The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 affects how you, as a website owner, must obtain and store your cookie contents and ask for cookie permission from any visitors coming to your site.
By Iffy Kukkoo
03 Dec, 2021
The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 affects how you, as a website owner, must obtain and store your cookie contents and ask for cookie permission from any visitors coming to your site. This applies to both UK & EU citizens.
The United Kingdom departed the European Union (EU) on January 31.
After leaving the EU, new domestic laws will be put in place to ensure that personal data safety is continued in the UK.
While, in many cases, the laws introduced by the EU are near identical to the ones that the UK has introduced, there are some things that you should take into consideration with GDPR after Brexit.
The UK is now classed as a ‘third country’ under the GDPR laws, which the European Union sets out. An agreement was signed in December 2020, which allows for a ‘transition’ or ‘interim’ period, which lasts until June 2021. This, until that date, allows for an unrestricted flow of data between the two blocs.
So what happens to data after June 2021?
While a new law has been created for GDPR and personal data in the UK, the law's core spine remains the same. The principles include:
The European Withdrawment Agreement signed by both the UK and the European Union includes specific regulations around the processing of personal data and the flow of that said data in the UK and the EU.
Referring to Articles 70-73 in the said agreement, state that the UK…
“Shall ensure an adequate level of protection of personal data essentially equivalent to that under the European Union law.”
This is important in ensuring that both parties approve a flow of data.
Article 45 of the GDPR regulations state that…
“The transfer of personal data to a third country or an EU organisation could take place where the Commission has concluded that the third country (UK) ensures an adequate level of protection.”
The decision must be reached before the transition period ends. If this is not achieved, then the United Kingdom would be classed as a third party country being referred by the EU when it comes to personal data.
Data would only be allowed to flow if both the controller and processors provided specific and strict guidelines for safeguarding and enforcing subject data rights. (GDPR, Article 46).
The GDPR changes made to the UK data privacy law are all contained in the UK Government’s Data Protection, Privacy and Electronic Communications Regulations of 2019.
This was put in place to ensure accordance with the EU withdrawal agreement.
As we previously stated, the UK-GDPR law that has been put in place is virtually the same as the previous European GDPR that UK businesses and websites had to abide by.
The UK-GDPR agreement merges two existing laws: the EU GDPR law and the Data Protection Act of 2018.
The interim period doesn’t end until then. However, you are going to need to comply with the new UK-GDPR and EU laws, but you won’t need to take any additional action when it comes to processing personal data from the EU.
You will still need to ask for consent before you are allowed to collect or process their personal data. This is typically done with a cookie banner when someone enters a website.
Alternatively, if you would like to learn more about the possible changes, you can read the guidelines that have been set out by the ICO (Information Commissioner’s Office).
The ICO are responsible for supervising and enforcing:
If you are a business, company or organisation operating in the UK, look at the privacy and compliance challenges you could face with GDPR in 2021.
What Happens If My Company Operates In Europe?
If your company operates in Europe, including selling goods and services in the EU, you will still be subject to the European Union GDPR law.
This also includes if you receive data from any European countries. You will need to establish a way to transfer consumer data to the United Kingdom without breaching GDPR laws.
The UK has already stated that they won’t restrict any data transfers from the United Kingdom to any European area. You will still need to take action if you receive personal data from any incoming source in the EU, however.
In practice, you should also consider binding our corporate rules (BCRs) or standard contractual clauses (SSCs) or data protection for an EU organisation or company that you exchange information with. This is essentially an agreement to comply with EU data rules as an individual organisation in the event that something changes.
You can find further information on the ICO Brexit hub or keep up to date with our blogs as we keep updating you further.
Iffy is our exclusive resident technology newshound editor, relentlessly exploring the beauties of the world from a 4th dimensional viewpoint. When not crafting, editing or publishing our IT content, she spends most of her time helping people understand life and its basic principles. You know, the little things around you, that you've failed to grasp each day.
Dee.ie IT blog has updates on IT Consultancy, IT Contractors and Software Development related posts, on how your business can be managed effectively using technology.
Feel free to read more and or reach out to share your thoughts, feelings and input on our articles, our team would love to hear from you!