The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Brexit transition period ended on 31 December 2020. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). The UK Government are seeking adequacy decisions from the European Commission. In the absence of adequacy decisions at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions. If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already. We will keep our guidance under review, and update it as the situation evolves. Please continue to monitor the ICO website for updates.

Does this guidance apply to us?

If you’re new to this topic, go here first for an overview of the key points you need to know and practical guidance to help you prepare for the end of the transition period.

This guidance explains data protection at the end of the Brexit transition period in more detail. Read it if you have detailed questions not answered in our other resources, or if you need a deeper understanding of data protection law and how it has changed

It is particularly relevant to UK businesses and organisations that rely on international data flows, target European customers or operate inside the European Economic Area (EEA).

This guidance is aimed primarily at DPOs and those with specific data protection responsibilities. It is not aimed at individuals and, if needed, we will provide guidance for individuals in due course.