3

I understand that the DPA implemented the GDPR in British law as an act of Parliament. Then there was Brexit, and the U.K. GDPR was introduced to stand in for the no longer binding EU GDPR, with only very few minor differences. Why was the U.K. GDPR even necessary as a replacement for the EU GDPR? Why isn’t simply having an active statute (i.e. DPA 2018) remain on the books enough?

TylerDurden

2 Answers

6

The 2018 Data Protection Act specifically implemented the GDPR EU Regulation in the UK - while the regulation itself was directly binding it required member states to create their own legislation for implementing the details - setting up the required supervisory and accreditation bodies etc. The various 'opening clauses' in the regulation also provided the means for the member states to implement specifics in local legislation (so long as that legislation exceeded the minimums set out in GDPR).

At the end of the Brexit transition period the UK was no longer a member state (and its citizens were no longer EU citizens); keeping the DPA 2018 as was would have actually meant that UK citizens weren't eligible for the very protections it was intended to provide them!

Therefore the basis of the law needed updating (as well as certain minor provisions that no longer made sense), hence the "UK GDPR" provided a substitute. The fundamentals are the same and crucially it also codified the necessary basis for the UK's data protection laws to have what is referred to as "adequacy" - which means that the EU considers the UK GDPR/DPA to provide "essentially equivalent" levels of protection and therefore data is allowed to continue to flow between the UK and the EU.

motosubatsu
5

The Data Protection Act 2018 does not implement the GDPR in British law, because it doesn't need to. EU regulations automatically become law in EU member states (which the UK was at the time) without any further action.

What the Act actually does is summarised in section 1:

(1) This Act makes provision about the processing of personal data.

(2) Most processing of personal data is subject to the GDPR.

(3) Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).

(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.

...plus additional provisions relating to intelligence services, the Information Commissioner, and the enforcement of the data protection legislation, which are not covered by the GDPR.

All EU regulations remained a part of UK law after Brexit by virtue of the European Union (Withdrawal) Act 2018, but this Act also gave Parliament the ability to amend or repeal these regulations, which it couldn't do before.

In the case of the GDPR, amendments - including renaming it to UK GDPR - were made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

Steve Melnikoff