Does this section apply to us?

You should review this section if you are a UK-based business or organisation and the GDPR currently applies to your processing of personal data.

It is particularly relevant to UK businesses and organisations which:

  • operate in the European Economic Area (EEA), which includes the EU; or
  • send personal data outside the UK; or
  • receive personal data from the EEA.


The GDPR is an EU regulation. This means it became law in all member states of the EU (including the UK), without the need for a UK Act of Parliament. It also applies to the EEA states.

When the UK exits the EU, the EU GDPR will no longer be law in the UK. The UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the “UK GDPR”). The government has published a ‘Keeling Schedule’ for the GDPR, which shows the planned amendments.

When planning for a no-deal exit you may need to consider our guidance (set out below) on:

Some parts of the GDPR will no longer be relevant or apply to the UK; for example, those aspects that refer the UK’s participation as a Member State of the EU.

The UK government intends that the UK GDPR will also apply to controllers and processors based outside the UK, where their processing activities relate to:

  • offering goods or services to individuals in the UK; or
  • monitoring the behaviour of individuals taking place in the UK.