The UK left the EU on 31 January 2020 and entered a transition period, this ended on 31 December 2020. The UK Government are seeking adequacy decisions from the European Commission. In the absence of adequacy decisions, transfers from the European Economic Area to the UK will need to comply with EU GDPR transfer restrictions. We will keep our guidance under review, and update it as the situation evolves. There are changes to how to receive personal data from the EU and action you may need to take on data protection. Please continue to monitor the ICO website for updates.
This guidance is designed to help small to medium-sized UK businesses and organisations keep personal data flowing with Europe (the EEA) at the end of the transition period. (The EEA is the EU plus Iceland, Norway and Liechtenstein.)
If the EU Commission make adequacy decisions about the UK, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same.
The UK is committed to maintaining the high standards of the GDPR (General Data Protection Regulation) and the government has incorporated it into UK law as the UK GDPR.
If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to be data protection compliant.
If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow now the Brexit transition period has ended.
If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations at the end of the transition period. You may need to designate a representative in the EEA.
Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). In the absence of adequacy, data processed before 01 January 2021 will be subject to the EU GDPR as it stood on 31 December 2020 (known as the ‘frozen GDPR’).
Use this guidance document to understand whether you will be affected and to find out how you need to prepare. It also links to additional guidance about how to improve your data protection knowledge and compliance.
We will continue to update our guidance and develop other tools to assist you.
Check what you need to do:
- Guidance for UK businesses and organisations who have no contacts or customers in Europe.
- Guidance for UK businesses and organisations who send or receive data to or from Europe.
- Guidance for UK businesses and organisations with a European presence or with European customers.
- Guidance for UK businesses and organisations who send or receive data to or from countries outside Europe.
Guidance for large business and organisations and data protection specialists – Read this if you are a large business or organisation or need more detail on data protection law and how it will change at the end of the transition period.
Keep data flowing from Europe to the UK – interactive tool (external link)
Thank you for reading.