The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) and the The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998), and implemented the GDPR into UK legislation. (DPA) have some key differences which may impact the UK’s relationship with the EU, post-Brexit. The GDPR became enforceable on 25thMay 2018. As a European regulation, it is directly effective in EU Member States, meaning that all UK organisations must comply with it.
The GDPR does however give Member States limited scope to shape how certain aspects of the Regulation apply in their country. The DPA 2018 enacts the GDPR into UK law, and in doing so has included various ‘derogations’ as permitted by the GDPR, resulting in some key differences.
Child An unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed.
Extended definition of ‘identifier’
Automated decision making/processing
Under UK and EU data protection regulation, data subjects have a number of rights available to them, including the right to be informed, access, rectification, erasure, restrict processing, data portability, to object and further rights in relation to automated decision making and profiling.
Privacy vs Freedom of Expression
The DPA is wider in scope than the GDPR, covering:
Finally, whilst the GDPR is governed by the A Court interpreting EU law, ensuring it is applied in the same way in all EU countries, and settling legal disputes between national governments and EU institutions. The Courts ensure the correct interpretation and application of primary and secondary EU law within the EU. It consists of two courts: the Court of Justice and the General Court. (CJEU), when the UK leaves the EU, the DPA will be governed solely by the UK justice system, leaving the CJEU out in the cold.
Being an EU Member State, means data can flow unhindered across borders to and from the UK. This makes business cheaper, faster and generally easier.
However, when the UK leaves the EU, data will no longer be able to rely on data flowing freely, this will depend on our data protection laws being considered ‘Adequate’ (as defined by Article 45 of the GDPR by the EU Commission).
This means our data protection laws must be sufficiently similar to the EU data protection laws so that the EU feel that residents’ data is being ‘adequately’ protected if shared with the UK.
Clearly, the more negative the disparity between the DPA and GDPR, the less likely we will be deemed Adequate, therefore these differences really do matter.
Finally, it should also be mentioned that Acts other than the DPA may cause the UK problems post Brexit, such as the Investigatory Powers Act 2016, which confers on the state new powers that clearly contradict the GDPR, especially regarding data processing in the investigation of criminal offences.
As experts in Data Protection legislation, the DPO Centre provides advice and guidance to organisations to help them navigate the ever-evolving regulatory landscape by providing outsourced Data Protection Officers as a service, GDPR EU Representation Services required under Article 27 for organisations outside the EU, as well as Data Protection Impact Assessments, Consultancy and Training.