The UK GDPR, New Data Privacy for British citizens

The UK General Data Protection Regulation, also known as UK GDPR for short, is a British data protection law that was recently adopted on January 1st, 2021. As the UK recently left the European Union at the end of 2020 and subsequently is no longer under the jurisdiction of the General Data Protection Regulation or GDPR, the country needed to make slight alterations in the ways in which it protected the personal data rights of their citizens. To this end, the UK GDPR law largely mirrors that of the EU’s GDPR law, albeit with some changes to the territorial scope of the law, as well as some provisions.

What is the scope and application of the UK GDPR?

In terms of the scope and applicability of the UK GDPR, the law applies to the processing of personal data under the following circumstances:

• When data processing is carried out in the context of activities in relation to an establishment of a data controller or processor, in a country or territory that is not an EU member state, whether or not said data processing takes place in said country or territory.
• The personal data pertains to a data subject who is in the UK when data processing takes place.
• The data processing activities are related to the offering of goods or services within the UK, whether said offerings are for payment or not, and the monitoring of a data subject’s behavior within the UK.

As it relates to the material and personal scope of the law, the UK GDPR has no national variation from the General Data Protection regulation, as the material and personal scope of the latter are still consistent with the former.

What are the requirements of data controllers under the UK GDPR?

In accordance with the EU’s GDPR law, the UK GDPR adopts the same data principles as it pertains to the safeguarding of the personal data of data subjects. These data principles include transparency, purpose limitation, storage limitation, data minimization, accuracy, integrity and confidentiality, and accountability. Alternatively, there are various changes that were made in relation to the obligations of data controllers under the UK GDPR. These changes include:

• Data processing notification– Under the UK GDPR, data controllers are required to both register with the Information Commissioner’s Office or ICO for short, as well as an annual data protection fee ranging from £40 ($54) to £2,900 ($3,931). This price range is predicated on the various tiers on which a particular data controller will fall under the law, depending on a variety of factors including the number of staff, the annual turnover of the business or organization, and whether the data controller in question is charity, public authority, or commercial entity. Alternatively, there are some businesses and organizations that are exempt from this fee, such as non-profit organizations and judicial functions.
• Data transfers– The UK GDPR places increased restrictions on the transfer of personal data to third parties. Under the law, such transfers are only permitted when such a transfer is necessary for law enforcement purposes, the transfer is based on the finding of adequate data protection measures with respect to a third-party country, or where other appropriate safeguards are in place, the transfer is for specified special circumstances, or the transfer is related to a relevant authority or international organization in a third-party country, such as an international body that carries out functions related to law enforcement.
• Children’s data– Under the UK GDPR, the age of consent as it relates to information society services is lowered from 16 to 13. As such, when data controllers collect, process, or disclose the personal data of children under the age of 13, “the consent of the holder of parental responsibility for the child must be obtained in order for the processing to be lawful”.
• Special categories of personal data– Similar to the EU’s GDPR law, the UK GDPR prohibits the processing of special categories of personal data, unless this data processing is within the limits listed within the exceptions outlined by the law. Some of these exceptions include when “processing is necessary for reasons of public interest in the area of public health on the basis of domestic law” or “processing is necessary for reasons of substantial public interest on the basis of domestic law”.

What are the rights of data subjects under the UK GDPR?

As is the case with the scope of the law, as well as the obligations of data controllers, the rights of data subjects under the UK GDPR are largely similar to those offered to data subjects under the EU’s GDPR law. These rights include the rights to be informed, to access, rectification, erasure, data portability, the right not to be subject to automated decision making, and the right to object or opt-out. However, there are some variations between the two laws as it relates to the rights that are offered to data subjects. These variations in regards to the UK GDPR include:

• The right to be informed– The UK GDPR provides data subjects with the right to be informed as it relates to the collection, processing, and disclosure of their personal data. However, the UK GDPR includes further exceptions to this right, such as “conflicts with journalistic, academic, artistic, or literary purposes, which are in the public interest” or instances in which the disclosure of personal data would “expose a person to proceedings for an offence by revealing evidence of the commission of that offence”.
• The right to access– The UK GDPR provides data subjects the right to access any personal data that a data controller may possess pertaining to them, subject to certain exceptions. Some of these exceptions include instances in which the accessing of a data subject’s personal data would “affect the price of, or decision to act with, a corporate finance instrument” or “prejudice the proper discharge of specified functions of the Bank of England”.
• The right to rectification– The UK GDPR provides data subjects with the right to rectify their personal data, subject to various exemptions. Some of these exemptions include rectification requests that would “prejudice the proper discharge of a specified function designed to protect the public” or “prevent compliance with a legal obligation to disclose the personal data”.

What are the penalties for violating the UK GDPR?

While the UK GDPR mirrors many of the provisions and regulations of the EU’s GDPR law, the UK obviously needed a new way to punish data controllers who were found to be in violation due to the country’s decision to leave the EU in 2020. As such, the Information Commissioner’s Office or ICO has the authority to enforce the UK GPR, and data controllers who are found to be in non-compliance with the law are subject to monetary penalties similar to those imposed under the EU’s General Data Protection Regulation, which includes “he higher maximum amount is £17.520 million or 4% of annual worldwide turnover (whichever is higher) and the standard maximum amount is £8.710 million or 2% of annual worldwide turnover, depending on the provision breached.

As the UK made the groundbreaking decision to leave the European Union at the end of 2020, they subsequently needed to create a legal framework that would provide the same level of data protection to British citizens as those offered to citizens of EU member states under the General Data Protection Regulation. As such, the UK GDPR was passed in January of this year, for the purpose of achieving this exact goal. In turn, data subjects within the UK can rest assured that their personal data and privacy are still being protected at all times, despite the fact they are no longer a part of the EU.