UK GDPR and post-Brexit data
For organisations operating across the UK and EU, data protection now spans two related but separate regimes. This guide explains the UK GDPR and what it means for sourcing data across the border.
Two regimes, common roots
After Brexit, the UK retained the GDPR as the UK GDPR, alongside the Data Protection Act. It closely mirrors the EU GDPR but is a separate regime that can diverge over time.
Adequacy and transfers
The EU has recognised the UK as providing adequate protection, allowing data to flow from the EU to the UK, subject to review. Transfers in both directions still require attention, and onward transfers to third countries follow each regime’s rules.
What it means for sourcing
Sourcing data across the UK and EU means confirming which regime applies, where data originates and is processed, and the basis for any cross-border flow. Documentation should reflect both regimes where relevant.
Divergence risk
Because the UK can amend its regime, buyers should watch for divergence that could affect adequacy or specific obligations, and design sourcing to adapt.
Practical note
This is general information, not legal advice; confirm obligations with qualified counsel.
In a managed model
A managed partner can structure UK and EU sourcing with the right basis and documentation for each regime.
Two regimes, common roots
After Brexit the UK retained the GDPR as the UK GDPR alongside the Data Protection Act; it closely mirrors the EU GDPR but is a separate regime that can diverge over time. EU-UK data flows rely on an adequacy decision, subject to periodic review, and onward transfers to third countries follow each regime’s rules.
Sourcing across the border
Sourcing across the UK and EU means confirming which regime applies, where data originates and is processed, and the basis for any cross-border flow, with documentation reflecting both regimes. Watch for divergence that could affect adequacy or specific obligations, and design sourcing to adapt.
- The UK GDPR mirrors the EU GDPR but is a separate regime.
- EU-UK data flows rely on an adequacy decision, subject to review.
- Confirm which regime applies and the basis for cross-border flows.
- Watch for divergence that could affect adequacy.