The GDPR and the DPA apply to businesses that store or handle personal data (ie any information relating to an identified or identifiable individual). Anyone handling personal data is either a 'data controller' or a 'data processor':
The controller is the person or organisation that decides how and why personal data is processed, ie the purposes and means of the processing (eg a city council operating CCTV cameras).
The processor is the person or organisation that processes personal data on the controller's behalf and on its instructions (eg an outsourced IT services provider).
For more information, read Processing personal data.
The UK GDPR primarily applies to businesses established in the UK, but it also applies to businesses based outside the UK that offer goods or services to individuals in the UK, or that monitor the behaviour of individuals in the UK. This means that a business must comply with the UK GDPR regardless of where it stores or handles the data, as long as it is processing the personal data of individuals in the UK. Note that the test is where the individual is located, not their nationality: 'UK citizens' is not the relevant category.
In the same way, UK businesses will also need to comply with the EU GDPR where they offer goods or services to, or monitor the behaviour of, individuals in the EU and EEA and process their personal data.
Businesses should make sure their privacy policies are clear about any transfers of personal data outside the UK, including where the data goes and on what legal basis.
On 1 January 2021, the UK became a 'third country' (a country outside the EU) for the purposes of transfers of personal data out of the EU and EEA.
On 28 June 2021, the European Commission adopted an ‘adequacy decision’ in relation to the transfers of personal data from the EU and EEA to the UK. This brings an end to uncertainty over transfers of personal data to the UK.
This means that personal data transfers from the EU and EEA to the UK can be made without the need to put in place additional contractual paperwork (such as standard contractual clauses), supplementary measures or transfer risk assessments. The decision does not run indefinitely: it contains a 'sunset clause' under which it expires four years after coming into force unless the Commission renews it, and the Commission monitors data protection law and practice in the UK during that period and can amend, suspend or repeal the decision if the UK no longer ensures an adequate level of protection. Businesses relying on adequacy should therefore keep track of its status and have a fallback transfer mechanism ready. Transfers in the other direction, from the UK to the EU and EEA, are permitted under the UK's own adequacy regulations for those countries.
For more information on international data transfers, read International transfers of personal data.