To date, there has been no change to the UK’s data protection standards. EU data protection laws, including the General Data Protection Regulation (GDPR), have continued to apply throughout the transition period alongside the Data Protection Act 2018. There is no requirement for UK data controllers or processors to appoint EU-based representatives for the duration of the transition period.

From 1 January 2021, GDPR will be retained in UK law and will continue to be read alongside the Data Protection Act 2018. Technical amendments will be made to ensure it can continue to function in UK law. 

Receiving personal data from the EU/EEA and already adequate third countries

If your business receives personal data from the EU/EEA, from 1 January 2021, you may need to have an alternative transfer mechanism in place. This will ensure you can keep personal data flowing lawfully.

The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1 January 2021, personal data can continue to flow freely from the EU/EEA to the UK, without you having to do anything.

However, with the 1 January 2021 fast approaching, it would be wise to look at having Standard Contractual Clauses (SCCs) in place in case the EU doesn’t grant positive adequacy decisions by 1 January 2021. The ICO also provides more detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.

Sharing personal data from the UK

There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. 

Further information

The government will keep this page updated if any of the above changes.