I work for ***. Several years ago I purchased your organization's EU GDPR toolkit and used it to assist in preparing my organization for GDPR. As we are a UK firm, in a post-Brexit world we do fall under the UK data protection legislation. I am wondering if you have a similar package related to the UK law. That being said, I recognize the two laws (EU and UK) are quite similar, so perhaps your advice would be to use the same policies and procedures, but to simply reference the UK law in place of the EU law. Please let me know your thoughts when you get a chance.
Yes, UK GDPR is shaped by EU GDPR. You need to assess whether or not your organization falls under the scope of both regulations, because both EU GDPR and UK GDPR have extraterritorial application.
Therefore, if you need to comply with both EU GDPR and UK GDPR, you can add UK GDPR and the UK Data Protection Act 2018 as legislative references in the normative section of the policies and in the documentation; if you only need to comply with UK GDPR, you can replace all EU GDPR references with UK GDPR.
Thanks for your response. Would you say that if a policy is already designed to comply with EU GDPR, then simply amending the language to also reference UK GDPR is sufficient? In other words, is the only change required to specify that it’s UK, but no actual substantive changes to the policy are needed?
Yes, that is right. Of course, I suggest you monitor the Information Commissioner's Office (you can subscribe to the newsletter, which is good) for any changes in the legislation. Currently the UK GDPR mirrors the EU GDPR (it was a condition to benefit from the adequacy decision for data transfers between the UK and the EU), but in the future things may change.