervisory authority.

How does the UK GDPR differ from the EU GDPR?

The UK GDPR is not a new text: it is the EU GDPR carried over essentially word for word, with references to EU institutions replaced by their UK equivalents (the ICO rather than the European Data Protection Board, the Secretary of State rather than the Commission) and read alongside the DPA 2018, which is where the UK's own exemptions for national security, the intelligence services and immigration control are set out.

For everyday commercial processing, the substantive rules are the same as under European law.

Does the UK GDPR apply to my business?

The UK law relies on the same extraterritorial principle as the EU law (Article 3), which means that the UK GDPR applies to your organisation or business if:

  • You are established in the UK and process personal data in the context of that establishment, or
  • You are outside the UK but offer goods or services to individuals in the UK, or monitor their behaviour there (for example, tracking UK visitors for analytics or advertising).

What is personal data under the UK GDPR?

The UK GDPR defines personal data as any information relating to an identified or identifiable living individual. Identifiers include the obvious ones (name, ID number, address) and online identifiers such as an IP address, a device ID or a cookie identifier, so web tracking data is usually personal data even when no name is attached to it.

The UK government took the EU definition and put it into domestic law unchanged. As a result, whatever is personal data within the EU is also personal data in the UK.

What are the key principles of the UK GDPR?

The basic principles of processing personal data under the UK GDPR are:

  • Lawfulness, fairness and transparency mean that you process data only on a valid legal basis, in a way that is fair and meets users' reasonable expectations, and that you tell them clearly what you are doing.
  • Purpose limitation means processing data only for the specified purposes for which it was collected and about which the user has been informed.
  • Data minimisation requires the data you process to be adequate, relevant and limited to what is necessary for those purposes.
  • Accuracy means you must keep personal data accurate and, where necessary, up to date, and correct or erase inaccurate data without delay.
  • Storage limitation requires you to delete or anonymise personal data you no longer need, which in practice means defined retention periods.
  • Integrity and confidentiality (security) require appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Accountability means you must be able to demonstrate compliance: records of processing, policies, data protection impact assessments where required, and evidence of the measures above.

The same principles are embedded in the DPA 2018 as well.

What are the UK GDPR data subject rights?

The same as in the EU GDPR, the UK GDPR rights of the data subject include:

  • Right to be Informed
  • Right of Access
  • Right to Rectification
  • Right to Erasure (‘Right to be Forgotten’)
  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Object
  • Rights in relation to automated decision-making and profiling

If you are familiar with EU law, you are right to assume that data subjects can submit a request at any time and that you must respond without undue delay, and at the latest within one month of receipt. That period can be extended by up to two further months for complex or numerous requests, provided you tell the requester within the first month. Ignoring a request is an infringement the ICO can act on.

What are the legal bases for processing personal data?

The UK GDPR's six legal bases for processing (Article 6) are:

  • Consent
  • Performance of a contract with the data subject (or steps taken at their request before entering one)
  • Legitimate interests (yours or a third party's, balanced against the individual's rights)
  • Public task (processing necessary for a task in the public interest or official authority)
  • Vital interests (protecting someone's life)
  • Legal obligation (processing the law requires of you).

Consent is only one of the six and is often not the best choice: in many commercial cases contract (delivering an order, running the account the customer signed up for) or legitimate interests (fraud prevention, network security) is the more appropriate basis. Pick the basis before processing starts and document it, because switching bases later is difficult. "Explicit" consent is a higher standard required in narrower cases, such as processing special category data (health, biometrics, political opinions and similar).

Do I need to obtain cookie consent?

Cookie consent in the UK actually comes from PECR rather than the UK GDPR itself: PECR covers any storing of or access to information on a user's device (cookies, local storage, tracking pixels, SDKs), whether or not personal data is involved, and the UK GDPR sets the standard that the consent must meet. Cookies that are strictly necessary for a service the user has asked for (session, load-balancing, security cookies) are exempt; everything else, including analytics and advertising cookies, needs consent before it is set.

Before using non-essential cookies, you must obtain consent. And the consent must be:

  • Freely given. You must not condition access to the website with consent or bundle consent with the Terms and Conditions.
  • Informed. The consent is valid only if the data subject knows what they are giving consent for. That makes the privacy policy essential for any controller.
  • Specific. You need separate consent for each processing purpose. One general consent for all purposes where the user is not given the option to choose is invalid.
  • Unambiguous. No pre-ticked boxes are allowed, and "By browsing this website, you allow the use of cookies" is not valid. The user has to take affirmative action, and no non-essential cookie may be set until they have.

Also, you must allow users to withdraw consent as easily as they gave it, which in practice means a "reject all" option that is as prominent as "accept all" and a settings link that is always reachable.

The EU GDPR and the ePrivacy Directive require the same, so if your cookie banner genuinely complies with the EU rules, it already meets the UK requirements as well.
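As an added example that is not part of the original article, the JavaScript below models the consent conditions above as state that every non-essential cookie write has to pass through: nothing is granted until the user acts, each purpose is recorded separately, withdrawal uses the same call shape as granting, and the record keeps a timestamp and notice version so you can prove what was agreed. The purpose names, cookie names and policy version strings are assumptions; the in-memory Maps stand in for localStorage and document.cookie so the code runs outside a browser.

```javascript
// Added example, not code from the original article. A DOM-free consent
// manager enforcing the validity conditions above. Purpose names, the
// policy version string and the cookie names are assumptions.

const ESSENTIAL = "essential";                    // strictly necessary: no consent needed
const NON_ESSENTIAL = ["analytics", "marketing"]; // each needs its own opt-in

class ConsentManager {
  // `policyVersion` ties the record to the notice the user actually saw:
  // if the cookie/privacy notice changes, old consent is no longer "informed".
  constructor(policyVersion, store = new Map(), now = () => Date.now()) {
    this.policyVersion = policyVersion;
    this.store = store;
    this.now = now;
    this.record = this.load();
  }

  load() {
    const raw = this.store.get("consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    // A record given against an older notice is stale: treat as "not asked".
    return rec.policyVersion === this.policyVersion ? rec : null;
  }

  save(choices) {
    // Accountability: keep what was chosen, when, and against which notice.
    this.record = { policyVersion: this.policyVersion, at: this.now(), choices };
    this.store.set("consent", JSON.stringify(this.record));
    return this.record;
  }

  // Show the banner until the user has made an affirmative choice.
  needsPrompt() { return this.record === null; }

  // Specific: the caller passes exactly the purposes the user ticked.
  // Unambiguous: there are no defaults; an empty array is a valid "reject all".
  grant(purposes) {
    const choices = {};
    for (const p of NON_ESSENTIAL) choices[p] = false; // nothing pre-ticked
    for (const p of purposes) {
      if (!NON_ESSENTIAL.includes(p)) throw new Error(`unknown purpose: ${p}`);
      choices[p] = true;
    }
    return this.save(choices);
  }

  // Withdrawal is as easy as giving: one call, same granularity, all by default.
  // Expiring cookies that were already set is a separate step, omitted here.
  withdraw(purposes = NON_ESSENTIAL) {
    const current = this.record ? this.record.choices : {};
    const choices = {};
    for (const p of NON_ESSENTIAL) choices[p] = purposes.includes(p) ? false : Boolean(current[p]);
    return this.save(choices);
  }

  isAllowed(purpose) {
    if (purpose === ESSENTIAL) return true;
    return Boolean(this.record && this.record.choices[purpose] === true);
  }
}

// Gate every cookie write through the manager. `jar` stands in for document.cookie.
function setCookie(manager, jar, name, value, purpose) {
  if (!manager.isAllowed(purpose)) return false; // refused outright, not queued
  jar.set(name, value);
  return true;
}

// Walk-through on constructed data with an in-memory store.
function demo() {
  const store = new Map();
  const jar = new Map();
  const m = new ConsentManager("2023-10", store);
  const before = setCookie(m, jar, "_ga", "GA1.2.1", "analytics");    // refused: not asked yet
  m.grant(["analytics"]);                                             // user ticked analytics only
  const analytics = setCookie(m, jar, "_ga", "GA1.2.1", "analytics"); // allowed
  const marketing = setCookie(m, jar, "_fbp", "fb.1", "marketing");   // refused: not ticked
  const session = setCookie(m, jar, "sid", "abc", ESSENTIAL);         // always allowed
  m.withdraw(["analytics"]);
  const after = setCookie(m, jar, "_gid", "GA1.2.2", "analytics");    // refused after withdrawal
  const reloaded = new ConsentManager("2024-01", store);              // notice changed: ask again
  return { before, analytics, marketing, session, after, reprompt: reloaded.needsPrompt(),
           cookies: [...jar.keys()] };
}

console.log(demo());
```

The design point is that the gate sits on the write path: scripts that drop analytics or marketing cookies are never loaded until `isAllowed` says so, and a changed notice version silently invalidates the stored choice so the user is asked again rather than bound by consent to a text they never saw.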

What should a UK GDPR Privacy Policy contain?

The privacy policy (privacy notice) is the document in which you are transparent with your users about your privacy practices. Articles 13 and 14 of the UK GDPR set out what it must contain at minimum:

  • Why you process data (the purposes)
  • What categories of data you process, and where you got it if not from the individual
  • The legal basis for each purpose, and the legitimate interests pursued where that is the basis
  • How long you keep the data, or the criteria used to decide that
  • With whom you share personal information (recipients or categories of recipients)
  • Information on international data transfers and the safeguards used
  • Data subject rights and how to exercise them, including the right to withdraw consent and the right to complain to the ICO
  • Whether providing the data is required by contract or law and what happens if it is not provided
  • Whether you use automated decision-making, including profiling, with meaningful information about the logic and consequences
  • Your contact details
  • The contact details of your Data Protection Officer and UK representative, if you have them

You are not limited to this information, however. This is the bare minimum needed to avoid issues with the Information Commissioner's Office, but you can always add more, as long as the notice stays concise and easy to understand.

What is a data processing agreement, and do I need one?

A Data Processing Agreement (DPA) is the contract Article 28 of the UK GDPR requires between a controller and any processor that handles personal data on its behalf. It sets out the responsibilities of each party regarding that processing.

A DPA must be in writing (electronic form is fine) and must cover the points Article 28(3) lists: the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, and obligations on the processor to act only on the controller's documented instructions, to bind its staff to confidentiality, to implement appropriate security measures, to engage sub-processors only with the controller's authorisation and under equivalent terms, to assist the controller with data subject requests, security and breach notification, to delete or return the data at the end of the service, and to make available the information needed for audits.

If you are a data processor for another company, make sure you include a DPA in all your contracts. If you are the data controller, make sure you have a written agreement with every processor, including cloud and SaaS providers; most of them offer a standard DPA you can sign.

Who enforces the UK GDPR, and what are the penalties?

The Information Commissioner's Office (ICO) is the supervisory authority that enforces the UK GDPR and PECR.

If the ICO investigates and finds that you have infringed the law, it can issue warnings, reprimands and enforcement notices ordering you to change or stop processing, as well as fines. For the most serious infringements (the principles, data subject rights, unlawful transfers) the maximum fine is GBP 17.5 million or 4% of total annual worldwide turnover for the preceding financial year, whichever is higher; a lower tier of GBP 8.7 million or 2% applies to breaches of obligations such as record-keeping, security, breach notification and processor duties.
