UK General Data Protection Regulation (UK GDPR)

Does the GDPR still apply to the UK?

Guide

The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:

  • directly to you:
    • if you operate in the European Economic Area (EEA)
    • offer goods or services to individuals in the EEA
    • monitor the behaviour of individuals in the EEA
  • to any organisations in Europe who send you data

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.

Data collected before the end of the transition period

Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'. 

What is the UK GDPR?

The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:

  • offering goods or services to individuals in the UK, or
  • monitoring the behaviour of individuals taking place in the UK

If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.

This guide does not constitute legal advice and is provided for general information purposes only.

Printer-friendly version
Actions
ICO guide to the UK GDPR
Data protection self-assessment
Data protection: small business and sole traders checklist
Also on this site
Using personal data in your business or other organisation
Comply with the Children's code to protect children's privacy online
Privacy and data protection in direct marketing