The GDPR and the DPA apply to businesses that store or handle personal data (ie identifiable information relating to individuals). People handling personal data can be either 'data controllers' or 'data processors':
The controller is the person who says how and why personal data is processed (eg a city council operating CCTV cameras).
The processor is the person who acts on the controller’s behalf (eg IT services).
For more information, read Processing personal data.
The GDPR primarily applies to businesses established in the UK but also applies to businesses based outside the UK that offer goods and services to UK residents. This means that companies will have to comply with the GDPR regardless of where they store or handle data, as long as they are processing UK citizens’ personal data.
UK businesses will also need to comply with the EU GDPR where they are processing EU citizens’ personal data.
On 1 January 2021, the UK became a ‘third country’ (a non-EU country) for the purpose of personal data transfer outside the EU. The EU assessed whether the UK should receive an adequacy decision that would provide a solution for EU-UK data transfers.
In the long term, this will require an ‘adequacy decision’ by the European Commission on the suitability of the UK’s data protection framework under the DPA 2018. It may also result in a legally binding data protection agreement between the EU and UK. On 14 April 2021, the European Data Protection Board announced that it had adopted two Opinions on the draft UK adequacy decisions. The next step is for the European Commission to seek approval from representatives from each EU Member State and then adopt a final decision.
In the short term, businesses can continue to transfer personal data between the EU and UK without the need to take additional measures (eg entering into standard contractual clauses). The Trade and Cooperation Agreement between the EU and UK states that, until 30 June 2021, transfers of personal data from the EU to the UK will not be considered transfers to a third country. This is subject to certain safeguards (ie the UK not amending its data protection laws without the EU’s agreement).
Ask a lawyer if you are unsure whether the GDPR applies to your business.