UK Data Protection Toolkit Implementation Guide
3 UK data protection law post-Brexit In this section, we will describe where UK data protection law is now, and how it got there. This includes an overview description of the main piece of post-Brexit legislation, known as the UK GDPR, and the relevant points from the supporting law, the Data Protection Act 2018.
3.1 The situation before Brexit Before describing the post-Brexit situation with data protection law in the UK, it is worth outlining some of the history so the current legislation can be put into context. Prior to Brexit, the UK was a member state of the European Union and so was subject to its laws. In 1995 the EU created the Data Protection Directive which, rather than becoming law directly in all member states, instead provided what was effectively a specification for each member state to introduce their own law concerning data protection. Accordingly, the UK brought in the Data Protection Act in 1998 as its implementation of the Directive, and other EU countries enacted their equivalents. Many years passed and technology moved on relentlessly, blurring the lines of data protection as it went. To catch up (and to simplify the situation where each member state had slightly differing laws), the EU created the General Data Protection Regulation (GDPR) in 2016 and this became law within the EU on 25 May 2018. The GDPR, being a Regulation rather than a Directive, directly applied to all of the EU without needing a separate local law to be passed in each member state. However, the GDPR did allow for some variations within each country, such as the age of a child for data protection purposes (default 16, but this could be as low as 13). Partly to specify what these were in the UK, the government introduced an update to the Data Protection Act in 2018. So, prior to Brexit, data protection law in the UK was defined mainly by a combination of the GDPR and the Data Protection Act 2018 (there are also laws called the PECR and NIS, but we will not be discussing these here). The combination of the GDPR and the changes to it introduced by the Data Protection Act 2018 are sometimes referred to as the “applied GDPR”.
3.2 The situation after Brexit Once Brexit was decided upon, the UK started the preparations for the UK to leave the EU. From a data protection point of view, the main piece of legislation they passed was called “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019”. These regulations set out the changes that would be made to current UK laws to adapt them to the fact that the UK was leaving the EU. In basic terms, what they did was to create the “UK GDPR” (as distinct from the “EU GDPR”) and make changes to the DPA 2018. The intention is that UK data protection law remains the same as EU data
www.certikit.com
Page 6 of 31