Taking A Closer Look at The Changes to GDPR Following Brexit

—By Gal Ringel, CEO & co-founder of Mine

Since the implementation of the General Data Protection Regulation (GDPR) three years ago, in May 2018, individuals have been able to reclaim their personal data and gain control over their digital footprint. The regulation, which was one of the first of its kind, has inspired the rollout of similar regulations globally, including the LGPD in Brazil and California’s CCPA.

Since the time that this data privacy movement began, the UK has left the European Union, changing the ways in which the GDPR is applicable in the UK. With this in mind, it’s essential consumers are aware of how to stay in control of their digital footprint and know the rights around their personal data. Furthermore, our research at Mine found a 55% increase in the size of people’s personal data since the pandemic, making it more vital than ever to know who has your data. Let’s explore what Brexit means for the UK within the context of the GDPR and take a closer look at how the UK’s privacy landscape could unfold in the future.

A Closer Look at Post-Brexit Regulation in the UK

With Brexit over, the GDPR, like many other regulations governing the EU, is no longer specifically applicable to the UK. The UK now has its own law, the Data Protection Law, to govern the regulation. According to the Information Commissioner’s Office (the UK watchdog upholding information rights), the government planned to incorporate the GDPR into the UK’s existing act once the transition period ended in January.

For UK companies, there is actually no difference if they continue to work with European entities. When working with a European company that falls under the EU GDPR, UK companies have to comply with GDPR requirements or face a fine of up to 20 million Euros or 4% of their annual turnover, whichever is greater. This means that for any international corporation, the fact that the UK has effectively left the EU does not make much of a difference, as they still have to work under the GDPR as they have always known it.

In February 2021, the European Commission published draft decisions finding the UK to be adequate with regard to the GDPR. If these are then approved by the EU member states, the European Commission can formally adopt them as legal adequacy decisions. As a result, the UK will be able to allow the free flow of data under the EU GDPR transfer rules as it did before Brexit. Should the adequacy decision not be adopted, the UK must comply with the European GDPR transfer restrictions, which are currently in place for all other third countries, including Canada and the US.

What do the Changes Mean for Consumers?

While the shift in regulation policy in the UK since Brexit seems minor, there are important changes consumers should be aware of, including changes to the definition of personal data, child consent ages, and data subject rights. More specifically, there are six important changes to be aware of in the UK, now that the European GDPR no longer applies:

  1. The child consent age for the UK GDPR will be lowered from 16 to 13
  2. Personal data has a more limited definition under the UK’s GDPR
  3. UK organisations will not need official authority to process criminal data
  4. There is an exemption from the GDPR if the processing of personal data is of public interest
  5. Data subject rights can be waived if they significantly inhibit an organisation’s need to process data for scientific, historical, statistical or archiving purposes
  6. If companies continue to trade in the EU, they will need to appoint an EU representative and lead supervisory authority in the EU

Since 2018, the UK has also been under the governance of the Data Protection Act (DPA), which actually goes beyond the scope of the GDPR. There are numerous ways in which the two differ, but they are more or less the same. One difference is that the DPA has additional lawful bases for processing sensitive personal data. More specifically this means it is acceptable to process personal data of subjects, albeit with adequate controls to ensure that data is protected.

This can be applied for employment, social security, and social protection purposes as well as health and social care purposes. Under this law, data that is collected for archiving, research and statistics purposes can also be processed, as it can be for public interest purposes or in light of any criminal conviction.

Future Gazing: A Look at UK Regulation in the Coming Years

Looking ahead, we know the UK already has a strong policy around data protection in place, one that creates room for the UK to become a global champion in this space. I believe the UK’s DPA and the EU’s GDPR will take on a much bigger meaning both for consumers and companies with the growing realisation that it is no longer just a compliance issue but rather also affects a company’s brand reputation, user experience and their customers’ trust.

If there is any downfall of the GDPR and similar regulations, it is that they can be difficult for consumers to implement. Before Mine, there was no way to see all the companies holding your data in one place, and then easily enforce your rights to be forgotten. Excitingly, we are only three years in and I have no doubt privacy regulations are going to continue to change the digital world as we know it. At Mine, in less than a year and a half, we have already helped 250,000 consumers take ownership of their data by sending over three million data deletion requests, and we’re only getting started. We expect to see the global movement of data ownership expand as even more regions put similar regulations in place.