- Contact The DPO Centre
- +44 (0)203 797 1289
- hello@dpocentre.com
Axiom publishes white paper on the rising pressures facing GRC in 2026
November 27, 2025
On 19 December 2025, the European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law. renewed its two 2021 UK adequacy decisions, confirming that personal dataInformation which relates to an identified or identifiable natural person. can continue to flow freely between the EU and the UK until 27 December 2031.
The decisions had previously been extended by six months while the Commission assessed the UK’s evolving data protection framework, including the newly enacted Data Use and Access Act 2025. The Commission concluded that the level of data protection offered by the UK remains ‘essentially equivalent’ to EU standards — a critical finding that preserves continuity for EU–UK data flows.
What this means for your organisation
For organisations operating across both jurisdictions, the renewal provides welcome certainty at a time of broader regulatory change. It confirms that EU-to-UK data transfers can continue without additional safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the..., contractual requirements or technical measures, which should support operational continuity whilst reducing friction, cost, and compliance complexity.
However, adequacy is not guaranteed indefinitely. Built-in review mechanisms mean the UK’s framework will remain under scrutiny, particularly as regulatory divergence continues to be debated.
Prudent organisations should treat this as reassurance, and not a reason for complacency, by:
- Monitoring regulatory developments in both the EU and UK
- Keeping data transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. mapping and risk assessments current
- Retaining contingency safeguards where specific transfer risks arise
Ben Seretny, COO at The DPO Centre, said,
‘Although not a tremendous surprise after the European Data Protection Board endorsed the adequacy decisionA decision adopted by the European Commission on the basis of Article 45 of the GDPR, which establishes that a third country (i.e. a country not bound by the GDPR) or international organisation ensures an adequate level of protection of personal data. Such a decision takes into account the country's domestic law, its supervisory authorities, and international commitments it has... back in October, it certainly provides a greater degree of comfort and certainty for organisations looking to continue frictionless transfers of personal data between the UK and its largest trading partner.’
