Why do UK organisations still have to comply with EU GDPR?

March 9, 2023

UK organisations must comply with the European Union (EU) General Data Protection Regulation (EU GDPR) because it is a regulation that applies to all organisations that process the personal data of EU citizens, regardless of where the organisation is located.

This means that, in reality, UK-based organisations have to comply with both the UK Data Protection Act (DPA) 2018 (aka UK GDPR) and EU GDPR.

The EU GDPR was implemented by the EU in 2018, and it is a comprehensive data protection law that strengthens data protection rights for EU citizens. The regulation sets out strict rules on how organisations must collect, store, use, and share personal data. These rules apply to any organisation that processes the personal data of EU citizens, regardless of where that organisation is located. So, if there is any possibility of processing EU citizens' data, EU GDPR applies.

Brexit and the subsequent transition process did not change the UK’s obligation to comply with the EU GDPR, as the UK implemented the EU GDPR into national law before it left the EU (as the DPA / UK GDPR). Therefore, UK organisations that process the personal data of EU citizens must comply with both versions of GDPR (EU and UK) to ensure that they are protecting the privacy rights of those individuals.

Non-compliance with either GDPR can result in significant fines and reputational damage for organisations. Therefore, it is essential that UK organisations understand their obligations under the EU GDPR and take the necessary steps to ensure compliance.

Finally, whatever the outcome of the proposed Data Reform Act (which the UK Government has previously proposed), organisations will still have to follow the rules that the EU requires, e.g. having a Data Protection Officer where that is legally required.

I’d love to say this is simple, however of course it isn’t. The basic advice is that, irrespective of Brexit, EU law still applies if you process EU citizens' data. Overlook this and you could be in significant trouble with EU regulators, which is definitely something to avoid.

Published: George Harris – Senior Data Protection Officer.
