The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

What effect does the trade deal have on data protection?

As part of the new trade deal, the EU agreed to delay transfer restrictions until 30 June 2021 (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends.

If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.

For more information, read Data Protection at the end of the transition period and our guidance on International Transfers.

We have also produced an interactive tool on using standard contractual clauses for transfers into the UK to help you.

We will keep our guidance under review and update it as necessary to reflect any developments.

Do we need a European representative?

You may need to appoint an EU representative if you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA. For more information, read Data protection at the end of the transition period – European representatives.

Does the GDPR still apply?

The EU GDPR is an EU Regulation and it no longer applies to the UK. However, if you operate inside the UK, you will need to comply with UK data protection law. The GDPR has been incorporated into UK data protection law as the UK GDPR – so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR. GDPR recitals continue to have the same status as before: they are not legally binding, but they clarify the meaning and intention of the articles.

The EU GDPR may also still apply directly to you if you operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA.

The EU GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the UK GDPR, if the trade deal bridge ends without adequacy.

The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.

For more information on how this affects your data protection obligations and what you need to do, visit our Data Protection at the end of the transition period hub.

What is the UK data protection law now the Brexit transition period has ended?

The Data Protection Act 2018 (DPA 2018) continues to apply. The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period. The UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.

What role will the ICO have?

The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.

The UK government will continue to work towards maintaining close working relationships between the ICO and other countries’ supervisory authorities once the transition period ends.

Is the ICO’s GDPR guidance still relevant?

Yes. The principles of the EU GDPR have been incorporated in UK Data Protection law, so you should continue to use our existing guidance. We have updated our guidance to reflect that the Brexit transition period has ended.
We will continue to keep our guidance under review and update it where necessary.

Can we still transfer data to and from Europe?

Yes. Transfers of data from the UK to the European Economic Area (EEA) are not restricted. The EU has agreed to delay transfer restrictions from the EEA to the UK for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the EEA to the UK until either adequacy decisions are adopted, or the bridge ends.

Unless the EU Commission makes an adequacy decision before the bridge ends, EU GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what safeguards you can put in place to ensure that data can continue to flow into the UK.

If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April 2021, if you haven’t done so already.

For more information, read Data Protection at the end of the transition period and our guidance on International Transfers.

We have also produced an interactive tool on using standard contractual clauses for transfers into the UK to help you.

What about EEA processors sending data back to UK controllers?

This point is still being discussed by data protection authorities in the EU. As any transfers by EEA processors to the UK will be regulated by European data protection authorities and not by the ICO, we’re not able to provide advice on this point until those discussions are concluded.

Further updates will be provided as soon as they’re available.

What about Northern Ireland?

There are no specific provisions. Northern Ireland is not treated any differently to the rest of the UK for data protection purposes.

What does Adequacy mean?

‘Adequacy’ is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU.

An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The UK is seeking adequacy decisions under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).

The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary.

The trade deal agreed between the UK and the EU means that the UK has a bridge until 30 June 2021 where data can continue to flow from the European Economic Area (EEA) to the UK whilst the adequacy decisions process takes place. The bridge can finish sooner than this if the EU adopts adequacy decisions in respect of the UK.  

Adequacy decisions secured by the end of the bridge will allow the free flow of personal data to the UK from the EU to continue uninterrupted. In the meantime, there are steps that you can take to ensure that personal data can continue to flow if the bridge ends without adequacy decisions. We recommend that you put measures in place by the end of April, if you have not done so already. For more information, read our guidance on International Transfers, and our interactive tool on using standard contractual clauses for transfers into the UK.

Transfers of data from the UK to the EEA are permitted. The UK Government has recognised EU Commission adequacy decisions made before the end of the transition period. This allows restricted transfers to continue to be made from the UK to most organisations, countries, territories or sectors covered by an EU adequacy decision.

You can find more detail in our guidance on international data transfers at the end of the transition period.

We recommend that you regularly check our data protection at the end of the transition period page for updates and new resources.

What progress has been made towards adequacy?

The UK and the EU agreed in the Political Declaration on the future relationship that the European Commission would start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal.  On 19 February 2021 the European Commission published its draft decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate.

The draft decisions will now be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments. If the committee approves the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions. There is no set timescale for this process, but it is likely to take several months.

There are steps that you can take to ensure that personal data can continue to flow if the bridge ends without adequacy decisions. We recommend that you put measures in place by the end of April, if you have not done so already. For more information, read our guidance on International Transfers, and our interactive tool on using standard contractual clauses for transfers into the UK.

The ICO has no formal role in the adequacy process. The ICO’s informal role has been to demonstrate that it is an independent and effective regulator of data protection in the UK.  The key dialogue is between the European Commission and the UK Government. The decision about whether the UK provides an adequate level of data protection will be made by the European Commission.

What does the draft EU GDPR adequacy decision say?

The draft EU GDPR adequacy decision says that the UK provides adequate protection for personal data transferred from the EU under the EU GDPR.

The decision will last for four years from the date it is adopted. A review and a decision on whether to extend the decision for another four years will take place near the end of that period. This is the norm for all EU adequacy decisions.

What does the draft Law Enforcement Directive (LED) adequacy decision say?

The draft LED adequacy decision says the UK provides adequate protection for personal data transferred from the EU for a law enforcement purpose.

The decision will last for four years from the date it is adopted. A review and a decision on whether to extend the decision for another four years will take place near the end of that period. This is the norm for all EU adequacy decisions.

What do I need to do with data collected before the end of the transition period?

The data protection provisions set out in the Withdrawal Agreement (Part Three, Title VII, Article 71(1), signed by the UK and the EU in December 2019) apply unless full adequacy decisions are adopted by the EU.

This means organisations in the UK need to comply with EU data protection law (as it stands on 31 December 2020) when processing personal data that was gathered before the end of the transition period, or on the basis of the Withdrawal Agreement (for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement).

Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). Data processed before 01 January 2021 is subject to the EU GDPR as it stood on 31 December 2020 (known as the ‘frozen GDPR’).

Data collected on or after 01 January 2021 will need to comply with the UK GDPR alongside the DPA 2018. Therefore, it is important that organisations know when personal data was collected and where the data subject lived on 31 December 2020 to ensure that their processing complies with the appropriate legislation. Our End of Transition Interactive Tool will help you decide if you are processing ‘legacy data’ and provides more guidance. As the UK data protection regime is currently aligned with the Frozen GDPR, our guidance continues to be applicable. If the EU Commission gives the UK an ‘adequacy decision’ then these requirements will cease to apply for as long as adequacy decisions are in place. Should the UK lose adequacy, legacy data processing will be subject to the Frozen GDPR.

The government have published guidance on the personal data provisions in the Withdrawal Agreement.

What is the Frozen GDPR and when does it apply?

The term ‘Frozen GDPR’ is not an official title and it’s not used in the law itself. However, we think it’s a useful label to help you understand this part of the data protection regime.

The Frozen GDPR is the EU GDPR almost exactly as it existed on 31 December 2020. The only change is that Articles 60 to 76 of the EU GDPR (on co-operation and consistency) are deleted from the Frozen GDPR.

When the UK left the EU, the UK government agreed that this ‘frozen’ version of the EU GDPR would continue to apply to some types of non-UK personal data. This is set out in Article 71 of the Withdrawal Agreement, and it automatically became part of UK law on 1 January 2021.

Although the UK has now left the EU, for the purposes of the Frozen GDPR any references to the EU or to member states are read as if the UK was still part of the EU. For example, if the Frozen GDPR applies, there are no restrictions for transfers between the UK and the EU (although transfers back from the EU to the UK may still be restricted under the EU GDPR).

The Frozen GDPR will not change even if the UK GDPR or EU GDPR are amended. The Frozen GDPR will stay frozen to reflect the way it was on 31 December 2020.

The Data Protection Act 2018 also applies to data that falls under the Frozen GDPR. You can continue to apply the latest exemptions and conditions from the DPA 2018 to the Frozen GDPR.

EDPB guidelines continue to be relevant to the Frozen GDPR.

From 1 January 2021, the Frozen GDPR may apply in the UK to the processing of personal data of individuals located outside of the UK (whether they’re located in the EU or anywhere else in the world). But it only applies to that personal data if:

  • it was processed in the UK under the EU GDPR before 1 January 2021 (known as legacy data); or
  • it’s being processed in the UK on the basis of the Withdrawal Agreement, for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.

This is to ensure that there’s no change in the level of protection given to non-UK personal data at the end of the Brexit transition period.

If the EU gives the UK an adequacy decision, the Frozen GDPR will no longer apply. The UK GDPR will then apply to all personal data in the UK.

The Frozen GDPR does not apply to any personal data about individuals who are located in the UK. This is covered by the UK GDPR instead.

The Frozen GDPR does not apply to any new personal data collected on or after 1 January 2021 – unless it’s being processed on the basis of the Withdrawal Agreement. Most newly collected personal data is covered by the UK GDPR instead.

The Frozen GDPR is essentially the same as the UK GDPR in most respects. You should continue to follow our guidance for all personal data.

You need to be able to accurately identify which version of the law applies. This will become particularly important if the UK GDPR is ever amended in the future. There may also be cases where this is a relevant consideration right now, for example when considering international transfer mechanisms.

Therefore, you should identify any personal data collected before the end of 2020 about individuals who were living outside the UK at the end of 2020. You may use the latest information you have about where people were living, up to 31 December 2020.

In addition, you should identify any new non-UK personal data processed to comply with the provisions of the Withdrawal Agreement.

Do we need to appoint a UK representative?

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals within the UK, then you need to consider whether you must appoint a UK representative.  For more information, read Data protection at the end of the transition period – UK representatives.

How do I choose a UK Representative?

If you are based outside of the UK and you do not have a branch, office or other establishment in the UK and you either:

  • offer goods or services to individuals in the UK; or
  • monitor the behaviour of individuals in the UK,

then you need to comply with the UK GDPR. The UK GDPR will require you to appoint a representative in the UK.

Your representative may be an individual, or a private company or organisation established in the UK, and must be able to represent you regarding your obligations under the UK GDPR (eg a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.

You will need to authorise the representative, in writing, to act on your behalf regarding your UK GDPR compliance, and to communicate with the ICO and with data subjects.

For more information, read our guidance on Data protection at the end of the transition period – UK representatives.

What about law enforcement processing?

The data protection regime set out in Part 3 of the DPA 2018 still applies to competent authorities processing for law enforcement purposes. These rules derive from an EU directive but are now set out in UK law and continue to apply (with some minor technical changes to reflect our status outside the EU).

Transfers of data from the UK to the EU and Gibraltar can continue on the basis of new UK adequacy regulations. For more information on how the transfers rules work, read the international transfers page of our Guide to Law Enforcement processing.

As part of the new trade deal, the EU has agreed to delay transfer restrictions until 30 June 2021 (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends.

At the end of the bridge period, unless the EU has made adequacy decisions, transfers of data from the EU to the UK will be subject to local transfer requirements in the sender’s country. Your European partners may ask you to comply with additional safeguards. We suggest you contact your partners in the EU to discuss what they want to do to ensure that data can continue to flow into the UK.

For more information, read Law enforcement processing – five steps to take and Data Protection at the end of the transition period – law enforcement processing.

Does PECR still apply?

Yes. The current PECR rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They continue to apply.

The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed.

You can find more information on current PECR rules in our Guide to PECR.

Does NIS still apply?

Yes. The NIS rules cover network and information systems. They derive from EU law but are set out in UK law. They continue to apply. You can find more information in our Guide to NIS.

If you are a UK-based digital service provider offering services in the EU, you may need to appoint a representative in one of the EU member states in which you offer services. You need to comply with the local NIS rules in that member state. If you also offer services in the UK, you also need to continue to comply with the UK rules regarding your UK services.

Does eIDAS still apply?

The eIDAS regulation covers electronic ID and trust services. It is an EU regulation and no longer applies in the UK. However, the government has incorporated the eIDAS rules into UK law. In practice, if you are a UK trust service provider, you should assume that you still need to comply with eIDAS rules.

For more information, see our Guide to eIDAS.

If you offer trust services in the EU, you may also still need to comply with EU eIDAS law in EU member states. The UK no longer regulates that aspect of your services. We continue to work closely with EU supervisory authorities.

Does FOIA still apply?

Yes. The Freedom of Information Act 2000 forms part of UK law and will continue to apply.

For more information, see our Guide to freedom of information.

Do the EIR still apply?

Yes. The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law but are set out in UK law. The UK has also independently signed up to the underlying international treaty on access to environmental information (the Aarhus Convention).

For more information, see our Guide to the EIR.

Will you be producing more guidance?

The core data protection principles, obligations and rights remain the same. So, at this stage, we don’t need to produce an entirely new range of guidance. However, some specific areas – chiefly in cross-border supervision and enforcement, and international transfers – are specifically affected. So, we have recently produced the following guidance:

We will also keep our Guide to Data Protection – and in particular our guidance on international transfers – under regular review and update it to reflect the latest developments.

We will also regularly update these FAQs to reflect the queries we receive. In the meantime, given that UK data protection remains aligned with the EU GDPR, our Guide to Data Protection remains a good source of advice and guidance on how to comply with UK and EU data protection rules both now and after the transition period.