UK GDPR Compliance

The Data Protection Act 2018 (DPA 2018) is an Act of Parliament that updated data protection laws in the UK. It came into effect on May 25, 2018, and effectively incorporates the EU’s General Data Protection Regulation (GDPR) into UK law. If your company is based in the UK, if you offer goods/services to UK residents, or if you monitor the online behavior of residents (e.g., via cookies), you need to understand your UK GDPR compliance requirements.

Despite the UK leaving the EU in January 2020, known as “Brexit,” the country continued to uphold the standards and safeguards set by the GDPR in protecting personal data and preserving data privacy. This article takes a look at UK GDPR compliance, highlights any differences with the EU version, and touches on some of the most high-profile and costly fines for non-compliance.

UK GDPR 101: A Brief Overview

Like the EU version, UK GDPR applies to both data controllers and processors. A controller decides on the reasons and methods for processing personal information while a processor handles, or processes, data on behalf of a controller. Companies, whether acting as data controllers or processors, must demonstrate accountability and compliance with GDPR’s principles.

For example, retail companies, such as a clothing brand with an online store, often act as data controllers. The store decides what data is needed (the means), such as name, address, and payment card information, and why it’s needed (the purpose). A third-party payment processing company like PayPal is often the data processor. If that same clothing store uses PayPal to handle transactions, PayPal processes the customer’s payment information on behalf of the store without deciding on what data to collect or why.

The UK GDPR mandates that personal data must be processed lawfully, fairly, and transparently. This means companies should collect and use data only for specific, legitimate purposes (e.g., legitimate interests of your company or a third party) and should inform individuals about how their data is being used. Additionally, the data collected should be the minimum necessary amount of information for the stated purpose, accurate, and stored only for as long as necessary. Critically, companies must also protect this data with appropriate security measures.

As with the EU version of GDPR, UK law refers to individuals as data subjects and gives significant rights to those data subjects. People about whom personal information is processed have the right to:

• Be informed about how their data is used
• Have access to their data
• Rectify incorrect or incomplete data
• Erase their data or restrict its processing, in some cases

Data subjects also have rights to data portability – the ability to object to data processing – and protections against automated decision-making, including profiling.

A Data Protection Officer (DPO) is a role defined in UK GDPR that involves overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements around processing activities. The DPO can be a staff member or an external service provider, and they must have professional expertise in data protection law and practices around the processing of personal data.

Not every business must appoint a DPO. According to UK GDPR, you must appoint a DPO if:

• Your organization is a public authority (except for courts acting in their judicial capacity)
• The core activities of your organization require large-scale, regular, and systematic monitoring of individuals
• The core activities of your organization consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses

UK GDPR vs EU GDPR: Differences

While the UK GDPR closely mirrors the EU equivalent, it’s important to note there are some tailored provisions included by the Information Commissioner’s Office (ICO) in the UK version.

• Geographical scope: The UK GDPR applies to controllers and processors in the UK, as well as those outside the UK if they offer goods or services to individuals in the UK or monitor the behavior of individuals within the UK. The EU GDPR has a different geographical scope across the EU and EEA.
• National Security exemption: The UK GDPR includes exemptions for matters of national security, defense, and public security. While the EU law also contains exemptions for similar matters, the exemptions apply only to data erasure requests. The UK law exempts companies processing data for these matters from most of the data protection principles and obligations.
• References to EU institutions: The UK GDPR replaces references to EU institutions and procedures with equivalent UK concepts. For example, references to the European Data Protection Board and the EU’s ‘one-stop shop’ mechanism aren’t in the UK legal text.
• Age of consent: Both the UK and EU GDPR allow individual nations to specify the age of digital consent at which minors can consent to the processing of their personal data. While the EU GDPR sets a default age of 16 for EU citizens and residents, individual EU member countries can opt to reduce this to as young as 13. The UK has chosen the default lower age limit of 13.
• Representatives: Unlike the EU GDPR, the UK GDPR doesn’t require UK controllers or processors without a branch, office, or other establishments in the UK, but who offer goods or services to individuals in the UK or monitor their behavior, to designate a representative in the UK.
• Regulatory cooperation and consistency: The provisions in EU GDPR for cooperation and consistency between EU member state supervisory authorities do not apply in the UK GDPR. Instead, the ICO has sole authority for regulatory cooperation and consistency within the UK.
• Adequacy decisions: Prior to the end of the Brexit transition period, the European Commission made adequate decisions. However, post-Brexit, the UK has the data protection authorities have the power to make their own adequacy decisions under its independent data protection regime. These adequacy decisions allow data flows from the UK to a third country, territory, sector, or organization without any further safeguards being necessary

United Kingdom GDPR: Biggest Fines

The fines for non-compliance with UK GDPR fall into two tiers:

1. A maximum fine of £17.5 million or 4 percent of annual global turnover (the higher of the two) for infringements of the law’s data protection principles or ignoring the rights of individuals.
2. A maximum fine of £8.7 million or 2 percent of annual global turnover (the higher of the two) for infringement of other obligations, such as administrative and record-keeping requirements.

Exemplifying how seriously the UK government regards data protection obligations under UK GDPR, here are some of the largest fines to date for non-compliance issued by the ICO.

• Social media platform TikTok got slapped with a £12.7 million fine for flagrant flouting of data processing rules relating to illegally processing the data of children under 13, and not processing data in a fair or transparent manner.
• Clearview AI, an AI-based facial recognition company, was fined £7.5 million in 2022 for several GDPR breaches, including failing to have a lawful reason for collecting people’s information.
• British Airways was fined £20 million for failing to secure personal data belonging to over 400,000 customers.

Avoid Fines and Get Compliant with Leading DLP

Data loss prevention (DLP) platforms like Endpoint Protector classify sensitive information in your IT environment (such as personal data covered under GDPR) and enforce policies that control data access and transfer, including the ability to block unauthorized transfers.

In the event of potential non-compliance, DLP solutions provide alerts and reports to help you take prompt remedial action and maintain regulatory compliance. Reduce your risk of costly fines and reputational damage with multi-OS DLP protection across Linux, Windows, and Mac operating systems.

Get your demo today.