The ICO exists to empower you through information.

Some of the information we process is passed outside of the European Economic Area, what do we need to do?

If you’re sending personal data to a different organisation or person based outside of the European Economic Area (which is the EU member states plus Iceland, Norway and Liechtenstein), you’ll be making what’s known as a ‘restricted transfer’.

When making a restricted transfer you’ll need to make sure the country is covered by an ‘adequacy decision’ which means it’s considered to meet the required standards in the way it treats personal data, or that an appropriate safeguard or exception is met.

Often, standard contractual clauses act as an appropriate safeguard between two organisations. These are a set of clauses included within an agreement between the organisations that say how they’ll comply with the accepted standards of data protection. They place requirements on the sender and recipient. Our guidance on international transfers helps explain the available mechanism for making restricted transfers.

My business only works within the UK. Do data protection laws still apply?

Yes, data protection rules still apply if you process personal data. The UK government has made our data protection laws similar to those we had before, known as the UK GDPR.

Even if all your customers are based in the UK, and you don’t send any personal data to another organisation or person outside of the UK, you still need to follow data protection rules.

Getting on top of data protection now will save you time and help your business in the future.


We will be updating our guidance and offering support whenever there are developments. You can sign up to our newsletter below to receive information about this and other ICO updates.