UK General Data Protection Regulation (UK GDPR)

Does the GDPR still apply to the UK?


The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:

  • directly to you, if you:
    • operate in the European Economic Area (EEA)
    • offer goods or services to individuals in the EEA
    • monitor the behaviour of individuals in the EEA
  • to any organisations in Europe who send you data

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.

The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation. In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

Data collected before the end of the transition period

Personal data about individuals located within the EEA, which was gathered before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'. The ICO's End of transition interactive tool will help you decide if you are processing 'legacy data' and provide more guidance.

Interim adequacy 'bridge'

The EU Exit transition period ended on 31 December 2020. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months pending any full adequacy finding for the UK. This is known as the 'bridge'.

On 19 February 2021, the European Commission published its draft UK adequacy decisions. If adopted, these decisions will allow for continued free flow of personal data from the EU into the UK.

In the absence of adequacy decisions at the end of the bridge, transfers from the EEA to the UK will need to comply with the EU rules on restricted transfers of data.

If you receive personal data from the EEA, you should put alternative safeguards in place before the end of April 2021, if you haven't done so already. One such safeguard could be the use of Standard Contractual Clauses (SCCs).

What is the UK GDPR?

The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The government has published a 'Keeling Schedule' for the UK GDPR, which shows the amendments.

As well as UK businesses, the UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:

  • offering goods or services to individuals in the UK, or
  • monitoring the behaviour of individuals, where that behaviour takes place in the UK

If you are based outside of the UK and you do not have a branch, office or other establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. It has the power to carry out investigations and issue fines, and it advises businesses on how to comply.

This guide does not constitute legal advice and is provided for general information purposes only.