The GDPR and the DPA apply to businesses that store or handle personal data (ie information relating to individuals who can be identified from that data). Anyone handling personal data is either a 'data controller' or a 'data processor':
The controller is the person who decides how and why personal data is processed (eg a city council operating CCTV cameras).
The processor is the person who processes personal data on the controller's behalf (eg an IT services provider).
For more information, read Processing personal data.
The GDPR primarily applies to businesses established in the UK, but also applies to businesses based outside the UK that offer goods and services to UK residents. This means that companies will have to comply with the GDPR regardless of where they store or handle data, as long as they are processing UK citizens’ personal data.
UK businesses will also need to comply with the EU GDPR where they are processing EU citizens’ personal data.
On 1 January 2021, the UK became a 'third country' (a non-EU country) for the purposes of transferring personal data out of the EU.
In the long term, this will require an ‘adequacy decision’ by the European Commission on the suitability of the UK’s data protection framework under the DPA 2018. It may also result in a legally-binding data protection agreement between the EU and UK.
In the short term, businesses can continue to transfer personal data between the EU and UK without taking additional measures (eg entering into standard contractual clauses). The Trade and Cooperation Agreement between the EU and UK states that until 31 June 2021, transfers of personal data from the EU to the UK will not be considered transfers to a third country. This is subject to certain safeguards (ie the UK not amending its data protection laws without the EU's agreement).
Ask a lawyer if you are unsure whether the GDPR applies to your business.