The General Data Protection Regulation (GDPR) came into force on 25 May 2018. This wide-ranging piece of legislation governs data protection requirements for any entity managing personal data across the entirety of the European Union. It stipulates a variety of requirements around how and why data can be processed.
But while the regulation has seen a swath of copycat and even carbon copy regulations being introduced across the world – including the California Consumer Privacy Act (CCPA) – less reported is the fact that implementations of GDPR within the EU can vary from country to country.
Countries across the EU have already passed or will soon pass their own data protection bills which bring the GDPR into their legal systems. Passed on 23 May 2018, the UK Data Protection Act 2018 (DPA) is the UK implementation of the EU’s GDPR legislation, codifying its requirements into UK law.
While the language and requirements are largely the same across all member states, the GDPR allows members wiggle room – known as derogations – to change aspects of the legislation under the terms of Article 23. These changes are generally kept within certain scenarios such as national security, crime and legal proceedings, and other types of special data categories. They should still be in the spirit of GDPR and define the purposes and scope of the processing and safeguards around data. GDPR acts as the base requirement, with the DPA (or any other EU state’s local implementation) adding extra requirements or exemptions to the regulations.
“I see a lot of people sort of brushing past that [topic]”, says Linda Thielov, Privacy Counsel at OneTrust, “thinking that ‘oh, we have the GDPR, so what could be different in the UK? It applies the same way everywhere.’ But the devil is in the details.”
In the UK’s case, there are a number of additional scenarios where data needs to be processed under GDPR-like protection, and a number of exemptions around notifications and data access rights. The DPA also transposes the EU’s Law Enforcement Directive into the UK at the same time as the GDPR.
“People might not realise how closely knit the UK legislation is with relation to the EU GDPR and that it’s actually built on a lot of similar principles, while still being this sort of standalone and I would say quite independent piece of legislation at the same time,” says Thielov.
Although the large, 20 percent of revenue fines – often the scariest and most noteworthy part of the legislation for many – still remain, there are a number of ways the DPA is different to GDPR. While some might require additional processes or consideration when creating policy or workflows, not all differences are necessarily bad or mean more work for UK companies.
“What makes the British Data Protection Act special is that it extends the GDPR and its requirements beyond the scope of where we would normally see GDPR stretching,” says Thielov.
“The UK has actually decided to extend GDPR and apply it also to some situations like immigration where normally GDPR would not be applicable in the member states.”
The number of additional lawful bases for processing sensitive personal data – reasons it can be okay to process personal data of subjects, albeit with adequate controls to ensure that data is protected – is higher under the DPA, and can be applied to the following use cases:
“The UK has seized the opportunity to bake into the Data Protection Act some additional requirements or maybe some additional safeguards, which normally would not automatically go hand in hand with the GDPR without some special provisions and seizing the opportunity to go beyond just the bare minimum that the GDPR is prescribing,” says Thielov.
The DPA, however, requires that organisations keep ‘appropriate policy documents’ in place when processing these special categories of data that explain how the controller is complying with the data protection principles, as well as policies for the retention and erasure of the data in question.
The DPA exempts application of the GDPR for processing necessary to safeguard national security or defence purposes, or in relation to manual unstructured data held by certain government bodies designated by freedom of information legislation. This means organisations processing data for the prevention and detection of crime, for example, would be exempt from the GDPR’s provisions around the right to be informed or the purpose limitation principle if applying them would prejudice the purposes of the processing. An example the ICO gives is a bank passing data to the National Crime Agency while investigating financial fraud without informing the subject of this sharing of data, as doing so may prejudice the investigation.
There are also exceptions to data subject rights in certain scenarios, meaning a company can refuse data subject access requests (DSARs). These include:
[The above also have exemptions around notifying subjects of how and where data was collected]
Other differences include the minimum age of consent for processing a subject’s data being lower: 13 in the UK versus 16 in the GDPR.
The DPA also stipulates that the ICO shall produce codes of practices to provide guidelines on how companies can stay compliant when processing data in specific scenarios and/or industries.
Rather than seeing this as a separate set of requirements, companies should look at the DPA – and any other local implementations of GDPR with their own derogations – as simply another process to build into their local GDPR compliance efforts.
“It’s not like you can ignore one in favour of the other,” says Thielov. “It’s more like understanding that the GDPR isn’t the whole story and there might be some extra layers that you need to add to your workflows.”
She adds that given its length (the DPA is around 350 pages) and the fact that a lot of the detail is hidden within specific sections and schedules, organisations need to study it closely while keeping in mind the specific processes and data they deal with in their day-to-day operations.
“It’s not enough that you’re doing processing right under the GDPR. You also have to make sure that the special categories of personal data are processed also in line with these additional requirements of the British Data Protection Act.
“It would be good practice for organisations, when they are actually processing these special categories of personal data under the GDPR, to double-check whether the processing purposes and legal bases they rely on actually still comply with what the UK Data Protection Act sets out as the specific conditions for processing special categories of personal data.”
While this may seem challenging for organisations, the fact that the majority of the requirements are the same as the GDPR – which companies should in theory already be adhering to – means the bulk of the hard work is done.
“It is a challenge for companies, but the baseline is already set out [within the GDPR] and it’s uniform for them across the EU,” says Thielov. “It’s really just about figuring out which of those additional member state details would be applicable to what you’re doing in your organisation; not everybody is processing sensitive data or maybe not everybody has something to do with immigration.
“It’s really this one-time laborious task where you have to figure out these details and then you just need to track them and make sure that you’re up to speed with any updates.”
Ensuring that appropriate policy documentation is regularly being adhered to, reviewed and updated, for example, should “make it into daily practice for privacy people”, says Thielov.
Another process that will need to be looked at closely is around DSARs.
Many businesses are still struggling to comply with DSARs – a Macro4 study suggested nearly a third of companies are failing to adequately respond within the required timeframe – and the fact that the DPA includes exemptions that can allow them to refuse a request means companies shouldn’t be blindly processing all requests equally.
“When you are internally processing DSARs from the subjects, it would really be the best measure to set out extra steps within your workflow when you look at each individual case and decide whether it might not actually fall under one of those exceptions,” says Thielov.
“I would warn against complying with DSARs automatically without giving it a second thought and checking those exemptions that are in the UK Protection Act.”
Although the number of companies in the UK complying with GDPR ticks up with every survey taken, there will inevitably be a minority group that thinks the rules will change post-Brexit and so there’s no point making efforts to be compliant. However, GDPR will absolutely apply post-Brexit, whatever kind of deal the UK ends up with. Rather than reduce red tape, it may well increase the burden of compliance for companies in the UK, especially if they do business with the EU.
“A lot of confusion is related to the UK exiting the EU and people are still quite frequently not clear on what the implications will be with relation to the GDPR,” says Thielov. “GDPR isn’t really going away, regardless of how we actually exit the EU, even if there is the case of hard Brexit.”
All EU regulations will apply to the UK during whatever ‘transition period’ is set out. Previous government advice said that GDPR would likely be brought directly into UK law to sit alongside the DPA, but that was withdrawn after the planned exit date was moved to October and no further advice has been issued. However, whatever kind of Brexit does happen, the Data Protection Act will continue to exist, meaning UK companies will still be required to comply with a near-identical set of rules and requirements. Furthermore, as with any other country outside the EU, UK companies processing data of EU citizens will be required to comply with the legislation.
“We will end up with two GDPRs functioning, living one beside another,” says Thielov. “And very often, you might actually end up in an obligation to follow not just one of them, but actually both of them. And they’re sort of mirroring each other in terms of the extraterritorial requirements for companies.
“When you are actually transferring data outside the UK into the EU, you have to make sure that there are actually some safeguards in place and you might have to set up a representative within the EU to make sure that you are sort of easy to reach and you have somebody accountable on the EU side in case of any issues with your compliance.”
The post-Brexit landscape may also complicate data flows between the UK and mainland Europe. For easy flow of data back and forth between the two, the UK will need an ‘adequacy decision’ from the EU to say that the country’s data protection laws are up to the EU standards.
Currently, 11 countries have adequacy decisions from the EU, while Canada and the US have partial adequacy (US-EU data transfer is largely covered by Privacy Shield). And even though the UK will have a carbon-copy of the GDPR in its laws, the UK will not have an adequacy agreement with the EU as soon as the country leaves the bloc. While the UK government has said it won’t impede the flow of data from the EU into the UK, the EU has released a statement confirming it will treat the UK as a ‘third country’ after the withdrawal date until any adequacy decision has been made.
This will require additional safeguards such as standard data protection clauses, binding corporate rules, approved codes of conduct and/or approved certification mechanisms for UK companies sending data into the EU. And any adequacy agreements could take time. Japan was in negotiations with the EU for almost 18 months, while South Korea is still currently in discussions to achieve adequacy despite having started negotiations at the same time as Japan.
“I know a lot of companies I’ve met very much rely on the idea that if there is a Brexit we will have this adequacy decision in place immediately after the UK Brexit,” says Thielov. “But that’s very likely not going to be the case.