Guidance and resources to help businesses and organisations be data protection compliant after the end of the transition period for leaving the EU.
The Brexit transition period ended on 31 December 2020. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). On 19 February 2021 the European Commission published its draft decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate.
The draft decisions will now be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments. If the committee approves the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions. If adequacy decisions are not adopted at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions.
If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already. We will keep our guidance under review, and update it as the situation evolves. Please continue to monitor the ICO website for updates.
This guidance is designed to help small to medium-sized UK businesses and organisations keep personal data flowing with Europe (the EEA) at the end of the transition period. (The EEA is the EU plus Iceland, Norway and Liechtenstein.) For a more detailed version of this guidance, you can read our guidance for large businesses and organisations and data protection specialists.
If you are a business outside of the UK, with no offices, branches or other establishments in the UK but are offering goods and services to people in the UK or monitoring their behaviour, you will need to comply with the UK GDPR and may need to appoint a UK representative. Our guidance on UK representatives will explain the steps you need to take.
If the EU Commission make adequacy decisions about the UK, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same.
The UK is committed to maintaining the high standards of the GDPR (General Data Protection Regulation) and the government has incorporated it into UK law as the UK GDPR.
If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to be data protection compliant.
If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow if the bridge ends without adequacy.
If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you need to comply with both UK and EU data protection regulations. You may need to designate a representative in the EEA.
Take stock so you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). Data you collected before the end of 2020 about people who were located outside the UK at the end of 2020 will be subject to the EU GDPR as it stood on 31 December (known as the ‘frozen GDPR’). You may use the latest information you have about where people were living, up to 31 December 2020.
Personal data acquired since 01 January that is processed on the basis of the Withdrawal Agreement (for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement) is also subject to the frozen GDPR. Our End of Transition Interactive Tool will help you decide if you are processing ‘legacy data’ and provides more guidance. As the UK data protection regime is currently aligned with Frozen GDPR, you can continue to read our guidance on the basis that UK GDPR applies. If the EU Commission gives the UK an ‘adequacy decision’ then these requirements will cease to apply.
Use this guidance document to understand whether you will be affected and to find out how you need to prepare. It also links to additional guidance about how to improve your data protection knowledge and compliance.
We will continue to update our guidance and develop other tools to assist you.
Check what you need to do:
- Guidance for UK businesses and organisations who have no contacts or customers in Europe.
- Guidance for UK businesses and organisations who send or receive data to or from Europe.
- Guidance for UK businesses and organisations with a European presence or with European customers.
- Guidance for UK businesses and organisations who send or receive data to or from countries outside Europe.
Guidance for large business and organisations and data protection specialists - Read this if you are a large business or organisation or need more detail on data protection law and how it has changed now that the Brexit transition period has ended.
Guidance for police forces or other law enforcement authorities - If you are a UK police force or other law enforcement authority, different rules apply. Click here for guidance on how to prepare for data protection compliance if there is no adequacy agreement.