Does this guidance apply to us?

You should read this guidance if you are a business or organisation based in the UK and the GDPR or Part 3 of the Data Protection Act 2018 currently applies to your processing of personal data.

It is particularly relevant to UK businesses and organisations which:

  • operate in the European Economic Area (the EEA), which includes the EU; or
  • send personal data outside the UK; or
  • receive personal data from the EEA.

This guidance is not aimed at individuals and, if needed, we will provide guidance for individuals in due course.

You should also read this guidance if you are a UK business or organisation and any of the following regulations apply to you:

  • the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);
  • the Network and Information Systems Regulations 2018 (NIS); or
  • Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS).

Overview

If you are a UK business or organisation, we have set out the key practical points and preparations for you to consider if the UK were to exit the EU without a deal on 29 March 2019.

This guidance covers the following laws that are regulated by the ICO, which will be affected by the UK exiting the EU:

The GDPR

The General Data Protection Regulation (GDPR) is EU law that regulates the use of personal data in the EEA and is relevant to most businesses and organisations.

The Data Protection Act 2018

The Data Protection Act 2018 came into force in the UK at the same time as the GDPR took effect. It covers four data protection regimes:

  1. Part 2, Chapter 2: General processing – the GDPR – this chapter supplements the GDPR so that it operates in a UK context.
  2. Part 2, Chapter 3: Other general processing – this chapter applies a UK version of the GDPR (the “applied GDPR”) to those areas outside the scope of EU law, such as defence.
  3. Part 3: Law enforcement processing – this part brings into UK law the EU Data Protection Directive 2016/680 (the Law Enforcement Directive).
  4. Part 4: Intelligence services processing.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the upcoming e-Privacy Regulation

Network and Information Systems Regulations 2018 (NIS)

Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS)