COMPLIANCE: EU -v- UK GDPR: Key Differences Every Small Business Owner Must Know
February 27, 2025 – Helping Keep Small Business CYBERSafe!
Gibraltar: Thursday 27 February 2025 at 13:30 CET
By: Iain Fraser – Cybersecurity Journalist
CYBERInsights – The UK Small Business Cybersecurity Network
#CyberInsights #CyberSecurity #CyberAwareness #CyberSafe #SME #SmallBusiness #Compliance #GDPR #Ensurety
The General Data Protection Regulation (GDPR) has been a cornerstone of data protection within the European Union (EU) since its enforcement in May 2018.
Following the United Kingdom’s (UK) departure from the EU, the UK implemented its own version of the GDPR, known as the UK GDPR. While both regulations share a common foundation, there are key differences that organizations must understand to ensure compliance in both jurisdictions.
Scope and Territorial Application
The EU GDPR applies to organizations operating within the EU, as well as those outside the EU that offer goods or services to, or monitor the behavior of, individuals within the EU. Similarly, the UK GDPR applies to organizations based in the UK and those outside the UK that process personal data in relation to offering goods or services to individuals in the UK or monitoring their behavior. Therefore, businesses operating across both regions must navigate both sets of regulations to remain compliant.
Regulatory Authorities
Under the EU GDPR, each member state has its own supervisory authority responsible for monitoring the application of the regulation. In contrast, the UK’s Information Commissioner’s Office (ICO) oversees the enforcement of the UK GDPR. Post-Brexit, the ICO no longer participates in the EU’s One-Stop-Shop mechanism, which previously allowed for a single lead supervisory authority for cross-border processing activities. Consequently, organizations handling data across both the EU and UK may need to engage with multiple supervisory authorities.
Data Transfers
A significant area of divergence is the regulation of international data transfers. The EU GDPR restricts the transfer of personal data to countries outside the European Economic Area (EEA) unless adequate safeguards are in place. Following Brexit, the UK is considered a third country under the EU GDPR. However, in June 2021, the European Commission adopted adequacy decisions for the UK, allowing data to flow from the EU to the UK without additional safeguards. It’s important to note that these adequacy decisions are subject to periodic review and could change.
Conversely, the UK has established its own framework for international data transfers. The UK government has recognized the EEA member states as providing adequate protection, permitting free data flow from the UK to the EEA. For transfers to other countries, the UK GDPR requires appropriate safeguards, similar to the EU GDPR’s provisions.
Representation Requirements
Organizations not established in the EU but subject to the EU GDPR are required to appoint an EU representative. Similarly, under the UK GDPR, organizations outside the UK must appoint a UK representative if they are subject to the regulation. This means that businesses operating internationally may need to designate representatives in both the EU and the UK to comply with both regulations.
Enforcement and Penalties
Both the EU and UK GDPRs stipulate substantial fines for non-compliance, with penalties reaching up to €20 million or 4% of the annual global turnover, whichever is higher. While the frameworks for enforcement are analogous, organizations must be aware that enforcement actions are now conducted separately by the ICO in the UK and the respective supervisory authorities within the EU member states.
Practical Implications for Organizations
For businesses operating across both the EU and UK, it’s imperative to assess data flows and ensure compliance with both the EU and UK GDPRs. This includes reviewing and potentially updating data protection policies, appointing representatives where necessary, and establishing mechanisms for lawful data transfers between the two jurisdictions.
Navigating the complexities of dual compliance can be challenging. Organizations may benefit from consulting with data protection experts to develop tailored strategies that address the specific requirements of both regulations. One such expert is Keith Budden, the principal of Ensurety, a consultancy specializing in data protection and GDPR compliance. With extensive experience in guiding organizations through the intricacies of data protection laws, Ensurety offers services designed to help businesses achieve and maintain compliance in an evolving regulatory landscape.
In conclusion, while the EU and UK GDPRs share a common heritage, key differences have emerged post-Brexit that organizations must carefully consider. By understanding and addressing these distinctions, businesses can ensure robust data protection practices and avoid potential regulatory pitfalls in both jurisdictions.
GDPR Training & Audits – Your business’s reputation is everything. If you’re not GDPR compliant, there is much more at stake for your company than a fine. Without your reputation and proof that you can offer your clients/customers complete privacy and protection, you could be left out in the cold. Our online course offers you a human approach to training while being informative and easy to follow. We also offer in-house training with Keith, who has been involved in the development of the General Data Protection Regulation with both the UK Information Commissioner’s Office and the Internet Advertising Bureau. As well as training, we are able to run full GDPR audits on your business’s terms and conditions and privacy policies.
CYBER Insights – Helping Keep Small Business CYBERSafe!
Launched in 2020 by Cybersecurity Journalist Iain Fraser and his team at IfOnly… CYBERInsights was developed to be the go-to platform providing definitive, reliable & actionable Cybersecurity News, Intel, Awareness & Training specifically written and curated for Small Business & Enterprise Owners, Partners and Directors throughout the UK. #CyberInsights #CyberSecurity #CyberAttack #CyberAwareness #Compliance #DDoS #Fraud #Ransomware #ScamAlert #SME #SmallBusiness #SmallBusinessOwner #ThreatIntel