What is the UK GDPR? Explaining the Relationship with the GDPR and Key Points to Remember

Following the UK’s departure from the EU, the UK GDPR (United Kingdom General Data Protection Regulation) was implemented on January 1, 2021.

GDPR is a set of EU regulations for the processing and transfer of personal data, and Japanese companies offering services to customers within the EU must comply with GDPR. The UK GDPR is the British version of this regulation.

This article will provide a detailed explanation of the relationship between GDPR and the EU’s GDPR, as well as an in-depth look at the EU’s GDPR. It is essential for businesses expanding into Europe, including the UK, to understand the key points and legal measures that should be taken into consideration.

The UK GDPR Enacted Following the UK’s Exit from the EU

The United Kingdom left the European Union (EU) on January 31, 2020, and in conjunction with this departure, the UK GDPR was implemented based on the EU’s GDPR.

Under the EU’s GDPR, the UK is considered a ‘third country’, and UK companies providing services to EU consumers must comply with both the UK and EU GDPR regulations.

Related article: What is GDPR? Explaining the Points of Comparison with Personal Information Protection Laws and What Japanese Companies Should Be Aware Of[ja]

Related article: Explaining the Key Points in Creating a GDPR-Compliant Privacy Policy[ja]

What is UK GDPR?

The UK GDPR (United Kingdom General Data Protection Regulation) is a set of rules that defines the requirements for processing personal data and transferring it outside the UK, as well as the standards and obligations that must be adhered to by those who process or transfer such data.

The Data Protection Act 2018, enacted in 2018, updated and established the framework of the Data Protection Act originally introduced in 1998 in the UK. Subsequently, in light of the UK’s departure from the EU, the regulation was amended as UK GDPR on January 1, 2021 (2021), based on the EU Withdrawal Act regulations.

The UK GDPR applies to the processing of personal data that takes place in the context of the activities of controllers or processors based within the UK. Furthermore, the UK GDPR also applies to the processing of personal data by controllers or processors not based in the UK under certain circumstances.

Key Points to Understand About the UK GDPR

This section will explain the following two key points that should be grasped concerning the UK GDPR.

• Transfer of Personal Data
• Appointment of Agents and Representatives

Transfer of Personal Data

In the context of data transfers between Japan and the UK, Japan has decided to continue the designation based on Article 24 of the Japanese Personal Information Protection Act (which, before the amendment by Article 50 of the Act on the Development of Digital Society Formation, effective April 1, Reiwa 4 (2022), was the current Article 28) even after the UK’s withdrawal from the EU.

Furthermore, the transfer of personal data between the UK and the EU can continue smoothly during the transition period as before.

Therefore, even after the UK’s departure from the EU, the smooth transfer of personal data between Japan and the UK is ensured.

Appointment of Agents and Representatives

UK companies that do not have branches or offices within the EU are required to appoint an EU agent and update their data protection notices as necessary.

The agent will function as a representative through branches or offices.

Additionally, under UK law, EU companies holding personal data are also required to have a representative in the UK.

Therefore, companies based in the EU need to review and segregate their records to determine whether the information they handle falls under the scope of the UK GDPR regulations.

Japanese Companies Subject to the UK GDPR

There are two main scenarios in which the UK GDPR applies to Japanese companies:

1. When operating with an established base within the UK
2. When conducting business aimed at the UK, without having a base there

In the second scenario, the UK GDPR applies in cases such as:

• When a Japanese business launches an e-commerce site targeting the global market, including Europe
• When conducting marketing campaigns aimed at the European market
• When a Japanese business generates revenue from the European market

Specific examples include:

• When a Japanese business distributes a gaming app to players located in the UK and collects their names and billing history
• When an e-commerce site, which allows payments in pounds, has English descriptions, and mentions shipping to the UK, collects customer addresses, names, and account information
• When a Japanese business manages names and email addresses to distribute newsletters to individuals located in the UK
• When a Japanese business collects and analyzes location data from individuals in the UK through an app
• When a Japanese business acquires cookie information from its website to analyze personal preferences and deliver targeted advertising
• When a Japanese business obtains and manages health-related information from individuals in the UK through wearable devices (such as smartwatches)

Below is the UK GDPR Applicability Flowchart.

Reference: “UK General Data Protection Regulation (UK GDPR) Practical Handbook”[ja] | Japan External Trade Organization (JETRO) London Office, Overseas Research Department

Three Risks of Violating the UK GDPR

In this section, we will introduce three risks associated with violating the UK GDPR.

• The risk of being subjected to penalties, including substantial fines, from the ICO
• The risk of facing legal claims for damages from data subjects and others
• The risk of losing business credibility due to inadequate handling of personal data protection

The ICO (Information Commissioner’s Office) is an independent UK authority established to uphold information rights. If a violation of the UK GDPR rules is discovered, you may be fined by the ICO.

The fines can be substantial; in 2019, the British airline British Airways was fined £183 million, which amounted to 1.5% of its global revenue for one year.

Marriott International, known for managing famous hotels such as Marriott and Ritz-Carlton, was also fined £99 million.

Since these actions are made public, not only can substantial fines be imposed, but there is also the potential for a decrease in brand value. Once a corporate brand has taken a hit, it is extremely difficult to improve it. To avoid diminishing brand strength, it is essential to be vigilant in the handling of personal data.

Summary: Close Attention to the Amendments of the UK GDPR is Essential

The UK GDPR (Japanese: 英国一般データ保護規制) is one of the relatively new laws that was amended on January 1, 2021 (Reiwa 3), following the United Kingdom’s departure from the European Union.

In addition, within the UK, there are two sets of laws concerning data protection: the UK GDPR, which is tailored for the domestic market, and the EU GDPR, which is applicable to the other EU countries.

There is an ongoing multifaceted review of regulations related to personal information. Therefore, Japanese companies that have already entered the UK or EU markets should keep a vigilant eye on future amendments to the UK GDPR.

Violations of the UK GDPR can result not only in hefty fines but also in the tarnishing of a corporate brand. It is crucial to review and update your company’s security measures, adapt to regulatory changes, and implement appropriate strategies.

Guidance on Measures by Our Firm

Monolith Law Office is a law firm with extensive experience in both IT, particularly the internet, and legal matters. In recent years, global business has been expanding increasingly, and the need for legal checks by specialists is growing more than ever. Our firm provides solutions for international legal affairs.

Areas of practice at Monolith Law Office: International Legal Affairs & Overseas Business[ja]