Blog details

ICO urges UK businesses: ensure compliance to data protection law before the end of the UK’s transition.

ICO urges UK businesses: ensure compliance to data protection law before the end of the UK’s transition.

ICO urges UK businesses to ensure compliance to data protection law before the end of the UK’s transition on December 31st 2020. 


December 31st 2020 will officially end the transitionary period for the UK, out of the EU, and the ICO is calling on UK businesses to ensure that if they are impacted by data protection law, that they should take the necessary steps to ensure continued lawful data flow from the EU. The ICO advises that any businesses receiving data from organisations in the EU or European Economic Area (EEA, which includes the EU, Iceland, Norway and Liechtenstein) will need to take action to ensure the flow of data doesn’t stop. 


Many SMEs depend on the flow of personal data to operate, and the ICO seeks to aid these businesses during the transition. 

Personal data applies to anything that relates to an identifiable individual whether it be information on customers or staff. HR records, customer details, payroll information and information collected through cloud services are all classified as personal data and will possibly be affected. The ICO recognises that sharing personal data is essential to running the majority of SMEs and that smaller organisations may not have dedicated data protection officers or specialists to help with the preparations. They have, as a result, published a statement advising businesses on steps they can take before January 1st to ensure continued compliance. 

The ICO urges UK businesses to maintain compliance with the DPA 2018 and the GDPR, and to double check their privacy information.


Businesses in the UK will need to continue to ensure compliance with the GDPR and DPA 2018. However, as it relates to the exchange of data between entities in the UK and the EU, as of January 1st 2021, businesses will need to ensure that they have safeguards in place to ensure that the continued flow of data is lawful. The ICO has gathered some guidance and resources on its website and urges businesses to make use of this to determine the actions they may need to take if they use personal data. In addition, businesses should review their privacy information and other documentation for possible changes that need to be made at the end of the transition period.


For most businesses and organisations, the ICO suggests Standard Contractual Clauses (SCCs) to keep data flowing on EU-approved terms. 

The ICO statement suggests that standard contractual clauses or SCCs may be the best option for businesses that use personal data and want to ensure their data transfers are EU-approved. As businesses in the UK will officially be treated as non EU processors or controllers, come January first, SCCs which have proven to be a sufficient safeguard for the transfers for data between controllers and processors within the EU and internationally, have been recommended as the best option for UK businesses to adopt post-transition. 


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcingContact us today.

Prev post
EU to tackle online gatekeepers through Digital Services Act and the Digital Markets Act
December 18, 2020
Next post
FRA report on AI and fundamental rights: Getting the future right.
January 6, 2021

Leave a Comment