The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

What effect does the trade deal have on data protection?

As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends.

If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.

For more information, read Data Protection at the end of the transition period and our guidance on International Transfers.

We have also produced an interactive tool on using standard contractual clauses for transfers into the UK to help you.

We will keep our guidance under review and update it as necessary to reflect any developments.

Do we need a European representative?

You may need to appoint an EU representative if you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA. For more information, read Data protection at the end of the transition period – European representatives.

Does the GDPR still apply?

The EU GDPR is an EU Regulation and it no longer applies to the UK. However, if you operate inside the UK, you will need to comply with UK data protection law. The GDPR has been incorporated into UK data protection law as the UK GDPR – so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR.

The EU GDPR may also still apply directly to you if you operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA.

The EU GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the UK GDPR, if the trade deal bridge ends without adequacy.

The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.

For more information on how this affects your data protection obligations and what you need to do, visit our Data Protection at the end of the transition period hub.

What is the UK data protection law now the Brexit transition period has ended?

The Data Protection Act 2018 (DPA 2018) continues to apply. The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period. The UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.

What role will the ICO have?

The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.

The UK government will continue to work towards maintaining close working relationships between the ICO and other countries’ supervisory authorities once the transition period ends.

Is the ICO's GDPR guidance still relevant?

Yes. The principles of the EU GDPR have been incorporated in UK Data Protection law, so you should continue to use our existing guidance. We have updated our guidance to reflect that the Brexit transition period has ended. We will continue to keep our guidance under review and update it where necessary.

Can we still transfer data to and from Europe?

Transfers of data from the UK to the European Economic Area (EEA) are not restricted. The EU has agreed to delay transfer restrictions from the EEA to the UK for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the EEA to the UK until either adequacy decisions are adopted, or the bridge ends.

Unless the EU Commission makes an adequacy decision before the bridge ends, EU GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what safeguards you can put in place to ensure that data can continue to flow into the UK.

If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.

For more information, read Data Protection at the end of the transition period and our guidance on international transfers.

We have also produced an interactive tool on using standard contractual clauses for transfers into the UK to help you.

What about EEA processors sending data back to UK controllers?

This point is still being discussed by data protection authorities in the EU. As any transfers by EEA processors to the UK will be regulated by European data protection authorities and not by the ICO, we’re not able to provide advice on this point until those discussions are concluded.

Further updates will be provided as soon as they’re available.

What about Northern Ireland?

We’ll continue to monitor the position regarding personal data flows across the Ireland/Northern Ireland border and provide any necessary updates as soon as possible.

What does Adequacy mean?

‘Adequacy’ is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU.

An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The UK is seeking adequacy decisions under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).

The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary.

The trade deal agreed between the UK and the EU means that the UK has a four to six month bridge where data can continue to flow from the European Economic Area (EEA) to the UK whilst adequacy negotiations take place. The bridge can finish sooner than this if the EU adopts adequacy decisions in respect of the UK.

The UK and the EU agreed in the Political Declaration on the future relationship that the European Commission would start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal.

The ICO has no formal role in the process. The key dialogue is between the European Commission and the UK Government. The decision about whether the UK provides an adequate level of data protection will be made by the European Commission.

Adequacy decisions secured by the end of the bridge will allow the free flow of personal data to the UK from the EU to continue uninterrupted. In the meantime, there are steps that you can take to ensure that personal data can continue to flow if the bridge ends without adequacy decisions. We recommend that you put measures in place by the end of April, if you have not done so already. For more information, read our guidance on International Transfers, and our interactive tool on using standard contractual clauses for transfers into the UK.

Transfers of data from the UK to the EEA are permitted. The UK Government has recognised EU Commission adequacy decisions made before the end of the transition period. This allows restricted transfers to continue to be made from the UK to most organisations, countries, territories or sectors covered by an EU adequacy decision.

You can find more detail in our guidance on international data transfers at the end of the transition period.

We recommend that you regularly check our data protection at the end of the transition period page for updates and new resources.

What do I need to do with data collected before the end of the transition period?

The data protection provisions set out in the Withdrawal Agreement (Part Three, Title VII, Article 71(1), signed by the UK and the EU in December 2019) apply unless full adequacy decisions are adopted by the EU.

This means organisations in the UK will need to comply with EU data protection law (as it stands on 31 December 2020) when processing personal data that was gathered before the end of the transition period.

Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). Data processed before 01 January 2021 is subject to the EU GDPR as it stood on 31 December 2020 (known as the ‘frozen GDPR’).

Data collected after 31 December 2020 will need to comply with the UK GDPR alongside the DPA 2018. Therefore, it is important that organisations know when personal data was collected and where the data subject lived on 31 December 2020 to ensure that their processing complies with the appropriate legislation. Our End of Transition Interactive Tool will help you decide if you are processing ‘legacy data’ and provides more guidance. As the UK data protection regime is currently aligned with the Frozen GDPR, you can continue to read our guidance on the basis that the UK GDPR applies. If the EU Commission gives the UK an ‘adequacy decision’ then these requirements will cease to apply.

The government have published guidance on the personal data provisions in the Withdrawal Agreement.

What is the Frozen GDPR and when does it apply?

The term ‘Frozen GDPR’ is not an official title and it’s not used in the law itself. However, we think it’s a useful label to help you understand this part of the data protection regime.

The Frozen GDPR is the EU GDPR almost exactly as it existed on 31 December 2020. The only change is that Articles 60 to 76 of the EU GDPR (on co-operation and consistency) are deleted from the Frozen GDPR.

When the UK left the EU, the UK government agreed that this ‘frozen’ version of the EU GDPR would continue to apply to some types of non-UK personal data. This is set out in Article 71 of the Withdrawal Agreement, and it automatically became part of UK law on 1 January 2021.

Although the UK has now left the EU, for the purposes of the Frozen GDPR any references to the EU or to member states are read as if the UK was still part of the EU. For example, if the Frozen GDPR applies, there are no restrictions for transfers between the UK and the EU (although transfers back from the EU to the UK may still be restricted under the EU GDPR).

The Frozen GDPR will not change even if the UK GDPR or EU GDPR are amended. The Frozen GDPR will stay frozen to reflect the way it was on 31 December 2020.

The Data Protection Act 2018 (DPA 2018) is not frozen. The DPA 2018 can still be amended as long as it stays consistent with the Frozen GDPR.

European Data Protection Board (EDPB) guidelines will also continue to apply to the Frozen GDPR.

From 1 January 2021, the Frozen GDPR may apply in the UK to the processing of personal data of individuals located outside of the UK (whether they’re located in the EU or anywhere else in the world). But it only applies to that personal data if:

  • it was processed in the UK under the EU GDPR before 1 January 2021 (known as legacy data); or
  • it’s being processed in the UK on the basis of the Withdrawal Agreement. For example, in order to comply with legal obligations (such as the provisions for citizens’ rights) under the Withdrawal Agreement.

This is to ensure that there’s no change in the level of protection given to non-UK personal data at the end of the Brexit transition period.

If the EU gives the UK an adequacy decision, the Frozen GDPR will no longer apply. The UK GDPR will then apply to all personal data in the UK.

The Frozen GDPR does not apply to any personal data about individuals who are located in the UK. This is covered by the UK GDPR instead.

The Frozen GDPR does not apply to any new personal data collected on or after 1 January 2021 – unless it’s being processed on the basis of the Withdrawal Agreement. Most newly collected personal data is covered by the UK GDPR instead.

The Frozen GDPR is essentially the same as the UK GDPR in most respects. You should continue to follow our guidance for all personal data.

You need to be able to accurately identify which version of the law applies. This will become particularly important if the UK GDPR is ever amended in the future. There may also be cases where this is a relevant consideration right now. For example, when considering international transfer mechanisms.

Therefore, you should identify any personal data collected before the end of 2020 about individuals located outside the UK.

In addition, you should identify any new non-UK personal data processed to comply with the provisions of the Withdrawal Agreement.

Do we need to appoint a UK representative?

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals within the UK, then you need to consider whether you must appoint a UK representative. For more information, read Data protection at the end of the transition period – UK representatives.

How do I choose a UK Representative?

If you are based outside of the UK and you do not have a branch, office or other establishment in the UK and you either:

  • offer goods or services to individuals in the UK; or
  • monitor the behaviour of individuals in the UK,

then you will need to comply with the UK GDPR. The UK GDPR will require you to appoint a representative in the UK. 

Your representative may be an individual, or a private company or organisation established in the UK, and must be able to represent you regarding your obligations under the UK GDPR (e.g. a law firm, consultancy or private). In practice the easiest way to appoint a representative may be under a simple service contract.

You will need to authorise the representative, in writing, to act on your behalf regarding your UK GDPR compliance, and to communicate with the ICO and with data subjects.

For more information, read our guidance on UK Representatives.

What about law enforcement processing?

The data protection regime set out in Part 3 of the DPA 2018 still applies to competent authorities processing for law enforcement purposes. These rules derive from an EU directive, but are now set out in UK law and will continue to apply after the end of the transition period (with some minor technical changes to reflect our status outside the EU).

Transfers of data from the UK to the EU and Gibraltar can continue for the time being on the basis of new UK adequacy regulations. For more information on how the transfers rules work, read the international transfers page of our Guide to Law Enforcement processing.

As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends.

At the end of the bridge period, unless the EU has made adequacy decisions, transfers of data from the EU to the UK will be subject to local transfer requirements in the sender’s country. Your European partners may ask you to comply with additional safeguards. We suggest you contact your partners in the EU to discuss what they want to do to ensure that data can continue to flow into the UK.

For more information, read Law enforcement processing - five steps to take and Data Protection at the end of the transition period – law enforcement processing.

Does PECR still apply?

Yes. The current PECR rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They will continue to apply at the end of the transition period.

The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed.

You can find more information on current PECR rules in our Guide to PECR.

Does NIS still apply?

Yes. The NIS rules cover network and information systems. They derive from EU law but are set out in UK law. They continue to apply. You can find more information in our Guide to NIS.

If you are a UK-based digital service provider offering services in the EU, you may need to appoint a representative in one of the EU member states in which you offer services. You need to comply with the local NIS rules in that member state. If you also offer services in the UK, you also need to continue to comply with the UK rules regarding your UK services. 

Does eIDAS still apply?

The eIDAS regulation covers electronic ID and trust services. It is an EU regulation and no longer applies in the UK. However, the government has incorporated the eIDAS rules into UK law. In practice, if you are a UK trust service provider, you should assume that you still need to comply with eIDAS rules.

For more information, see our Guide to eIDAS.

If you offer trust services in the EU, you may also still need to comply with EU eIDAS law in EU member states. The UK no longer regulates that aspect of your services. We continue to work closely with EU supervisory authorities.

Does FOIA still apply?

Yes. The Freedom of Information Act 2000 forms part of UK law and will continue to apply.

For more information, see our Guide to freedom of information.

Do the EIR still apply?

Yes. The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law but are set out in UK law. The UK has also independently signed up to the underlying international treaty on access to environmental information (the Aarhus Convention).

For more information, see our Guide to the EIR.

Will you be producing more guidance?

The core data protection principles, obligations and rights will remain the same. So, at this stage, we don’t need to produce an entirely new range of guidance. However, some specific areas – chiefly in cross-border supervision and enforcement, and international transfers – are specifically affected. So we have recently produced the following guidance:

We will also keep our Guide to Data Protection – and in particular our guidance on international transfers – under regular review and update it to reflect the latest developments.

We will also regularly update these FAQs to reflect the queries we receive. In the meantime, given that UK data protection remains aligned with the EU GDPR, our Guide to Data Protection remains a good source of advice and guidance on how to comply with UK and EU data protection rules both now and after the transition period.