The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The UK left the EU on 31 January 2020, and entered a transition period during which the UK continued to be subject to EU rules. The transition period ended on 31 December 2020. The UK agreed a trade deal on 24 December 2020, which came into force on 01 January 2021. 

The regime from 01 January 2021

The EU GDPR has been written into UK legislation by the Withdrawal Act as the UK GDPR. The EU Exit Regulations applied technical amendments to make the GDPR work in a UK context, but the principles and rules are essentially unchanged. The UK government is committed to maintaining the same high standards of data protection.

The Data Protection Act 2018 (DPA 2018) also remains in place with some technical amendments. Processing previously covered by the ‘applied GDPR’ now falls under the UK GDPR.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is unchanged, except that references within it to the GDPR are now references to the UK GDPR.

Data gathered before 01 January will be subject to the EU GDPR as it stood on 31 December (known as the ‘frozen GDPR’). If the EU Commission gives the UK an ‘adequacy decision’ then this requirement ends. As the UK data protection regime is currently aligned with the frozen GDPR, you can continue to read our guidance on the basis that UK GDPR applies.

European Economic Area (EEA) and EU data flows

Sending data

Transfers of data from the UK to the European Economic Area (EEA) are not restricted. The EU Exit Regulations provide provisional arrangements so that UK adequacy regulations include the EEA and all countries, territories and international organisations covered by European Commission adequacy decisions valid as at 31 December 2020. The UK intends to review these adequacy regulations over time.

Receiving data

As part of the trade deal, the EU has agreed to delay transfer restrictions for four to six months (known as the bridge). This means that data can flow freely from the EEA as before. The EU Commission has stated that it intends to promptly launch the procedure for the adoption of adequacy decisions under the GDPR and the Law Enforcement Directive. In the absence of an EU adequacy decision at the end of the bridge, these transfers will need to comply with EU GDPR transfer rules. We recommend that you put alternative safeguards in place before the end of April, if you haven’t done so already. Our end of transition guidance will help you to prepare for changes to receiving personal data from the EEA.

Regulatory oversight

If your organisation processes data in the EEA and the UK, or is UK based but offers goods or services or targets individuals in the EEA (or the other way around) you are now subject to both the EU GDPR and the UK GDPR. You may need to:

  • appoint an EU Representative (or a UK Representative);
  • consider which EEA or EU supervisory authority is now your lead authority.

Actions you should take

  • You should review your privacy notices, DPIAs and other documentation to update references to EU law, UK-EU transfers and your EU representative (if you need one).
  • Ensure your DPO will be easily accessible from both your UK and EEA establishments.
  • Records of processing – ensure that you are able to identify legacy data that falls under the frozen GDPR. This requirement ends if the EU Commission makes adequacy decisions about the UK.

Please visit our end of transition hub for detailed guidance. We will keep our guidance under review and update it as necessary.