The General Data Protection Regulation (GDPR) was launched more than four-and-a-half years ago, and much has happened since. The UK is no longer part of Europe, which then led to the implementation of the UK GDPR. Last year, on 28 June 2021, adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED) were approved by the EU. Data can therefore continue to flow as before for the most part, until at least 27 June 2025.

What does this all mean from a data protection perspective? What does it mean for UK businesses either receiving data from, or having offices in, the EU and European Economic Area (EEA)? The ICO has produced guidance on exactly this, providing a basic overview of the changes to data protection in recent years. Head to the ICO website for that and additional guidance on Data Protection and the EU. Alternatively, read on for a summary.


The GDPR was put into effect on 25 May 2018 as a way for the EU to demonstrate its firm stance on data privacy and security. Organisations targeting or collecting data related to people in the EU were now open to huge fines for violating these standards. The regulation is large in scope and far-reaching, meaning that GDPR compliance is a daunting prospect. Post-Brexit, the UK GDPR was then introduced. Tailored by the Data Protection Act 2018, it effectively sees GDPR retained in UK law.

Adequacy decisions in 2021

Countries, territories, sectors or organisations with an “essentially equivalent” level of data protection to the EU are described using the term, ‘adequacy’. Last year, the EU Commission adopted adequacy decisions for the UK GDPR and the LED. The decisions applied to the whole of the UK, including Northern Ireland. As aforementioned, this basically means the majority of data can continue to flow freely from the EU to the UK. What data received by a UK organisation from the EU or EEA is affected? Any data which falls within the scope of the DPA 2018 immigration exemption.

UK organisations with offices, branches or customers in the EEA must comply with both UK and EU data protection regulations.

Key questions & answers

Q. Does the GDPR still apply to the UK?

A. No, the GDPR is an EU regulation – hence it being known as the EU GDPR.

Q. Does the EU GDPR apply to you if you operate in the EEA? Does it apply if you offer goods or services to individuals in the EEA? What if you monitor the behaviour of individuals in the EEA, does it still apply then?

A. The answer is potentially yes – read more on that from the ICO here.

Q. Are organisations in the EU and EEA allowed to send data to a UK business?

A. Yes.

Clearly data protection and the EU is a huge topic, with an abundance of information available. Here we have simply tried to provide a broad overview. Hopefully the questions we have included and answered will be of some assistance. If you require more help, then we would love to hear from you.

Further reading from CRIBB on this subject: