Data updates


The United Kingdom is now in a new relationship with the European Union. After many months of negotiations, an agreement on the future partnership was eventually reached in the final days of 2020. For the most part, EU law no longer has direct effect in the UK, but much EU law has been integrated into our domestic legal system.

Data Protection

Now that the transition period has ended, EU data protection law has been converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. UK and EU data protection law is therefore aligned.

Receiving personal data from the EU/EEA and already adequate third countries

The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to six months. EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.

As a sensible precaution, during the bridging mechanism, it is recommended that you work with EU/EEA organisations who transfer personal data to the College to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data from April 2021.

For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs). If you work with suppliers or service providers outside the UK please email your contract or account manager and request a status update on their data processing and international data transfer terms. Alternatively contact for guidance. UK Government guidance can also be found here.  

For personal data flows from the UK

There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU and this will be unaffected by our exit from the EU. For international data transfers from the UK to other jurisdictions, further information can be found on the ICO’s website.

Colleagues who regularly receive transfers of large volumes of personal data

Colleagues who regularly receive transfers of large volumes of personal data or high risk special category (sensitive) personal data, from any organisation / application / researchers from within the EEA, need to notify our Data Protection team