In April 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), a legal framework that sets the rules for collecting and processing the personal data of individuals in the EU. The regulation protects people located in the EU, not only EU citizens.
Applicable from 25 May 2018, two years after adoption, the GDPR’s main goal is to give individuals more control and stronger rights over their personal data by setting standards for accountability, security, and transparency in how that data is processed.
In June 2016, less than two months after the GDPR was approved, the United Kingdom held a referendum on leaving the EU, commonly known as the Brexit referendum. 51.9% of those who voted chose to leave. To prepare for Brexit, the UK parliament passed the European Union (Withdrawal) Act 2018, which converted directly applicable EU law, including the GDPR, into domestic “retained EU law”.
The GDPR was part of the UK’s domestic law until the end of the Brexit transition period on 31 December 2020, when it was replaced by the UK GDPR.
The UK GDPR – read alongside the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR) – governs the processing of personal data by organizations established in the UK, and by organizations outside the UK that offer goods or services to, or monitor the behavior of, individuals in the UK. While the UK GDPR essentially mirrors the EU GDPR, there are some important differences between them, and businesses operating in both markets must understand those differences to stay compliant with both regimes.
The Main Differences
1. Territorial scope
The EU GDPR has extraterritorial applicability: under its Article 3 it applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to individuals in the EU or monitors their behavior. This broad scope ensures that the protection of personal data is not limited to EU-based organizations.
The UK GDPR keeps the same structure in its own Article 3, with the UK as the reference territory. It applies to organizations established in the UK, and to organizations outside the UK that offer goods or services to, or monitor the behavior of, individuals in the UK. Its scope is therefore not narrower in kind, only different in territory: the test is the same, but it is run against the UK rather than the EU.
If a business operates exclusively within the UK, it must comply with the UK’s iteration of the GDPR. Conversely, if a business operates solely in the EU, the EU GDPR is applicable. Businesses that operate in the UK and the EU are obligated to comply with both versions of the GDPR.
2. Supervisory Authorities
This is one of the key differences between the two regulations. In the EU, each member state is required to establish one or more Supervisory Authorities to monitor the application of the GDPR within its jurisdiction. These authorities’ responsibilities include:
- Providing guidance and advice to organizations and individuals on their data protection obligations and rights.
- Receiving and investigating complaints from data subjects regarding potential violations of their rights under the GDPR.
- Conducting investigations into organizations’ data processing practices, including audits, on-site inspections, and requesting information.
- Imposing administrative fines and penalties on organizations that violate the GDPR provisions.
In addition to the national Supervisory Authorities, the EU GDPR establishes the European Data Protection Board (EDPB) at EU level. The EDPB ensures that the GDPR is applied consistently across the EU, issues guidelines, resolves disputes between Supervisory Authorities through binding decisions, and promotes cooperation among them.
In contrast, the UK has a single body responsible for overseeing and enforcing data protection: the Information Commissioner’s Office (ICO).
The ICO has functions and powers similar to those of the Supervisory Authorities under the EU GDPR. It is an executive non-departmental public body sponsored by the Department for Science, Innovation and Technology, but it exercises its regulatory functions independently of government.
3. Adaptations to the UK’s legal framework
When the UK enacted its version of the GDPR, it aimed to maintain the EU’s high standard of data protection while tailoring certain aspects to align with the UK’s legal framework.
As a result, the UK GDPR incorporates most provisions of the EU GDPR, but it includes specific modifications and derogations, many of them set out in the DPA 2018 rather than in the UK GDPR text itself.
These modifications and derogations can be seen in several areas, including:
- References to EU institutions: the UK GDPR replaces references to EU institutions, such as the European Commission and the European Data Protection Board, with UK equivalents (the Secretary of State and the Information Commissioner). This lets the UK GDPR operate within the UK legal system.
- Data protection standards: while the fundamental principles and data subject rights remain largely the same, the UK regime departs from the EU text in a few specific areas, such as the age at which a child can consent to online services, the exemptions for immigration control and national security, and the exemptions available to certain public authorities, all discussed below.
- Cooperation with EU Supervisory Authorities: the EU GDPR’s formal cooperation and consistency mechanism (Chapter VII) is not carried over into the UK GDPR. Instead, the Information Commissioner’s Office (ICO) cooperates with EU Supervisory Authorities through the general international cooperation provisions, including mutual assistance and information sharing, without the EU mechanism’s binding effect.
4. Transfers of personal data
Under the EU GDPR, personal data can flow freely between EU member states without additional transfer safeguards. Article 1(3) of the GDPR states that the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with data protection.
Organizations within the EU can therefore send personal data to other member states as long as they comply with the general data protection principles. Where a processor is involved, a data processing agreement meeting the requirements of Article 28 is still needed, but that obligation applies to every controller-processor relationship regardless of location and is not a transfer mechanism.
With the UK’s exit from the EU, the UK is now treated as a separate jurisdiction under the EU GDPR. This means that transferring personal data from the EU to the UK is considered a transfer to a “third country” outside the EU, similar to data transfers to countries like the United States or Canada.
In principle, additional safeguards are then required for transfers of personal data from the EU to the UK, to ensure that the data continues to be protected to a level essentially equivalent to that provided by the EU GDPR.
In practice, the European Commission adopted adequacy decisions for the UK under the GDPR and the Law Enforcement Directive on 28 June 2021, so EU-to-UK transfers can continue without further safeguards for as long as those decisions remain in force. Where adequacy does not apply, or as a fallback should it lapse, organizations in the EU must use the transfer tools permitted by Chapter V of the EU GDPR, such as standard contractual clauses or binding corporate rules. The mirror-image obligation exists under the UK GDPR for transfers out of the UK: the UK treats the EEA as adequate, and for other destinations the ICO’s International Data Transfer Agreement (IDTA), or its Addendum to the EU standard contractual clauses, replaces the EU clauses.
5. EU representatives
The EU GDPR (Article 27) requires organizations that are not established in the EU but are caught by its extraterritorial scope to appoint a representative in the EU, unless the processing is occasional, unlikely to result in a risk to individuals and does not involve large-scale processing of special category or criminal offence data, or the organization is a public authority. The representative must be established in one of the member states where the individuals whose data is processed are located.
This ensures that there is a point of contact for data protection authorities and individuals within the EU to facilitate communication and address data protection concerns.
The UK GDPR contains a parallel provision in its own Article 27: organizations outside the UK that are caught by the UK GDPR’s extraterritorial scope must designate a representative, subject to the same exemptions, and that representative must be established in the UK. A representative located outside the UK does not satisfy the requirement.
The practical difference between the two regimes is therefore not flexibility of location but duplication. The EU obligation can be satisfied by a representative in any relevant EU member state, while the UK obligation can only be satisfied by a representative in the UK, and the Information Commissioner’s Office (ICO), rather than an EU authority, is the body that will contact the UK representative.
The representative is a point of contact for the regulator and for data subjects; it does not take over the organization’s own liability, and the organization remains responsible for compliance.
An organization subject to both the EU GDPR and the UK GDPR, and established in neither, will therefore generally need two separate representatives, one in the EU and one in the UK.
6. The one-stop-shop (OSS) mechanism
The one-stop-shop (OSS) mechanism is a unique feature of the EU GDPR that affects organizations conducting cross-border data processing within the EU.
Under the OSS, if an organization operates in multiple EU member states and conducts cross-border data processing activities, it can work primarily with a Lead Supervisory Authority (LSA), which is based in the same Member State as the organization’s main establishment (usually its EU headquarters).
The OSS mechanism helps streamline the compliance process, as it allows organizations to deal with cross-border privacy-related issues from their home base and communicate with one Supervisory Authority, rather than engaging with multiple authorities in each jurisdiction where they operate.
However, it is important to note that the OSS mechanism does not exclude other supervisory authorities in the EU from being involved.
Other Supervisory Authorities, referred to as concerned Supervisory Authorities, still have a role in the process and can provide input and participate in decisions that affect individuals in their respective jurisdictions.
On the other hand, the UK GDPR has no OSS mechanism and no concept of lead or concerned authorities. The Information Commissioner’s Office (ICO) is directly responsible for all UK GDPR supervision and enforcement.
7. Amendments and updates
In the case of the EU GDPR, any changes or updates to the regulation would happen through the EU legislative process.
This process involves several steps, such as proposals by the European Commission, negotiations and discussions among the EU member states and the European Parliament, and eventual adoption through the appropriate EU legislative bodies.
This means that modifications to the EU GDPR require a collective decision-making process involving multiple stakeholders from different member states.
The EU legislative process ensures a consistent and harmonized approach to data protection across the union, as any changes or updates to the regulation are carefully considered and go through a rigorous evaluation and consultation process.
It also allows for input from various perspectives, including legal experts, data protection authorities, and other relevant stakeholders.
The UK GDPR, by contrast, can be amended by the UK alone, through an Act of Parliament or through regulations made under powers in the DPA 2018.
This gives the UK the flexibility to respond to specific circumstances and update the UK GDPR as needed, taking into account the evolving data protection landscape, emerging technologies, or considerations specific to the UK’s legal framework and national interests. Parliament has already used that freedom: the Data (Use and Access) Act 2025 amends both the UK GDPR and the DPA 2018.
However, while the UK can adjust the UK GDPR independently, it still aims to maintain a high standard of data protection that is largely aligned with the EU GDPR.
That alignment is not only good practice. The EU adequacy decisions for the UK depend on UK law continuing to provide a level of protection essentially equivalent to the EU GDPR, so any divergence has to be weighed against the risk of losing frictionless EU-to-UK data flows.
8. Data protection exemptions
The UK regime includes provisions that enable organizations involved in national security, immigration control, or intelligence work to deviate from certain data protection obligations. Most of these sit in the DPA 2018 rather than in the UK GDPR text: the national security and defence exemption is in section 26 of the DPA 2018, the immigration exemption is in Schedule 2 of the DPA 2018, and processing by the intelligence services is taken out of the UK GDPR altogether and governed by Part 4 of the DPA 2018.
For instance, in matters of national security, the DPA 2018 recognizes that the protection of national security interests may require limitations on certain personal data rights.
This allows bodies with national security responsibilities to collect, process, and use personal data without being bound by all of the requirements and rights set out in the UK GDPR, where an exemption is required to safeguard national security.
These exemptions are subject to safeguards and oversight intended to ensure that any restriction on personal data rights is proportionate, necessary, and in accordance with the law. The DPA 2018 sets out the conditions that must be met, and the immigration exemption in particular has been narrowed by amending regulations after successful legal challenges, so the current text should always be checked before relying on it.
In contrast, the EU GDPR takes a more uniform approach to these exemptions.
National security is outside the scope of EU law altogether (Article 2(2)(a) GDPR), and Article 23 allows member states to restrict data subject rights by legislative measures for listed purposes such as national security, defence, and the prevention or detection of crime, provided the restriction respects the essence of the fundamental rights and is necessary and proportionate. The EU GDPR contains no immigration-specific exemption; any such restriction would have to be justified under Article 23 in each member state.
9. Penalties and fines
The EU GDPR explicitly distinguishes two tiers of infringement. The less severe infringements (Article 83(4)) can result in a fine of up to €10 million, or 2% of the undertaking’s total worldwide annual turnover for the preceding financial year, whichever is higher.
The more serious infringements (Article 83(5)) can result in a fine of up to €20 million, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
The UK GDPR applies the same two-tier structure with the caps restated in sterling. Less severe infringements can result in a fine of up to £8,700,000, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Serious infringements can cost organizations up to £17,500,000, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. An organization fined under both regimes for the same conduct therefore faces two separate penalties calculated against the same turnover.
10. Cooperation and collaboration
The EU GDPR establishes the European Data Protection Board (EDPB) as a key component for promoting cooperation and consistency among Supervisory Authorities across EU member states.
The EDPB consists of the head of each member state’s Supervisory Authority and the European Data Protection Supervisor (EDPS); the European Commission takes part in its activities but has no voting rights.
It serves as a forum for collaboration, coordination, and decision-making on matters related to the application and interpretation of the EU GDPR.
The EDPB plays a crucial role in facilitating the harmonization of data protection practices across the EU. It provides mechanisms to ensure uniform application of the GDPR and to address different interpretations or practices among member states.
The EDPB’s guidelines and opinions are not binding in themselves, but its dispute-resolution decisions under Article 65 bind the Supervisory Authorities concerned, and in that way contribute to the consistent implementation of the EU GDPR across the EU.
Although the ICO cooperates with EU Supervisory Authorities, the UK has no seat on the EDPB. As a result of the UK’s exit from the EU, the UK GDPR operates within the UK’s own, independent regulatory framework for data protection.
However, the UK GDPR still recognizes the importance of cooperation with EU Supervisory Authorities.
The UK GDPR retains general provisions on international cooperation, under which the Information Commissioner’s Office (ICO) can exchange information, provide mutual assistance, and coordinate with EU Supervisory Authorities on data protection matters that affect both the UK and the EU. This cooperation is voluntary and case by case, unlike the binding consistency mechanism that applies between EU authorities.
How are businesses operating in the EU and the UK affected?
The differences between the EU GDPR and the UK GDPR pose significant challenges for businesses operating in both the EU and the UK, as well as for businesses from countries outside the EU. These challenges stem from the varying regulatory frameworks, legal requirements, and compliance obligations imposed by each regulation.
For businesses operating in the EU and the UK, maintaining consistency and alignment between data protection practices in both markets can be demanding. They may need to establish separate data protection policies, procedures, and mechanisms tailored to each jurisdiction. This can increase operational complexity, administrative burden, and costs.
Businesses from countries outside the EU face additional complexities. If they process the personal data of individuals in the EU, they need to comply with the EU GDPR’s requirements for cross-border data transfers and the appointment of an EU representative.
Simultaneously, if they process the personal data of individuals in the UK, they must adhere to the UK GDPR and designate a representative established in the UK, which cannot be the same entity as their EU representative unless it happens to be established in both places.
The difficulties faced by businesses operating across the EU and the UK, as well as those from non-EU countries, therefore come down to managing two parallel compliance frameworks.
These businesses need to interpret and apply two sets of legal provisions, navigate divergent guidance and interpretations from the ICO and the EU Supervisory Authorities, and adapt to different mechanisms for data transfers (EU standard contractual clauses versus the UK IDTA or Addendum) and for appointing representatives.
Get peace of mind for all things compliance
At Papaya Global, the world’s leading payroll and payments platform, we pride ourselves on having the highest standards for the most sensitive data.
Papaya’s core offering includes access to in-house experts on every aspect of compliance, and our unique Center of Excellence model delivers the targeted advice companies operating in different countries require. Schedule a demo.
What is the main purpose of the UK GDPR and the EU GDPR?
The main purpose of the UK GDPR and the EU GDPR is to increase individuals’ control and rights over their personal information by setting standards for accountability, security, and transparency in processing private data. These regulations establish a robust framework for data protection, privacy, and security within their respective jurisdictions, and ensure that organizations handling private data adhere to specific principles, obligations, and safeguards.
How do the geographical and jurisdictional scopes of the UK GDPR and EU GDPR differ?
The EU GDPR applies to the processing of personal data by organizations established in the EU, regardless of where the processing takes place, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior. The UK GDPR has the same structure with the UK as the reference territory: it applies to organizations established in the UK, regardless of whether the data subjects are located in the UK, and to organizations outside the UK that offer goods or services to, or monitor the behavior of, individuals in the UK. Both regulations also restrict international transfers of the personal data they cover, so data leaving the EU or the UK must go to an adequate destination or be protected by an approved transfer tool.
What are the unique provisions in the UK GDPR for national security and law enforcement data processing?
The DPA 2018 allows bodies involved in national security activities to be exempted from certain UK GDPR obligations where that is required to safeguard national security, and it removes intelligence services processing from the UK GDPR entirely, governing it under Part 4 of the DPA 2018 instead. Law enforcement processing by competent authorities is likewise governed not by the UK GDPR but by Part 3 of the DPA 2018, which sets out its own principles for lawful and fair processing, data subject rights, retention, and safeguards for international transfers. These arrangements aim to balance the protection of personal data rights against the effectiveness of national security and law enforcement activities.
How do the enforcement agencies for the UK GDPR and EU GDPR differ?
The EU GDPR is enforced by each EU member state’s Supervisory Authority, which is responsible for monitoring the regulation within its jurisdiction. In addition to each member state’s Supervisory Authorities, the EU GDPR is governed by the European Data Protection Board (EDPB), which plays a coordinating role, providing guidance, opinions, and consistency mechanisms to ensure uniform application of the EU GDPR across the EU member states. The UK GDPR is enforced primarily by the Information Commissioner’s Office (ICO), which is the independent authority responsible for upholding information rights and data protection in the UK. The ICO has the power to investigate, impose fines, and take enforcement actions against organizations that breach the UK GDPR.
What is the age of consent for data processing under the UK GDPR and EU GDPR?
Both regulations set a minimum age at which a child can consent for themselves to the processing of their data by online services offered directly to children (Article 8 of each regulation); below that age, consent must come from a holder of parental responsibility. Under the EU GDPR the default age is 16, and member states may lower it by law to no less than 13. The UK GDPR sets the age at 13. A service offered in both markets therefore has to apply the local threshold for each child rather than a single global one.
What is the immigration exemption in the UK GDPR?
The immigration exemption is a provision in Schedule 2 of the DPA 2018 that allows certain UK GDPR rights and obligations to be restricted where applying them would prejudice effective immigration control. Under this exemption, bodies involved in immigration control, such as immigration authorities or border agencies, may process personal data for immigration control purposes without meeting all of those obligations. The exemption has been challenged in the courts and narrowed by amending regulations more than once, so organizations relying on it should check the version currently in force.
How has Brexit affected data transfers between the UK and the EU?
Before Brexit, data transfers between EU member states and the UK were unrestricted, as the UK was part of the EU and applied the EU GDPR directly. After the end of the transition period on 31 December 2020, the UK became a third country for EU data protection purposes, so transfers from the EU to the UK became subject to the safeguards in Chapter V of the EU GDPR. The European Commission adopted adequacy decisions for the UK on 28 June 2021, allowing personal data to continue to flow from the EU to the UK without additional safeguards while those decisions remain in force. Organizations may still rely on alternative transfer mechanisms, such as standard contractual clauses or binding corporate rules, and in the other direction the UK treats the EEA as adequate and uses its own IDTA or Addendum for transfers to other countries.