The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

How to use this report

Please see below for suggested actions and further reading based on your answers to the five questions. You can download this report as a Word document using the button on the top right corner of the page.

Transfers from the EEA to the UK: no action required

Transfers to the EEA: no action required

Suggested actions

You can still send the data.

You need to make sure all your privacy information and other records are up to date, but you don't need to take any other action. The UK GDPR currently doesn't require any safeguards for transfers to the EEA.

Further reading

If you'd like more information on the new UK rules on transferring data, you can read:

European representative: new EU rules apply and you need to take action

Suggested actions

If you're based in the UK but target people in the EEA, you still need to comply with EU rules (as well as UK rules) after the end of the transition period. In most cases, you need to appoint a representative in the EEA to deal with European authorities and individuals on your behalf. You need to:

  • find an individual or organisation (eg a law firm, consultancy or other company) in a relevant European country who provides services as a GDPR representative;
  • authorise them in writing to act on your behalf (this will probably mean entering into a service contract with them); and
  • include their contact details in your privacy information for individuals, and on your website (if you have one).

There's an exemption for public authorities, or for occasional low-risk processing. 

Further reading

If you'd like more information on the EU rules on targeting, monitoring and representatives, you can read:

Non-UK data: you need to take action

 

Suggested actions

You should make sure you can identify the data you collected before the end of 2020 about people living outside the UK at the time. You don't need to collect any new information - use the latest information you have, up to 31 December 2020.  This is a one-off exercise, and you need to keep this for compliance purposes.

From 1 January 2021, UK rules apply to UK data, and to most of the new data you collect. But any non-UK data collected in 2020 that you already hold will continue to be covered by existing rules. 

If the EU agrees to give the UK an adequacy decision, this may change and UK rules will cover all types of data. But there's no guarantee of an adequacy decision, so you need to take action now to prepare. Keep checking the ICO website for updates on this.

Further reading

We will publish more guidance on how the ICO will approach 2020 non-UK data and how the 'Frozen GDPR' applies in due course.

For more comprehensive guidance on your data protection obligations generally, read the Guide to Data Protection.

Continue to comply: no action required

 

Suggested actions

You may just want to review your privacy information and other data protection documentation to see if you need to update any details which mention the EU or to add details of transfers to the EEA.

Further reading

More information is available in our data protection at the end of the transition period guidance.