GDPR Regulations In Britain: Are Businesses Bound By Two GDPR Laws After Brexit?

The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 affects how you, as a website owner, must obtain and store your cookie contents and ask for cookie permission from any visitors coming to your site.

GDPR Regulations In Britain: Are Businesses Bound By Two GDPR Laws After Brexit?

By Iffy Kukkoo

03 Dec, 2021


The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 affects how you, as a website owner, must obtain and store your cookie contents and ask for cookie permission from any visitors coming to your site. This applies to both UK & EU citizens.

The United Kingdom departed the European Union (EU) on January 31.

After leaving the EU, new domestic laws will be put in place to ensure that personal data safety is continued in the UK. 

While, in many cases, the laws introduced by the EU are near identical to the ones that the UK has introduced, there are some things that you should take into consideration with GDPR after Brexit.

What Happens To GDPR Laws After Brexit?

The UK is now classed as a ‘third country’ under the GDPR laws, which the European Union sets out. An agreement was signed in December 2020, which allows for a ‘transition’ or ‘interim’ period, which lasts until June 2021. This, until that date, allows for an unrestricted flow of data between the two blocs.

So what happens to data after June 2021?

  • An agreement is hoped to be met before the transition period ends so that data flow can continue between the United Kingdom and other European countries.
  • New laws have been put in place to ensure that data is still protected in the United Kingdom. This includes an updated version of the Data Protection Act and a brand new GDPR law called UK-GDPR.
  • For any British companies and websites that still operate in the EU, the EU’s GDPR laws will still apply for processing personal data from visitors.

While a new law has been created for GDPR and personal data in the UK, the law's core spine remains the same. The principles include:

  • The processing of data and lawfulness of processing that data (Article 5). The rules around processing special sections of personal data (Article 9). This includes identifying factors such as religious beliefs, political opinions and sexual orientation.
  • Asking for consent with the processing of your personal data (Article 7).
  • The right to access, forget, portability, and rectify your data (Article 15-22).

Enjoying the blog? Have a look at the implications GDPR has on CCTV.

The Legalities Of GDPR Laws In Britain After Brexit

The European Withdrawment Agreement signed by both the UK and the European Union includes specific regulations around the processing of personal data and the flow of that said data in the UK and the EU.

Referring to Articles 70-73 in the said agreement, state that the UK…


Shall ensure an adequate level of protection of personal data essentially equivalent to that under the European Union law.

Articles 70-73

This is important in ensuring that both parties approve a flow of data.

Article 45 of the GDPR regulations state that…


The transfer of personal data to a third country or an EU organisation could take place where the Commission has concluded that the third country (UK) ensures an adequate level of protection.

Articles 45

The decision must be reached before the transition period ends. If this is not achieved, then the United Kingdom would be classed as a third party country being referred by the EU when it comes to personal data.

Data would only be allowed to flow if both the controller and processors provided specific and strict guidelines for safeguarding and enforcing subject data rights. (GDPR, Article 46).

Our privacy promise to you Do you need some help?

DPPEC Regulations

The GDPR changes made to the UK data privacy law are all contained in the UK Government’s Data Protection, Privacy and Electronic Communications Regulations of 2019.

This was put in place to ensure accordance with the EU withdrawal agreement. 

As we previously stated, the UK-GDPR law that has been put in place is virtually the same as the previous European GDPR that UK businesses and websites had to abide by.

The UK-GDPR agreement merges two existing laws: the EU GDPR law and the Data Protection Act of 2018.

What Does This Mean For British Websites?

Ultimately, how does this concern you if you run or own a website within the UK? You will need to make possible changes around the use of cookies and any tracking technology used.

Bottom line, you have until June 2021.

The interim period doesn’t end until then. However, you are going to need to comply with the new UK-GDPR and EU laws, but you won’t need to take any additional action when it comes to processing personal data from the EU.

You will still need to ask for consent before you are allowed to collect or process their personal data. This is typically done with a cookie banner when someone enters a website.

Alternatively, if you would like to learn more about the possible changes, you can read the guidelines that have been set out by the ICO (Information Commissioner’s Office).

The ICO are responsible for supervising and enforcing:

- The Data Protection Act

- Privacy and Electronic Communications Regulations (PECR)

- Environmental Information Regulations

- The re-use of Public Sector Information Regulations

If you are a business, company or organisation operating in the UK, look at the privacy and compliance challenges you could face with GDPR in 2021.

What Happens If My Company Operates In Europe?

If your company operates in Europe, including selling goods and services in the EU, you will still be subject to the European Union GDPR law.

This also includes if you receive data from any European countries. You will need to establish a way to transfer consumer data to the United Kingdom without breaching GDPR laws.

The UK has already stated that they won’t restrict any data transfers from the United Kingdom to any European area. You will still need to take action if you receive personal data from any incoming source in the EU, however.

In practice, you should also consider binding our corporate rules (BCRs) or standard contractual clauses (SSCs) or data protection for an EU organisation or company that you exchange information with. This is essentially an agreement to comply with EU data rules as an individual organisation in the event that something changes.

You can find further information on the ICO Brexit hub or keep up to date with our blogs as we keep updating you further.

For updates on GDPR, compliance with privacy laws, and data regulations that have been put in place for the United Kingdom, follow our IT blog.


Posted By: Iffy Kukkoo
Resident Editor-In-Chief

Iffy is our exclusive resident technology newshound editor, relentlessly exploring the beauties of the world from a 4th dimensional viewpoint. When not crafting, editing or publishing our IT content, she spends most of her time helping people understand life and its basic principles. You know, the little things around you, that you've failed to grasp each day. IT blog has updates on IT Consultancy, IT Contractors and Software Development related posts, on how your business can be managed effectively using technology.

Feel free to read more and or reach out to share your thoughts, feelings and input on our articles, our team would love to hear from you!

Our privacy promise to you
Have a Question or Need an Answer? Ask our Live Chat and we will include it in our FAQ’s to make things easier for others

Our IT Blog

Latest Blog Post

How to improve your businesses Software Maintenance?

Latest Blog Post

What is the Difference Between a CTO & IT Consultant?

All Posts