The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner (ICO) is calling on the UK’s businesses to check whether they are impacted by data protection law before the end of the UK’s transition period with the EU on 31 December.

Businesses and organisations that are affected need to take steps to ensure that data can continue to flow from the EU lawfully from 1 January.

The ICO is urging businesses to visit its website - - to view guidance and resources on the actions they may need to take if they use personal data.

Research indicates that sharing personal data is essential to running the majority of SMEs. Any businesses receiving data from organisations in the EU or European Economic Area (EEA) must take action to ensure the flow of data doesn’t stop.

Personal data is classed as anything that relates to an identifiable individual and can relate to information about both customers and staff. HR records, customer details, pay roll information and information collected through cloud services are all forms of personal data and could be affected.

The ICO recognises that smaller organisations may not have dedicated data protection specialists to help with the preparations. It has therefore created specific guidance and resources to support SMEs to keep data flowing at the end of the transition.

Businesses are advised to continue complying with the Data Protection Act 2018 and General Data Protection Regulation (GDPR) and to prepare by understanding where the personal data they use comes from.

For most businesses and organisations, Standard Contractual Clauses (SCCs) are the best way to keep data flowing on EU-approved terms. The ICO website hosts an SCC Interactive Guidance tool to assist SMEs.

Businesses should also review their privacy information and any documentation to identify changes that need to be made at the end of the transition period.

As part of the negotiations, the EU is yet to make a decision as to whether it accepts that the UK’s data protection regime is still adequate. An adequacy decision is still possible but the timing is unclear.

Elizabeth Denham, Information Commissioner, said:

“We appreciate there is a lot of pressure on SMEs right now, especially given the impact of the pandemic. However, sharing personal data is essential to the running of many businesses and it is vital you take action to ensure that data can continue to flow.

“As we don’t know what the outcome will be from the EU, there is an even bigger need for businesses to prepare now.

“The ICO appreciates data protection can seem daunting to SMEs, which is why we have created a specific suite of products to help small businesses prepare. I encourage people to visit the ICO’s website to understand what steps they need to take and to keep up-to-date.”

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. Standard Contractual Clauses (SCCs) are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR.
  4. The EEA is the EU plus Iceland, Norway and Liechtenstein.
  5. The ICO’s website has guidance, checklists and toolkits to help SMEs understand what they need to do to keep data flowing. Also available is a recording of a recent webinar looking at key data protection requirements for SMEs for the end of transition.