Using personal data in your business or other organisation from 1 January 2021

Guide

Last updated 28 June 2021

This information is for UK businesses and other organisations that:

  • receive personal data from and transfer personal data to organisations abroad, including in the European Economic Area (EEA), which includes the EU
  • operate in the EEA

What personal data is

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

Receiving personal data from the EU/EEA and third countries which have EU adequacy decisions

The EU has now formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK.

All 12 of the third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK. Find further information on the ICO's website.

Personal data flows from the UK

There are no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. If this situation changes, we will update this page.

For international data transfers from the UK to other jurisdictions, see further information on the ICO's website.

Data protection and GDPR

The UK's data protection regime is set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Information Commissioner is the UK's independent supervisory authority on data protection.


First published 5 October 2020