Does this section apply to us?

This section is of interest to all UK businesses and organisations that process personal data.


This section outlines the roles of the national supervisory authorities of EU and EEA states and the European Data Protection Board, the independent body established by the EU GDPR to ensure consistency within the EU as regards interpreting the law and taking regulatory action. It looks at the relationship of the national supervisory authorities among themselves and with the EDPB, both before and after exit date.

What is the role of the ICO and the EDPB?

The EU GDPR says each EU and EEA state must have an independent public authority responsible for monitoring the application of the EU GDPR. In the UK this is the ICO.

The EU GDPR also provides for the establishment of an independent body of the EU, the EDPB. The EDPB is made up of representatives from the supervisory authorities of each EU member state and each EEA state (without voting rights), and the European Data Protection Supervisor. The European Commission is able to participate in the activities of the EDPB but has no voting rights.

The EDPB’s role is to ensure the consistent application of the EU GDPR across the EU. It does this by issuing guidelines and providing opinions, and (if there is a dispute between supervisory authorities) making decisions on the application of the EU GDPR, which are binding on those supervisory authorities.

What are the key points?

On exit, the ICO will not be a supervisory authority for the purposes of the EU GDPR and so will not be an EDPB member. The ICO will seek to retain a strong relationship with the EDPB after exit.

The ICO will continue to be the independent supervisory body regarding the UK’s data protection legislation.

The UK government will continue to work towards maintaining the close working relationships between the ICO and the EU supervisory authorities once the UK has left the EU.