The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Does this section apply to us?

This section applies if:

  • you are a UK-based business or organisation; and
  • the GDPR currently applies to your processing of personal data.

How can we prepare?

When planning for the end of the transition period, you can use our guidance to assess the impact of legal changes in a few key areas:

Will the GDPR still apply?

The GDPR is an EU regulation. This means it became law in all member states of the EU (including the UK), without the need for a UK Act of Parliament. It also applies to the EEA states.

The UK left the EU on 31 January 2020 and entered a transition period, which ends on 31 December 2020. Our end of transition guidance will help you to prepare for potential changes. We will keep our guidance under review, and update it as the situation evolves. There may be changes to how you receive personal data from the EU, and action you may need to take on data protection. Please continue to monitor the ICO website over the transition period for these updates.

The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review. The ‘UK GDPR’ will sit alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the planned amendments.

The key principles, rights and obligations will remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK government intends that the UK GDPR will also apply to controllers and processors based outside the UK if their processing activities relate to:

  • offering goods or services to individuals in the UK; or
  • monitoring the behaviour of individuals taking place in the UK.

There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR will still apply to this processing, but the way you interact with European data protection authorities will change.

This guidance covers the key new issues you need to consider regarding international data flows and cross-border processing.

Otherwise, you should continue to follow our existing guidance on your general data protection obligations.

Further reading

For more information about how other legislation we regulate is affected by the end of the transition period, see Information rights at the end of the transition period – FAQs.