The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Does this section apply to us?

This section applies to all UK businesses and organisations whose processing of personal data is currently subject to the EU GDPR.

How can we prepare?

  • Take stock so that you can identify overseas data processed before the end of the transition period (known as ‘legacy data’). In the absence of adequacy, data processed before 01 January will be subject to the EU GDPR as it stood on 31 December (known as the ‘frozen GDPR’)
  • You can review your privacy notices, DPIAs and other documentation to update references to EU law, UK-EU transfers and your EU representative (if you need one).                                                
  • Ensure your DPO will be easily accessible from both your UK and (if you have them) EEA establishments.

What are the key points?

  • Privacy notices – You may need to (a) review your privacy notice to reflect changes to international transfers, (b) review references to your lawful bases or conditions for processing if any refer to ‘Union law’ or other terminology changed in the UK GDPR, and (c) identify your EU representative (if you are required to have one).
  • Rights of data subjects – as a reminder, if the UK GDPR applies to your processing of personal data, it doesn’t matter where in the world the individuals whose data you process are located.
  • Documentation – the information required in your record of processing activities is unlikely to change. You may need to review it to reflect changes regarding international transfers. If you have chosen to record the lawful basis or conditions for any of your processing, you need to review any references to ‘union law’ or other terminology changed in the UK GDPR.
  • Data Protection Impact Assessments (DPIAs) – existing assessments may need to be reviewed in the light of the UK GDPR; for example, if they cover international data flows that on exit date become restricted transfers.
  • Data protection officers (DPOs) – if you are currently required to have a DPO, on exit date that requirement will continue, whether under the UK GDPR or the EU GDPR. You may continue to have a DPO who covers the UK and EEA. The UK and EU GDPRs both require that your DPO is ‘easily accessible from each establishment’ in the EEA and UK.
  • Codes of conduct and certification  Currently there are no approved codes of conduct and certification schemes acting as safeguards for international transfer tools. However, we are working on developing codes of conduct and certification schemes and this work will continues.