Information Commissioner’s Office, “Data protection at the end of the transition period”, retrieved on 6th January 2021, licensed under the Open Government Licence.
If you are a UK business or organisation that receives data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period.
- UK is committed to maintaining the high standards of the GDPR and the government has incorporated it into UK law (the UK GDPR) alongside the Data Protection Act 2018. UK businesses will be covered by the UK data protection regime.
- The UK government has stated that transfers to the EEA are not restricted. So if you send data from the UK to the EEA you will still be able to do so and you don’t need to take any additional steps.
- If a business or organisation in the EEA is sending you personal data, then it will still need to comply with EU data protection laws. You will need to take action with them so the data can continue to flow.
- For most businesses and organisations, SCCs (Standard Contractual Clauses) are the best way to keep data flowing to the UK. Use ICO’s SCC Interactive Guidance tool to help you (external link).
- Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). In the absence of adequacy, data processed before 01 January 2021 will be subject to the EU GDPR as it stood on 31 December 2020 (known as the ‘frozen GDPR’).
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
- Keep up to date with the latest information and guidance.
Thank you for reading.