The Difference Between UK and EU GDPR

Since May 2018, companies using or transferring data within the European Union (EU) have had to comply with the General Data Protection Regulation (GDPR). However, since the UK voted to leave the EU in the Brexit Referendum, data protection regulation has changed. Now, international companies who have customers or branches in the UK and/or any European Union country will need to be aware of both UK GDPR and EU GDPR, and ensure they meet compliance with both.

While GDPR did cause compliance headaches for many businesses, those who deal with data of both UK and EU citizens should make sure that post-Brexit, they remain compliant with not only EU regulation, but both the UK’s GDPR and the UK Data Protection Act (2018).

Who is affected by data protection laws like GDPR?

Businesses across both sides of the pond need to comply with data protection laws like GDPR. Whether you have an EU-registered firm, or are US-based but work with companies across the UK and Europe, you need to be aware, and comply with GDPR.

Why does the UK have its own GDPR?

The reason the UK has its own GDPR is due to the UK leaving the European Union in 2020. This was after a UK public referendum in 2016, which became law in 2018 under the EU (Withdrawal) Act.

On the 1^st January 2021, UK GDPR became law, and EU GDPR was no longer applicable, but only in the UK. For the rest of EU countries, they continue to abide by the EU’s version of GDPR.

The UK also has the Data Protection Act, which covers similar areas to the GDPR, but there are some nuances , like supervisory authorities and the One Stop Shop (OSS) mechanism.  

What are the differences between UK and EU GDPR?

While UK and EU GDPR are largely alike, there are some differences that businesses should be aware of before commencing activities in any EU or UK country.

1. Applicability

The EU GDPR has what’s known as extraterritorial applicability. This means that the EU’s GDPR laws apply to any organization inside or outside the EU that processes data relating to people living within the EU. This ensures that the data of EU citizens is protected, regardless of where the company processing their data is based.

On the other hand, UK GDPR has a slightly different approach to applicability. UK GDPR applies to organizations based within the UK, or companies outside the UK that process the data of people living in the UK.

2. Supervisory authorities

Supervisory authorities are the people who manage and oversee the implementation of GDPR within their country. This means that they will be the authority businesses can seek advice from, as well as the ones who impose fines and investigate potential wrongdoing. They play a vital role in GDPR, and help both individuals and organizations remain fully compliant.

However, the difference between how the EU and the UK utilize supervisory authorities is perhaps one of the biggest distinctions between the two.

In the EU, each member state (the term used to refer to a country that is a member of the EU), has to have one or more supervisory authorities to oversee GDPR in their area. Supervisory authorities in the EU must:

1. Guide and advise both companies and individuals on data protection obligations, and the rights of individuals when it comes to data protection.
2. Address complaints from individuals and companies about potential violations of GDPR. The supervisory authority must then investigate each complaint, and decide how to handle it, and whether the complaint is justified.
3. Investigate and audit organizations’ data processing and storage, ensuring they comply with GDPR. This could include remote or on-site inspections and requesting information in response to a complaint.
4. Be the body that hands out fines and penalties to organizations, including government bodies, that violate any GDPR regulations.

As well as there being supervisory authorities in each EU country, the EU themselves have a board that each supervisory authority reports to. This is called the European Data Protection Board (EDPB), and the EDPB ensures that GDPR is used consistently across all EU member states, as well as working with all supervisory authorities to boost collaboration.

While EU countries require one or more supervisory authorities, the UK has just one established supervisory authority, which is the Information Commissioners Office (ICO). The ICO doesn’t report to a central authority, but it is an arm of the government that’s sponsored by the Department for Science, Innovation and Technology.

3. Transfers of personal data

Personal data is data that can be attached to an individual, and processing it has become far stricter and more regulated since the introduction of GDPR. While more laws on what you can and cannot process exist, there are also many laws that relate to how you have to handle and transfer data between countries and companies.

EU GDPR means that data can flow freely in the EU in a secure manner, without preliminary checks and third-country verification before data is allowed to be transferred.  

4. OSS mechanism

The One Stop Shop (OSS) mechanism is unique to the EU’s GDPR. It allows businesses that work in multiple EU countries to work with a Lead Supervisory Authority which is often the supervisory authority based in the country of the company’s EU headquarters.

The role of the Lead Supervisory Authority in the OSS process is one of a liaison type role. A business is therefore able to work primarily with one supervisory authority, rather than having to liaise with multiple supervisory authorities.  This helps with GDPR compliance, as any cross-border compliance queries are dealt with primarily by one supervisory authority, rather than multiple authorities at every query. This doesn’t mean that no other supervisory authority will be involved per se, but it does mean that the amount of admin for each cross-border compliance issue is reduced.

However, UK GDPR does not have a comparable mechanism. Instead, the ICO is the sole supervisory authority, and any cross-border data compliance queries must go to all respective supervisory authorities in many cases.

5. Penalties and fines

As expected, there are penalties and fines for companies that violate any amendment in the GDPR. The supervisory authority is responsible for dealing with any violations such as complaints from the public and other businesses, as well as deciding the penalty or fine amount.

Some violations may result in a warning, which gives the company or public body a grace period during which they must show improvement or create an action plan that addresses this issue. The supervisory authority may act as a consultant in this matter and is there to advise in the process.

The main difference between EU and UK GDPR is the amount of applicable fines. As EU GDPR uses the Euro as currency, the fine amounts are different. In EU GDPR, smaller infringements will cost you up to €10million, or 2% of the firms’ financial revenue from the preceding financial year, whichever is higher. For severe infringements, the fine could be up to €20 million, or 4% of the previous financial year’s revenue, whichever is higher.

In the UK, the structure is similar, but the amount of fines differ from the EU. Smaller violations could mean a fine of up to £8,700,000, or 2% of the firm’s annual revenue from the preceding financial year, whichever amount is higher. Serious violations could cost organizations up to £17,500,000, or 4% of their annual revenue from the preceding financial year, whichever amount is higher.

Why do businesses need to be cautious when it comes to GDPR?

As GDPR is such a consumer facing law, people and businesses are acutely aware of their legal protections. If you’re looking to expand into an EU country, or the UK, and are currently headquartered elsewhere, understanding how GDPR will affect you as an employer, or as a provider of services, is imperative to ensure you don’t violate GDPR rules.

You’ll need to be aware of it when hiring new employees and even once an employee has left your business or organization.

How IRIS FMP Global can help with GDPR compliance

At IRIS FMP, our international employee services mean that we will provide GDPR-compliant processes, from on-boarding to off-boarding. While we can’t advise on GDPR for the services you offer, we’re acutely aware of how GDPR affects the employer and employees in the EU and the UK. Our in-country experts are closely connected with local supervisory authorities and will maintain compliance on your behalf for the services we are contracted for.

Why not speak to us today, and see how we can help you with your global expansion?