The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Does this section apply to us?

This section applies to all UK businesses and organisations whose processing of personal data is currently subject to the EU GDPR.

How can we prepare?

  • You can review your privacy notices, DPIAs and other documentation to update references to EU law, UK-EU transfers and your EU representative (if you need one).
  • Ensure your DPO will be easily accessible from both your UK and (if you have them) EEA establishments.

What are the key points?

  • Privacy notices – the information required in your privacy notice is unlikely to change. You may need to (a) review your privacy notice to reflect changes to international transfers, (b) review references to your lawful bases or conditions for processing if any refer to ‘Union law’ or other terminology changed in the UK GDPR, and (c) identify your EU representative (if you are required to have one).
  • Rights of data subjects – as a reminder, if the UK GDPR applies to your processing of personal data, it doesn’t matter where in the world the individuals whose data you process are located.
  • Documentation – the information required in your record of processing activities is unlikely to change. You may need to review it to reflect changes regarding international transfers. If you have chosen to record the lawful basis or conditions for any of your processing, you need to review any references to ‘Union law’ or other terminology changed in the UK GDPR.
  • Data Protection Impact Assessments (DPIAs) – existing assessments may need to be reviewed in the light of the UK GDPR; for example, if they cover international data flows that on exit date become restricted transfers.
  • Data protection officers (DPOs) – if you are currently required to have a DPO, on exit date that requirement will continue, whether under the UK GDPR or the EU GDPR. You may continue to have a DPO who covers the UK and EEA. The UK and EU GDPRs will both require that your DPO is ‘easily accessible from each establishment’ in the EEA and UK.
  • Codes of conduct and certification – the EDPB is working on guidance regarding codes of conduct and certification, and how those schemes may be used for international transfers. Currently there are no approved codes of conduct and certification schemes acting as safeguards for international transfer tools. However, we are working on developing codes of conduct and certification schemes and this work will continue after the end of the transition period.