Does this guidance apply to us?
You should read this guidance if you are a business or organisation based in the UK and the GDPR or Part 3 of the Data Protection Act 2018 currently applies to your processing of personal data.
It is particularly relevant to UK businesses and organisations which:
- operate in European Economic Area (the EEA), which includes the EU; or
- send personal data outside the UK; or
- receive personal data from the EEA.
This guidance is not aimed at individuals and, if needed, we will provide guidance for individuals in due course.
You should also read this guidance if you are a UK business or organisation and any of the following regulations apply to you:
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);
- the Network and Information Systems Regulations 2018 (NIS); or
- Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS).
If you are a UK business or organisation, we have set out the key practical points and preparations for you to consider if the UK were to exit the EU without a deal.
This guidance covers the following laws that are regulated by the ICO, which will be affected by the UK exiting the EU:
The General Data Protection Regulation (GDPR) is EU law that regulates the use of personal data in the EEA and is relevant to most businesses and organisations.
The Data Protection Act 2018
The Data Protection Act 2018 came into force in the UK at the same time as the GDPR took effect. It covers four data protection regimes: