Data protection at the end of the transition period for SMEs
Guidance and resources to help businesses and organisations better prepare for data protection compliance if we leave without an adequacy decision.
The UK left the EU on 31 January 2020. There is now a transition period until 31 December 2020 while the UK and EU negotiate additional arrangements. The current rules will continue to apply during the transition period. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.
This guidance is designed to help small to medium-sized UK businesses and organisations keep personal data flowing with Europe (the EEA) at the end of the transition period. (The EEA is the EU plus Iceland, Norway and Liechtenstein.)
If the transition period ends before the EU Commission makes an adequacy decision about the UK, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same.
The UK is committed to maintaining the high standards of the GDPR (General Data Protection Regulation) and the government plans to incorporate it into UK law at the end of the transition period.
If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance at the end of the transition period.
If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period.
If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations at the end of the transition period. You may need to designate a representative in the EEA.
Use this guidance document to understand whether you will be affected and to find out how you need to prepare. It also links to additional guidance about how to improve your data protection knowledge and compliance.
We will continue to update our guidance and develop other tools to assist you.
UK businesses and organisations who have no contacts or customers in Europe
If you are a UK business or organisation that already complies with the GDPR and you have no contacts in the EEA who send you data, and no customers in the EEA, you do not need to do much to prepare for data protection at the end of the transition period.
- Your best preparation for data protection once the transition period ends is to comply with the GDPR now.
- The UK is committed to maintaining the high standards of the GDPR and the government plans to incorporate it into UK law alongside the Data Protection Act 2018 when the transition period ends.
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made by the end of the transition period.
UK businesses and organisations who send or receive data to or from Europe
If you are a UK business or organisation that receives data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period.
- Your best preparation for data protection at the end of the transition period is to comply with the GDPR now.
- UK is committed to maintaining the high standards of the GDPR and the government plans to incorporate it into UK law alongside the Data Protection Act 2018 at the end of the transition period. UK businesses will be covered by the UK data protection regime.
- The UK government has stated that transfers to the EEA will not be restricted. So if you send data from the UK to the EEA you will still be able to do so and you don’t need to take any additional steps.
- If a business or organisation in the EEA is sending you personal data, then it will still need to comply with EU data protection laws. You will need to take action with them so the data can continue to flow.
- For most businesses and organisations, SCCs (Standard Contractual Clauses) are the best way to keep data flowing to the UK. Use our SCC Interactive Guidance tool to help you.
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
- Keep up to date with the latest information and guidance.
UK businesses and organisations with a European presence or European customers
If your organisation operates in the EEA, you will need to comply with both UK and EU data protection regulations at the end of the transition period. You may also need to appoint a representative in the EEA.
- Your best preparation for data protection at the end of the transition period is to comply with the GDPR now.
- The UK is committed to maintaining the high standards of the GDPR and the government plans to incorporate it into UK law alongside the Data Protection Act 2018 at the end of the transition period.
- You will need to comply with the UK data protection regime for your activities in the UK.
- If you have offices, branches or other establishments in the EEA, your European activities will be covered by EU law, even at the end of the transition period You can check which European data protection regulator will be your ‘lead supervisory authority’.
- If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will still need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA. This person will act as your local representative with individuals and data protection authorities in the EEA. You need to find a provider in the EEA who offers services as a GDPR representative. If you have a data protection officer (DPO), this cannot be the same person or one of your processors. Read more in our guidance to European representatives.
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
- Keep up to date with the latest information and guidance.
UK businesses and organisations who send or receive data to or from countries outside Europe
Rules for sharing data with countries outside the EEA will remain similar. At this stage, you don’t need to take any extra steps.
- The UK government has confirmed that there will be transitional provisions to recognise existing EU adequacy decisions and EU-approved transfers safeguards.
- Your best preparation for data protection at the end of the transition period is to comply with the GDPR now.
- The UK is committed to maintaining the high standards of the GDPR and the government plans to incorporate it into UK law alongside the Data Protection Act 2018 at the end of the transition period.
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
- Keep everyone up to date with the latest information and guidance.
- For more information, see our detailed guidance on data protection at the end of the transition period.
EEA The European Economic Area. It is made up of the EU member states plus Iceland, Norway and Liechtenstein.
