UK GDPR After Brexit

The obligations of companies in the UK with regard to compliance with personal data protection laws have changed slightly since 1 January 2021. What you should pay attention to depends on what your company does, where it is based, and whether it processes personal data of individuals residing in the UK or also in the EU.


All companies based in the UK still have an obligation to register with the Information Commissioner’s Office and pay the Data Protection licence fee (unless exempt), as well as comply with UK-GDPR personal data protection laws.

All companies in the UK should check their records regarding the processing of personal data in the company and:

  • Change the references of legal basis from GDPR to UK-GDPR.
  • If they send personal data to, or receive it from, other entities operating in European Union countries, they must ensure the legality of data transfers (additional consents, protections, SCCs [standard contractual clauses]).
  • If they have customers or their business involves monitoring the behaviour of individuals from EU countries and they do not have their headquarters in the EU, they must appoint a representative in the EU. This person will act as a local representative for individuals and data protection authorities in the Union. The representative can be an individual or a company, but it cannot be a company that processes the same personal data. Your representative should be listed in your Privacy Policy and fulfil the obligations set out in Article 27 of the GDPR.


If you are a company based in one of the EU countries but process personal data of individuals residing in the UK (you have clients, suppliers, or your business involves monitoring people’s behaviour in the UK), you must appoint a UK representative. They will have the same obligations as an EU representative described above and will represent you in matters related to personal data subjects and the ICO – the UK government unit responsible for overseeing compliance with personal data protection laws in the UK.

If your organisation processes the personal data described above but does so only sporadically, it may be exempt from the obligation to have its own representative in the EU or UK, but must provide evidence to confirm this circumstance.

If you have any doubts about whether your documentation is compliant with the new legal state in the UK, please contact us.

Under data protection law, companies that process data will avoid a penalty only if they can prove that they have done everything to protect the data.
