Is there a difference between UK GDPR and EU GDPR?

In this article:

  • Why is there a separate GDPR for the UK?
  • Key differences between UK GDPR and EU GDPR
  • Do EU GDPR principles apply in the UK?
  • What is the Data Protection Act 2018?
  • The difference between Data Protection and GDPR
  • Anonymisation and pseudonymisation of data
  • Get Involved with Trust Hogen’s Data Protection Month

Why is there a separate GDPR for the UK?

Following the UK’s decision to leave the European Union (EU), there was a period of confusion regarding the EU’s General Data Protection Regulation (GDPR) laws and how it would affect those in the UK.

As a result, the UK government took steps to ensure that data protection laws in the UK remain adequate and GDPR-compliant. This resulted in the introduction of UK GDPR and the Data Protection Act 2018 (DPA 2018), which are both essential pieces of legislation for anyone who collects or processes personal data in the UK.

Key differences between UK GDPR and EU GDPR

You may be asking, ‘Are UK GDPR and EU GDPR the same?’

Not exactly. Although UK GDPR is intended to carry the EU GDPR’s requirements into UK law, there are some modifications you need to be aware of:

In the EU, an individual must be at least 16 years old to consent to the use of their personal data (with some exceptions), whereas in the UK the age of consent for personal data drops to 13.

EU GDPR and UK GDPR both use separate bodies to monitor and enforce data protection laws. In the UK, this body is called the Information Commissioner’s Office (ICO), while the European Data Protection Board (EDPB) governs EU GDPR.

If a company operates only within the UK, it must abide by UK GDPR and the Data Protection Act. Conversely, a company that operates exclusively within the EU need only follow EU GDPR rules. Companies that operate in both the UK and the EU must comply with both jurisdictions.

EU GDPR does not cover the collection of personal data for security, immigration or intelligence service purposes, whereas UK GDPR allows personal data to be collected for these reasons (with some exceptions).

Do EU GDPR principles apply in the UK?

As mentioned earlier, following Brexit the UK introduced two key data protection laws that apply to businesses: the Data Protection Act 2018 and GDPR.

Any organisation that processes personal data must follow detailed guidance and ensure compliance with both GDPR (for EU law) and the DPA 2018.

Organisations must take measures to meet legal obligations under both GDPR and the DPA 2018. This includes understanding their responsibilities as data controllers, as well as ensuring appropriate safeguards are in place for data transfers between the UK and EU (such as the Standard Contractual Clauses or the Binding Corporate Rules).

The free flow of personal data between the UK and the EU is currently guaranteed by an adequacy decision from the European Commission, but this will need to be renewed in 2025.

Find out everything you need to know in our last post: What Are The Key Principles Of Data Protection? (2023)

What is the Data Protection Act 2018?

The UK Data Protection Act 2018 (DPA) implements in UK law the legal obligations set out in the EU’s original GDPR.

The DPA also outlines rules that every data protection officer must follow in sectors where the EU’s GDPR doesn’t apply, such as national security.

The ICO is the Data Protection Authority in the UK, which works in a judicial capacity and has enforcement powers under the DPA.

All data protection officers must follow the DPA, which is split into separate sections covering topics such as:

  • General regulations for data processing
  • Law enforcement data processing
  • Intelligence services data processing
  • And more.

The difference between Data Protection and GDPR

You may be asking ‘what is the difference between the Data Protection Act and GDPR?’

To put it simply, the GDPR is a wider and more comprehensive set of regulations than the DPA, but both have the same purpose – to protect personal data.

The primary difference is that the GDPR applies to more companies in more places and protects more data than the DPA.

Companies must also demonstrate that they comply with GDPR, rather than simply assert it. This applies to companies around the globe, including those outside the EU.

For example, if a business in Canada is selling web software to an EU organisation, it must abide by GDPR laws or face penalties.

Additionally, if companies lose or compromise personal data, GDPR will most likely require them to report the breach. Under the GDPR, organisations must be more accountable and must notify both the regulator and the individuals affected by certain data breaches, whereas the DPA only recommended notification.

To process personal information under GDPR, consent must be obtained from individuals in a more specific way than under DPA.

For example, separate consent must be given for marketing by email, telephone and in-product messaging. Individuals must also be informed that they can withdraw such consent at any time.

Finally, the GDPR allows regulators to fine non-compliant companies up to 4% of global turnover, compared to a maximum fine of £500,000 under the DPA.

Anonymisation and pseudonymisation of data

The UK’s most recent changes to the legislation include the third part of the ICO’s extended consultation on the Government’s draft guidance covering pseudonymised data, anonymisation and privacy-enhancing technologies.

Pseudonymisation is defined as processing personal data in such a way that it can no longer be easily attributed to a specific data subject. Although this doesn’t restrict processing, it does mean that data subjects are better protected.

The guidance still treats this kind of data as personal data, because it can be used to identify the data subject once additional information is combined with it.

According to the draft guidance that is being considered by the ICO, there are several benefits of pseudonymising personal data, including:

  • Building confidence and trust in an organisation’s data processing
  • Supporting overall compliance without undue delay
  • Reducing risks for an individual’s data usage
  • Enhancing security
  • Supporting data minimisation by limiting the data held to what is strictly necessary.
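The following Python is an added illustration, not code from the article or from the ICO guidance, of pseudonymisation in the sense defined above: a direct identifier is replaced by a keyed hash (HMAC-SHA256, an assumed technique), the data can still be analysed per subject, and the record can only be attributed back to a person by whoever holds the separately stored key and lookup table. The sample records and field names are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample dataset (fictional people): the raw personal data.
RAW_RECORDS = [
    {"email": "alice@example.test", "plan": "pro", "logins": 12},
    {"email": "bob@example.test", "plan": "free", "logins": 3},
    {"email": "alice@example.test", "plan": "pro", "logins": 7},
]

def pseudonym_for(identifier: str, key: bytes) -> str:
    """Derive a pseudonym with a keyed hash (HMAC-SHA256, assumed here).
    Without the key the pseudonym cannot be mapped back to the identifier,
    and guessable identifiers cannot simply be re-hashed and compared."""
    return hmac.new(key, identifier.lower().encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymise(records, key: bytes, id_field: str = "email"):
    """Replace the direct identifier with a pseudonym.
    Returns (pseudonymised_records, lookup_table). The lookup table is the
    'additional information' that keeps this data personal data, so it must be
    stored separately from the pseudonymised set, with access controls."""
    out, lookup = [], {}
    for rec in records:
        pid = pseudonym_for(rec[id_field], key)
        lookup[pid] = rec[id_field]
        cleaned = {k: v for k, v in rec.items() if k != id_field}
        cleaned["subject_id"] = pid
        out.append(cleaned)
    return out, lookup

def reidentify(record, lookup):
    """Re-attribute a pseudonymised record to its subject using the separately
    held lookup table (e.g. to answer a subject access request)."""
    return lookup.get(record["subject_id"])

def logins_per_subject(pseudonymised):
    """Analysis that works on pseudonymised data alone: records of the same
    subject still link together, so per-subject totals can be computed
    without anyone handling an email address."""
    totals = {}
    for rec in pseudonymised:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["logins"]
    return totals

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice generated once and stored apart from the data
    pseud, table = pseudonymise(RAW_RECORDS, key)
    print(pseud)
    print(logins_per_subject(pseud))
```

Pseudonymising the same identifier under a different key yields an unrelated pseudonym, so two datasets keyed separately cannot be joined by subject without access to both keys.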

Get Involved with Trust Hogen's Data Protection Month

Thank you for reading our post on the difference between UK GDPR and EU GDPR.

We hope you have a better understanding of the differences and now know how to protect your organisation’s data.

At Trust Hogen, we’re getting ready to celebrate Data Protection Day on the 28th of January by dedicating an entire month to Data Protection and GDPR.

We’ve already posted a detailed GDPR glossary and a look into the key GDPR principles in business. Make sure to give the articles a read to get your organisation up to speed on the regulations.

Trust Hogen is a leading independent managed security service provider (MSSP), offering a combination of cutting-edge technology and expert security advice to ensure business owners have the best possible protection for their data assets.

We can help your company comply with GDPR regulations and provide essential security support. Contact us today to get started.

We look forward to helping you keep your organisation secure!