(updated 1 January 2021)
As we’re all aware, the General Data Protection Regulation (GDPR) came into effect on 25th May 2018. This was replaced by the UK GDPR on 1 January 2021, following the end of the Brexit transition period when the UK ceased to be a member of the EU.
The UK GDPR, together with the (updated) Data Protection Act (DPA) 2018, forms the legal framework for the UK’s data protection regime.
The UK GDPR cites seven principles which form the basis of its privacy legislation.
Prior to Brexit, the GDPR (now referred to as the EU GDPR) was updated after nearly 20 years to catch up with advances in technology and also reflect the fact that the vast majority of us are regularly sharing a great deal of personal information online. We (Data Subjects) now have enhanced rights in terms of both accessing this information and understanding what is being done with it… whilst organisations have a greater obligation to ensure our information is protected.
When it comes down to compliance, the UK GDPR now takes precedence when processing the personal information of UK Data Subjects, whilst the EU GDPR contains the principles that must continue to be adhered to by all organisations that process the personal data of citizens of the European Union.
The UK legislation also covers data processing activities performed by law enforcement or intelligence services, and the role of our regulator – the Information Commissioner’s Office (ICO).
How does this impact me as a business owner?
Well, there are several factors to be considered, such as your core activities and the number of individuals you employ; but ultimately, if you have a website there likely already exists a legal requirement for compliance.
…noticed the “Cookies banner” that pops up on most websites nowadays?
Cookies are essentially small data files stored on your device by websites for various purposes and lengths of time.
As a business owner, you are likely using cookies for analytical reasons: to gain an understanding of traffic to your website and how users navigate around the web pages.
They have several additional uses, as can be seen in the graphic.
The remit of the UK GDPR and DPA 2018 is:
“… personally identifying or identified information of a natural person”
This means any piece of data that discloses the identity of a living person, or data subject (these laws do not cover the personal information of a deceased individual).
IP addresses and the information collected by cookies are considered personally identifiable information, as these are unique to you and your device.
“…but haven’t we left the EU?” I hear you ask.
Correct! Read my post ‘Does Brexit Impact Your Personal Data Flows?’ which covers the data protection implications after the transition period end date of 31 December 2020.