Does this section apply to us?
This section applies if:
- you are a UK-based business or organisation; and
- the UK GDPR currently applies to your processing of personal data.
What should we do?
Now the UK has EU adequacy decisions, you can use our guidance to assess the impact of legal changes in a few key areas:
- international data transfers;
- EU representatives;
- EU regulatory oversight of any cross-border processing; and
- minor updates to documentation and accountability measures.
Does the GDPR still apply?
Yes. The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments. These should be used for information only for the time being, until the official text on legislation.gov.uk has been updated.
The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.
This guidance covers the key issues you need to consider regarding cross-border processing.
Otherwise, you should continue to follow our existing guidance on your general data protection obligations.
For information about how other legislation we regulate is affected by the end of the transition period, see our Overview – Data Protection and the EU.