What is UK GDPR?
The UK General Data Protection Regulation (UK GDPR) is the United Kingdom's primary data protection law, retained from EU law after Brexit through the European Union (Withdrawal) Act 2018. It works alongside the Data Protection Act 2018 (DPA 2018) to form the UK's comprehensive data protection framework.
UK GDPR applies to any organisation that processes the personal data of individuals in the UK, regardless of where the organisation is based. If you offer goods or services to people in the UK, or monitor the behaviour of people in the UK, UK GDPR applies to you.
The regulation is enforced by the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection. Since the UK left the EU on 31 January 2020 (with the transition period ending 31 December 2020), the UK has operated its own data protection regime — substantively similar to EU GDPR but with key differences.
Dual Compliance Required
If your organisation processes data of both UK and EU residents, you must comply with both UK GDPR and EU GDPR separately. They are now distinct legal regimes with separate supervisory authorities and enforcement mechanisms.
The Data Protection Act 2018
The DPA 2018 sits alongside UK GDPR and provides additional provisions specific to the UK. It's not a replacement for UK GDPR — rather, it supplements and tailors the regulation for the UK context.
What DPA 2018 Covers
- Sets the age of consent for children at 13 years
- Provides exemptions for journalism, research, and archiving
- Defines conditions for processing special category data
- Establishes the framework for law enforcement data processing (Part 3)
- Governs intelligence services data processing (Part 4)
- Creates the immigration exemption for data subject rights
- Sets out the ICO's powers and duties
Special Category Data Conditions
DPA 2018 Schedule 1 provides additional conditions (beyond those in UK GDPR Article 9) for processing special category and criminal conviction data:
- Employment, social security, and social protection
- Health and social care purposes
- Public health
- Research and statistics
- Prevention of fraud
- Insurance purposes
- Elected representatives responding to requests
UK GDPR vs EU GDPR: Key Differences
While UK GDPR was derived directly from EU GDPR and shares the same core principles, several meaningful differences have emerged post-Brexit:
| Area | UK GDPR | EU GDPR |
|---|---|---|
| Supervisory Authority | Information Commissioner's Office (ICO) | National Data Protection Authorities (DPAs) in each member state |
| International Transfers | UK adequacy regulations & UK International Data Transfer Agreement (IDTA) | EU adequacy decisions & Standard Contractual Clauses (SCCs) |
| Age of Consent (Children) | 13 years (set by DPA 2018) | 16 years (member states may lower to 13) |
| Representative Requirement | UK representative required for non-UK controllers targeting UK individuals | EU representative required for non-EU controllers targeting EU individuals |
| Immigration Exemption | DPA 2018 includes an immigration exemption allowing data processing restrictions for immigration control | No equivalent exemption |
| National Security | Broader national security exemptions under DPA 2018 | More limited national security provisions |
| Legislative Authority | UK Parliament can amend UK GDPR via domestic legislation | Changes require EU-wide legislative process |
Divergence Watch
The UK government has signalled intent to reform UK data protection law through the Data Protection and Digital Information Act. Organisations should monitor developments as the UK regime may diverge further from EU GDPR over time, potentially affecting EU–UK adequacy arrangements.
ICO: The UK's Data Protection Authority
The Information Commissioner's Office (ICO) is the UK's independent body responsible for upholding information rights and enforcing UK GDPR and DPA 2018.
Regulatory Powers
- Issue information notices
- Conduct audits and assessments
- Issue enforcement notices
- Impose monetary penalties
- Prosecute criminal offences
Guidance & Support
- Publishes detailed guidance
- Offers a helpline for organisations
- Provides codes of practice
- Runs the registration system
- Handles public complaints
Registration
- Most organisations must pay the ICO data protection fee
- Three tiers: £40, £60, or £2,900/year
- Based on organisation size and turnover
- Failure to register is a criminal offence
ICO Registration Requirement
Unless exempt, every organisation or sole trader that processes personal data must pay the annual data protection fee to the ICO. This is separate from GDPR compliance — it's a legal requirement under the Data Protection (Charges and Information) Regulations 2018.
Six Lawful Bases for Processing
Under UK GDPR Article 6, every processing activity must have a lawful basis. You must determine your lawful basis before you begin processing, and document it. You cannot retrospectively change your lawful basis.
Consent
The individual has given clear, affirmative consent for you to process their personal data for a specific purpose.
Contract
Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal Obligation
Processing is necessary to comply with UK law (not including contractual obligations).
Vital Interests
Processing is necessary to protect someone's life. This basis is rarely appropriate for business activities.
Public Task
Processing is necessary to perform a task in the public interest or for official functions, with a clear basis in law.
Legitimate Interests
Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's data protection rights.
Legitimate Interests Assessment (LIA)
If relying on legitimate interests, the ICO recommends conducting a three-part test: (1) identify the legitimate interest, (2) show the processing is necessary to achieve it, and (3) balance it against the individual's interests, rights, and freedoms. Document this assessment and keep it under review.
Data Subject Rights Under UK GDPR
UK GDPR grants individuals eight key rights. Organisations must respond to most requests within one calendar month, extendable by a further two months for complex or numerous requests (with notification to the individual within the first month).
Right of Access (SAR)
Individuals can request a copy of all personal data you hold about them. You must respond within one month.
Right to Rectification
Individuals can request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure
Also known as the "right to be forgotten" — individuals can request deletion of their personal data in certain circumstances.
Right to Restrict Processing
Individuals can request that you limit how you use their data while a complaint is being resolved.
Right to Data Portability
Individuals can obtain and reuse their personal data across different services in a structured, machine-readable format.
Right to Object
Individuals can object to processing based on legitimate interests, direct marketing, or research/statistics purposes.
Rights Related to Automated Decision-Making
Individuals have safeguards against solely automated decisions that produce legal or similarly significant effects, including profiling.
Right to Withdraw Consent
Where processing is based on consent, individuals can withdraw that consent at any time.
International Data Transfers Post-Brexit
Transferring personal data outside the UK requires appropriate safeguards. Post-Brexit, the UK has established its own transfer mechanisms, separate from the EU framework.
UK Adequacy Regulations
The UK Secretary of State can make adequacy regulations recognising that a country provides adequate data protection. Data can flow freely to adequate countries.
- The EEA/EU is recognised as adequate by the UK
- The UK has made its own adequacy assessments for countries including Japan, South Korea, Canada, and others
- The EU granted the UK adequacy in June 2021 (reviewed periodically)
Transfer Mechanisms
Where no adequacy decision exists, you must use one of these safeguards:
- UK International Data Transfer Agreement (IDTA): the UK's replacement for EU SCCs
- UK Addendum to EU SCCs: allows use of EU SCCs with a UK-specific addendum
- Binding Corporate Rules (BCRs): for intra-group transfers
- Derogations: explicit consent, contract necessity, or public interest in limited cases
Transfer Risk Assessments
Even with appropriate safeguards in place, the ICO expects organisations to conduct a Transfer Risk Assessment (TRA) to evaluate whether the destination country's laws and practices provide adequate protection for the transferred data. This is similar to the EU's Transfer Impact Assessment (TIA) requirement following the Schrems II decision.
Penalties & Enforcement
UK GDPR provides for significant financial penalties, mirroring the EU GDPR fine structure:
Higher Maximum
£17.5 million or 4% of annual worldwide turnover (whichever is higher). Applies to infringements of data processing principles, lawful basis conditions, data subject rights, and international transfer provisions.
Standard Maximum
£8.7 million or 2% of annual worldwide turnover (whichever is higher). Applies to infringements of record-keeping obligations, data protection officer requirements, certification bodies, and monitoring body provisions.
Additional Enforcement Powers
- Enforcement notices: requiring organisations to take (or stop) specific actions
- Information notices: compelling disclosure of information to the ICO
- Assessment notices: enabling the ICO to carry out data protection audits
- Criminal prosecution: for offences such as unlawfully obtaining personal data
- Reprimands: formal warnings for non-compliant controllers or processors
- Compensation claims: individuals can pursue civil claims for damages
UK GDPR Compliance Checklist
Conduct a Data Audit
Map all personal data flows — what you collect, where it's stored, who it's shared with, and your lawful basis for each processing activity.
Appoint a DPO (if required)
Public authorities and organisations carrying out large-scale systematic monitoring or processing special category data must appoint a Data Protection Officer.
Create Records of Processing Activities (ROPA)
Maintain detailed records of all processing activities as required under Article 30 of UK GDPR.
Update Privacy Notices
Provide clear, transparent privacy notices covering all required information under Articles 13 and 14 of UK GDPR.
Implement Lawful Basis for Processing
Identify, document, and communicate the lawful basis for every processing activity.
Establish DSR Procedures
Build processes to handle data subject requests within the one-month statutory deadline.
Conduct DPIAs for High-Risk Processing
Carry out Data Protection Impact Assessments before any processing likely to result in high risk to individuals.
Review International Transfer Mechanisms
Ensure all transfers of personal data outside the UK have appropriate safeguards (adequacy regulations, the IDTA, or EU SCCs combined with the UK Addendum).
Implement Technical & Organisational Measures
Deploy appropriate security measures including encryption, access controls, pseudonymisation, and regular testing.
Create a Breach Response Plan
Establish procedures to detect, report, and investigate personal data breaches within the 72-hour ICO notification window.
How PrivaBase Helps with UK GDPR Compliance
PrivaBase automates the most complex and time-consuming aspects of UK GDPR compliance, so your team can focus on your core business.
Automated Data Mapping
Scan your website and systems to identify personal data collection points, cookies, trackers, and third-party data sharing — building your Article 30 records automatically.
DSR Management
Handle data subject access requests, erasure requests, and portability requests with automated workflows that ensure you meet the one-month deadline every time.
Cookie & Consent Management
Deploy ICO-compliant cookie banners that actually block non-essential cookies until consent is given, with full consent records for audit purposes.
Privacy Policy Generation
Generate UK GDPR-compliant privacy notices that include all required Article 13/14 information, automatically updated as your data processing changes.
Breach Detection & Reporting
Monitor for data breaches and generate ICO notification reports within the 72-hour reporting window, with all required information pre-populated.
Continuous Compliance Monitoring
Ongoing scanning and alerts ensure your website stays compliant as you add new features, integrations, or third-party services.
Check Your UK GDPR Compliance Now
Run a free privacy scan to identify UK GDPR compliance gaps on your website — cookies, trackers, third-party data sharing, and missing privacy controls. Results in under 60 seconds.