What is the UK GDPR?

GDPR stands for General Data Protection Regulation. From 1 January 2021, the EU GDPR no longer applies to the UK. However, the EU GDPR has been amended so it can be incorporated into UK data protection law. This amended version of the EU GDPR is what is now commonly known as the "UK GDPR". It has very similar terms to the original EU GDPR. The Data Protection Act (DPA) 2018 continues to set out the framework for data protection law in the UK, and the UK GDPR sits alongside the DPA 2018 and the Privacy and Electronic Communications Regulations.

Does that mean the EU GDPR no longer applies to my organisation?

The EU GDPR still applies to organisations with a base in the EEA, or who target people in the EEA, either by offering them goods or services, or monitoring their behaviour. If your organisation falls within the scope above then you may have to comply with both the UK GDPR and the EU GDPR.

My organisation is based in the UK and offers goods and services in the EEA. What else should we do?

If you do not have a base inside the EEA, the EU GDPR requires you to appoint a representative in the EEA. This representative needs to be set up in the EU or EEA state where some of the individuals whose personal data you are processing are located. Your representative may be an individual, or a company or organisation established in the EEA. Your organisation's privacy notice should contain details of your representative. You do not need to appoint a representative if you are a public authority.

My organisation transfers personal data from the UK to the EEA and other countries. Do I need to take additional steps?

If the UK GDPR applies to the processing of personal data you transfer to the EEA, and the UK GDPR doesn't apply to the data importer (as it is located outside the UK), and the data importer is a separate legal entity to your organisation, then this is a 'restricted transfer' under the UK GDPR. However transfers of personal data to the EEA are permitted, as are transfers to other countries deemed by the UK to have an adequate data protection regime. The US is not deemed to have an adequate data protection regime so appropriate additional safeguards must be put in place before transferring personal data to the US (or any other country deemed not to have an adequate data protection regime by the UK). UK Binding Corporate Rules and Standard Contractual Clauses can be appropriate safeguards, but your organisation should take further legal advice if you find yourself in that situation.

What about personal data transfers from the EEA to the UK?

The UK is seeking 'adequacy decisions' from the European Commission which, if positive, will continue the free flow of personal data to the UK from the EU. The Financial Times has reported that the European Commission has concluded that the UK offers an adequate data protection regime. However the Commission must officially adopt the decision by the end of the temporary four to six month bridge, agreed between the UK and EU, which allows personal data to continue to flow from the EU to the UK while an adequacy decision is reached. The Information Commissioner's Office has recommended that UK businesses working with EU and EEA organisations in a way which involves personal data transfers should put in place alternative transfer mechanisms (such as Standard Contractual Clauses) to safeguard against any interruption to personal data flows should an adequacy decision not be officially adopted by the end of the bridge period. The adequacy decision, if agreed, will be re-examined every four years to check that UK rules do not compromise the privacy of EU citizens.