What is the UK General Data Protection Regulation (UK GDPR)?

The General Data Protection Regulation (2016/679 EU) (EU GDPR) is the governing legislation for collecting and processing personal data in the EU. Following the end of the Brexit transition period on 31 December 2020, most of the EU GDPR was retained in UK law by the European Union (Withdrawal) Act 2018. The retained GDPR is known as the "UK GDPR". The UK GDPR is supplemented by the Data Protection Act 2018.

Therefore, the GDPR principles and requirements continue to apply following Brexit. For example, employers must:

  • ensure that they have legal grounds for carrying out any processing of personal data;
  • provide information to employees and job applicants on the purpose and legal grounds for collecting their data, and their rights in relation to their personal data;
  • comply with additional requirements when processing special categories of personal data, such as data relating to employees' health;
  • adopt organisational measures for data protection such as policies and practices; and
  • be able to demonstrate compliance through the documentation of data processing activities.

Employers should also be aware that the UK GDPR enforcement system provides for significant financial penalties. In particular, breach of the UK GDPR in some circumstances can lead to a maximum fine of £17.5 million or 4% of an undertaking's worldwide annual turnover, whichever is higher.