GDPR, the General Data Protection Regulation, was passed in 2018 as new legislation to protect personal data and regulate its use across the EU and European Economic Area (EEA).
The regulation originally applied to the UK as well, but on 1 January 2021 the UK officially left the EU after completing the agreed transition period.
Since then, the EU's GDPR has been duplicated into UK law, establishing a new version: UK GDPR.
For businesses that wish to work in the UK and EU, there are now two different GDPR frameworks to adhere to. Below, we outline these in further detail.
There are also various GDPR resources available online for businesses to expand their knowledge.
What is UK GDPR?
When the transition period ended, EU law was automatically transferred into UK law. As such, the UK's version of GDPR is essentially a carbon copy of the EU's GDPR — but there are some subtle differences to consider.
The regulation works alongside the UK's existing, reworked Data Protection Act (2018). In basic terms, UK GDPR widens the scope of the UK's privacy laws.
Together, these two pieces of legislation are the main laws protecting personal data in the UK. They work in tandem to ensure organisations protect the personal information of individuals.
What is EU GDPR?
EU GDPR was introduced on the 25th of May 2018 and applies to EU member states and those countries operating in the European Economic Area (EEA).
The regulation is intended to control the use of personal data within the EU/EEA and the transfer of data outside of the zone.
Specifically, the aim is to ensure organisations process and protect personal data as required by the law, and to create a common standard of protection.
The differences between UK and EU GDPR
UK and EU GDPR are extremely similar, nearly the same, but there are some notable differences for businesses to consider. To ensure full compliance with the law, GDPR training courses are well worth considering.
Below are the key differences between UK and EU GDPR:
- Consent for data use — In the EU and EEA, an individual must be 16 years or older to give consent for the use of their personal data (with some exceptions). In the UK, the minimum age is 13.
- Area of jurisdiction — Another difference involves how and where companies operate. If a business operates solely in the UK, it needs to comply with both the UK's version of GDPR and the Data Protection Act. If it operates solely in the EU, EU GDPR applies. If a business operates in both the UK and the EU, it needs to comply with both jurisdictions.
- Enforcing body — The enforcing bodies that monitor the use of personal data differ between the UK and EU. The Information Commissioner’s Office (ICO) is the sole body responsible for overseeing the regulation in the UK. EU GDPR is governed by the European Data Protection Board (EDPB), member state privacy authorities, and ultimately, the European Commission.
Image: By Pop Nukoonrat from Dreamstime.