What law applies?
There's various legislation that regulates the use of personal data in the UK. Understanding what legislation needs to be adhered to is crucial for data protection compliance.
The EU GDPR was introduced to harmonise data protection rules across the whole of the European Union in May 2018, and it has direct effective in each EU Member State. The EU GDPR applied to all processing of personal data in the context of activities of an establishment of a controller or processor in the UK until the end of 2020.
Following the end of the Brexit transition period, the EU GDPR can still apply to a UK-based controller or processor where it is processing personal data of individuals in the EU in order to “target” them either by offering goods or services to them, or by monitoring their behaviour.
However, the fact of processing personal data of an individual in the EU alone is not sufficient to trigger the application of the EU GDPR to personal data processing activities of a UK-based controller or processor – the element of “targeting” individuals in the EU must be present for the EU GDPR to apply.
The Data Protection Act 2018 (DPA 2018) was introduced at the same time as the EU GDPR to supplement the EU GDPR requirements and standards, and to set out UK-specific rules where the EU GDPR gives Member States flexibility to confirm the position at a local level, within certain parameters. The DPA 2018 continues to apply to processing of personal data by UK organisations.
On 31 December 2020, at the end of the Brexit transition period, the EU GDPR became part of the new body of retained EU law, but the DP Brexit Regulations immediately amended this retained EU law version of the GDPR to create the UK GDPR. The DP Brexit Regulations also amended the Data Protection Act to refer to the UK GDPR instead of the original EU GDPR.
The UK Government has published “Keeling Schedules” to show how the DPA 2018 and the text of EU GDPR are amended by the DP Brexit Regulations for these purposes.
The full names of the DP Brexit Regulations are:
- Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419)
- Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (SI 2020/1586)
The 2019 Regulations themselves needed amendment in December 2020, because they had been written before the transition period was agreed. So, that’s why the similarly named 2020 Regulations were made on 17 December 2020.
Separate legislation regulates specific activities that concern the use of personal data. For example, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) include rules that regulate the use of internet cookies that track individuals’ online activity and that regulate the way organisations use individuals’ contact details to carry out unsolicited direct marketing.
Get in touch
Our team of legal experts are here to support you. Contact one of our lawyers today.
Key takeaways
> UK organisations need to ensure they comply with the UK GDPR and the DPA 2018 when processing personal data.
> It's possible for the EU GDPR to apply to UK organisations if they are “targeting” individuals in the EU, either by offering goods or services to them, or by monitoring their behaviour.
> Other legislation may also apply to UK organisations’ activities that involve personal data processing, such as the PECR.