Information Commissioner’s Office, “Data protection at the end of the transition period”, retrieved on 6th January 2021, licensed under the Open Government Licence.
If your organisation operates in the EEA, you need to comply with both UK and EU data protection regulations. You may also need to appoint a representative in the EEA.
- The UK is committed to maintaining the high standards of the GDPR and the government has incorporated it into UK law (the UK GDPR) alongside the Data Protection Act 2018.
- You will need to comply with the UK data protection regime for your activities in the UK.
- If you have offices, branches or other establishments in the EEA, your European activities are covered by EU law. You can check which European data protection regulator will be your ‘lead supervisory authority’.
- Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). In the absence of adequacy, data processed before 01 January 2021 will be subject to the EU GDPR as it stood on 31 December 2020 (known as the ‘frozen GDPR’).
- If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA. This person will act as your local representative with individuals and data protection authorities in the EEA. You need to find a provider in the EEA who offers services as a GDPR representative. If you have a data protection officer (DPO), your representative cannot be the same person, and cannot be one of your processors. Read more in our guidance to European representatives.
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
- Keep up to date with the latest information and guidance.
Thank you for reading.