Does this section apply to us?
This section applies if:
- you are a UK-based business or organisation; and
- the UK GDPR currently applies to your processing of personal data.
How can we prepare?
Now the transition period has ended, you can use our guidance to assess the impact of legal changes in a few key areas:
- international data transfers;
- EU representatives;
- EU regulatory oversight of any cross-border processing; and
- minor updates to documentation and accountability measures.
Does the GDPR still apply?
The GDPR is retained in domestic law now the transition period has ended, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments.
The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.
This guidance covers the key issues you need to consider regarding international data flows and cross-border processing.
Otherwise, you should continue to follow our existing guidance on your general data protection obligations.
For more information about how other legislation we regulate is affected by the end of the transition period, see Information rights at the end of the transition period – FAQs.