Data protection and the UK transition: What you need to do

Blogs 19 Nov 2020

What happens to data security after 31 December 2020 and what can you do to prepare?

This resource was last reviewed 1 July 2021

If your business or organisation receives personal data from the EU/EEA, there are steps you need to take now to ensure that you are ready for the new rules from 1 January 2021.

What is personal data?

Broadly speaking, personal data is any information that can be used to identify a living person. This type of information is regularly used in the daily running of most businesses and organisations.

How could this apply to me?

You may receive a personal data transfer from an EEA partner. For example:

  • Your company receives customer information from an EEA company, such as names and addresses.
  • You manage your HR data, such as staff working hours and payroll details, via partners based in the EEA.

What do I need to do?

Full guidance on the new regulations can be found on the GOV.UK website.

The ICO has a dedicated hub to help small businesses ensure they stay data compliant when sending or receiving data from EEA countries.

The EU is currently undertaking a data adequacy assessment of the UK. What you will need to do depends on the outcome of this assessment.

What is data adequacy?

Data adequacy is a status granted to a country that is outside the European Economic Area (EEA). It indicates that the country provides a level of personal data protection comparable to that in European law, allowing the flow of data to continue. It was announced on 28 June 2021 that adequacy decisions have been approved for the UK. This means that UK businesses can continue with their current practices with regard to receiving data from the EU, and no further changes are needed.

What is an SCC?

A Standard Contractual Clause (SCC) is a set of terms and conditions that helps protect personal data when it leaves the EEA and is no longer protected by GDPR.

How do I prepare one?

The ICO has an interactive tool which will help you decide if an SCC is appropriate for your business. It allows you to build and download an SCC for your transfer.

Does this mean that GDPR no longer applies?

No. GDPR will be retained in domestic law at the end of the transition period, so you’ll still need to stay on top of GDPR compliance. However, the UK will have the independence to keep the framework under review.

Where can I go for further guidance?

Information Commissioner's Office: Interactive tool for selecting and building SCCs

GOV.UK: Using personal data in your business or other organisation after the transition period

FSB members have access to an online library of over 1,000 legal documents, factsheets and templates via the FSB Legal Hub, as well as a 24/7 legal advice line.

