When Brexit came into effect on January 1, 2021, the UK was no longer regulated by the EU General Data Protection Regulation. Currently, it does not yet have its own data protection law, but it is applying what is called the post-Brexit UK-GDPR and this will last until June 27, 2025.
Find out in this article the main differences between the UK-GDPR and the EU-GDPR and how Didomi can help you build the groundwork for privacy-conscious growth.
Why is data regulation becoming so widespread?
The General Data Protection Regulation (GDPR) has now been in place for over 3 years. Its purpose is to protect personal data of EU citizens and to regulate EU companies and individuals who handle personal data.
This landmark law spearheaded a movement. Gartner now predicts that, by year-end 2023, 75% of the world’s population will have its personal data covered under modern privacy regulations
But, legislation aside, have you ever wondered how your customers perceive privacy? Or the financial and business implication of this?
In the last decade, consumer concerns about how their personal data may be used (or, more importantly, misused) have been on the sharp increase.
On average, 80% of consumers across Europe pay attention to privacy before making a purchase. Consumers are willing to act on privacy. Therefore, there’s ethical, reputational and monetary incentive for companies to act. And, of course, GDPR non-compliance can result in large sanctions.
So, from a consumer perspective, the GDPR protects privacy rights. And, from a company perspective, this landmark regulation allows enterprises to ensure their data practices promote transparency and protection, also protecting sensitive information against data breach.
Ultimately, it’s a win-win situation.
What are the differences between the EU-GDPR and the UK-GDPR?
So, you might be wondering what the differences are between the EU-GDPR and the UK-GDPR. And, you might also be wondering why we need a UK-GDPR.
The GDPR was approved in May 2018, when the UK was still part of the European Union. But, once Brexit came into effect on January 1, 2021, things have shifted.
What is the ICO’s role?
A major change to the UK-GDPR is that the Information Commissioner will now be responsible for promoting good practice in handling personal data. This means that, whereas previously it was the European Data Protection Board that took the lead, it is now the ICO that deals with all matters relating to the UK-GDPR's regulation and enforcement.
Cross-border data processing
Also, the rules on transfers of personal data between the UK and the EU have changed. In particular, European companies transferring data to the UK can do so according to an adequacy decision taken by the European Commission on June 28, for which data can continue to flow between the two countries.
Is it really as simple as that? Not really… In fact, companies must have a representative that is implemented in the UK and controls and processes the data there. Your representative may be an individual, or a company or organisation established in the EU, and must be able to represent you regarding your obligations under the EU-GDPR.
UK companies who have an organization in the EU, have customers in the EU or track individuals in the EU, must follow the EU-GDPR requirements. But the way they will interact with European authorities in terms of data protection will change. And, as in the previous case, they must have a representative in the EU who handles data on the territory.
The age of valid consent
Finally, another major difference between the two regulations is that the age of valid consent to data collection has been lowered to 13 in the UK, compared to 16 in Europe. So, in the UK, consent is only considered valid when collected from individuals over 13 years of age.
Are you post-Brexit GDPR compliant?
What does Brexit change in terms of data privacy? The UK's data protection system continues to be based on the same rules that were applicable when the UK was an EU Member State:
It requires your website or application to ask for the user's consent before collecting and processing data via cookies.
It requires that your organisation does not collect more data than is actually required.
It requires that it is as easy for your users to revoke consent to the use of data as it is to give it.
It requires you to clarify how long data is stored and how you handle users' personal data.
It requires you to adopt clear and simple language.
"What I really want to do is make privacy easy. And I think I can translate that to the UK. I want to make data protection easy – easy for industry to implement at low cost, easy for consumers to exercise privacy-friendly choices in their marketplace, and easy for people to access remedies when things go wrong." - John Edwards, former US Senator & the next UK Information Commissioner
Didomi helps companies become compliant in both the EU and the UK
We’re coming to the end of our summary of the GDPR and how it applies in the UK and Europe.
But, how can companies ensure they respect both the UK and EU-GDPR in an effective and fool-proof manner at every point of data collection? And how can organizations’ data be managed effectively, without affecting annual gross revenue?
Compliance should not be a matter of guesswork, and that’s why Didomi is here to help.
In fact, this moment of change in the UK could not have come at a better time for Didomi. We have recently expanded into the UK and are proud to be able to help all organisations be in compliance with local legislation.
Didomi is committed to adjusting its solutions as local markets evolve in both Europe and the UK.
It’s important to remember that all of these evolutions have one main aim in mind: giving UK residents greater transparency and control over the use of their personal data.
And, with 88% of consumers saying that the extent of their willingness to share personal information is based on how much they trust a company (PwC Protect.me Survey, 2017), the commercial benefit of optimal consent management technology should not be underestimated.
At Didomi, we believe that a compliant user data collection comes before everything else and must be at the core of your strategy if you want to build both a sustainable and trust-based relationship.
We allow companies to show exemplary compliance and reduce legal risk by collecting consent across every touchpoint. For this reason, we offer preference and consent management solutions that allow companies to prepare the groundwork for privacy-conscious growth, without sacrificing on data collection.
For more information about our products and how to comply with the UK-GDPR, get in contact with me. As Sales Director UK&I, I would be happy to answer any questions you might have.