If your business handles the personal data of UK residents, understanding the UK GDPR is non-negotiable. Since Brexit, the UK is no longer subject to the EU's General Data Protection Regulation (EU GDPR). Instead, it enforces its own version, known as the UK GDPR, alongside the Data Protection Act 2018.
The UK GDPR doesn't just apply to businesses that are based in the UK. If your organization handles the data of UK residents, you must abide by its regulations. The UK GDPR retains the basic framework of its EU counterpart, but there are significant differences, particularly in areas such as international data transfers, representation requirements, and enforcement jurisdiction.
This guide will walk you through the following:
- What the UK GDPR is
- How it compares to the EU GDPR
- The implications for UK-based and international businesses
- Compliance steps to follow
Let's break it down.
- 1. What Is the UK GDPR?
- 2. Who Does the UK GDPR Apply To?
- 3. The Core Principles of UK GDPR
- 3.1. The seven core principles
- 3.2. Data controller (organizational) responsibilities
- 3.3. Risks of UK GDPR breaches
- 4. Lawful Processing of Personal Data under UK GDPR
- 4.1. Lawful bases for processing
- 4.2. The importance of necessity
- 4.3. Determining the legal bases for your organization
- 5. Data Subject Rights
- 6. How the UK and EU GDPRs Work Together
- 6.1. The EU adequacy decision
- 6.2. What UK GDPR adequacy means for businesses
- 6.3. Transferring data from the UK to other countries
- 7. Key Differences Between the UK and EU GDPRs
- 7.1. Supervisory authorities
- 7.2. Modifications and adaptations
- 7.3. What do the GDPR differences mean for businesses?
- 8. UK GDPR Compliance Checklist
- 9. UK GDPR: Not Just EU GDPR Version 2.0
What Is the UK GDPR?
The UK GDPR is the UK's post-Brexit version of the EU GDPR. It came into force on January 1, 2021, as part of the EU (Withdrawal) Act 2018. It mirrors the structure and principles of the EU GDPR but makes specific adjustments to fit the UK legal framework.
This regulation sits alongside the following UK-specific data privacy regulations:
- Data Protection Act 2018 (DPA): Supplements the UK GDPR and covers areas such as law enforcement data use and child data protection.
- Privacy and Electronic Communications Regulations (PECR): Governs direct marketing, cookies, and electronic communications.
- Data (Use and Access) Act (DUAA) 2025: Introduced in June 2025 and being phased in over the following year, as seen below, this new legislation does not replace the UK GDPR or other data privacy laws, but simplifies some procedures while maintaining the highest standards of data protection.
Who Does the UK GDPR Apply To?
It doesn't matter whether your organization is located in Birmingham or Bangkok. If your business processes the personal data of individuals in the UK, it is subject to the scope of the UK's data protection laws.
Specifically, it applies to:
- UK-based businesses processing personal data
- Non-UK businesses offering goods/services to or monitoring people in the UK
If your organization is based in the UK and continues to process the data of EU/EEA residents, you will still need to comply with the EU GDPR.
This international reach mirrors the EU GDPR, and the core definition of personal data remains unchanged. Any data that can identify an individual, such as names, addresses, location data, or even cookie identifiers, is considered personal data and must be protected.
The Core Principles of UK GDPR
The UK GDPR continues to rely on the seven fundamental principles outlined in its EU predecessor. These principles guide the way businesses must handle personal information.
The seven core principles
They are set out in Article 5(1) of the UK GDPR:
- Lawfulness, fairness, and transparency: Process data in a legal and honest way, and be clear about how you use it.
- Purpose limitation: Collect data only for specified, legitimate purposes.
- Data minimization: Only collect data that's necessary.
- Accuracy: Keep personal data accurate and up to date.
- Storage limitation: Don't hold onto personal data longer than necessary.
- Integrity and confidentiality: Keep data secure through appropriate security measures.
- Accountability: Be able to demonstrate your compliance at all times.
Data controller (organizational) responsibilities
Article 5(2), shown below, highlights a crucial requirement for every business. It is the responsibility of the data controller to uphold these seven principles. The data controller is the "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". In short, your business.
Each of the seven principles must be documented and implemented across policies, processes, and systems.
One of the challenges and benefits of the UK GDPR is that it does not establish specific rules or processes for data processing. Organizations have considerable latitude in using different processes to achieve the same result, but no business can afford to overlook a single core principle without risking legal repercussions.
Risks of UK GDPR breaches
To quantify the level of risk we're talking about, infringements of the seven basic principles can result in fines of 4% of a business's total annual worldwide turnover or £17.5 million, whichever is higher.
It's clear that it pays to invest some time and money at the outset in getting UK GDPR compliance right rather than running the risk of substantial fines and a damaged reputation in the future.
Lawful Processing of Personal Data under UK GDPR
Just like the EU GDPR, the UK GDPR requires that every processing activity be grounded in one of six lawful bases. Failing to identify and document a valid basis can constitute a breach of UK GDPR. In addition to being lawful, organizations must also ensure that the processing is fair and transparent.
This checklist from the UK Information Commissioner's Office can help businesses determine whether their data collection policies are on a sound legal footing:
Lawful bases for processing
The six lawful bases are:
- Consent: Freely given, specific, and informed agreement.
- Contract: Necessary to fulfill a contract with the data subject.
- Legal obligation: Required to comply with a legal duty.
- Vital interests: Protecting someone's life.
- Public task: Necessary for performing a task in the public interest.
- Legitimate interests: A flexible legal basis, but it must not override the rights of individuals.
The importance of necessity
Built into each of these legal bases is the concept that data processing must be necessary. This does not mean absolutely essential; it means the processing must be targeted and proportionate to achieving a specific purpose.
The first question every business must ask about every piece of data it decides to collect and process is: why does it need to process this data?
Determining the legal bases for your organization
It's essential to take the time to establish the legal basis for all data processing carried out by your business before it begins handling personal data. It is very difficult, but not impossible, to change the lawful basis later. Additionally, your lawful basis will form the backbone of your Privacy Policy, the essential document for UK GDPR compliance.
The UK Information Commissioner's Office includes another handy checklist to support businesses in deciding on the most appropriate lawful basis for data processing:
Data Subject Rights
As with the EU GDPR, individuals whose data is processed under the UK GDPR are known as data subjects. Data subjects have powerful rights under UK GDPR. These rights echo those found under the EU GDPR:
- Right to be informed: Every business needs a clear Privacy Notice that informs users about the information the business collects and how it will use it.
- Right of access: Users can submit Subject Access Requests (SARs) to find out what information is stored on them and how it is being used.
- Right to rectification: Users can request that inaccurate or incomplete data is rectified or completed.
- Right to erasure: Sometimes called the right to be forgotten, this only applies in certain situations. However, individuals can make this request, and organizations must respond within one month.
- Right to restrict processing: In certain circumstances, individuals have the right to temporarily limit processing.
- Right to data portability: The ability to move their data between service providers for their own purposes.
- Right to object: Individuals have the right to object to processing based on legitimate interests or public tasks, unless you can demonstrate compelling legitimate grounds. All users have the right to request that their data not be used for direct marketing.
- Rights related to automated decision-making and profiling: Individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. They can challenge such decisions and request human intervention.
Your organization's Privacy Notice must clearly explain how users can exercise these rights and make it as easy as possible for them to do so.
How the UK and EU GDPRs Work Together
One of the stated aims of the EU GDPR was to enable the free movement of data within the European Union. However, when the UK exited the European Union, it ceased to be under the EU GDPR and to benefit from this arrangement.
The EU adequacy decision
However, as seen from the extract below, the EU Commission has deemed the UK "adequate." This means data can continue to flow as it did before in many cases, without additional safeguards. This decision will remain in effect until December 27, 2025.
What UK GDPR adequacy means for businesses
The EU's adequacy decision means businesses can continue to enjoy a free flow of data transfers without needing to add extra safeguards, as the two pieces of legislation are considered broadly equivalent.
However, as mentioned earlier, the UK introduced the DUAA in 2025, which modifies parts of the UK GDPR. Thus, businesses that carry out international data transfers need to keep an eye on developments in case the EU decides the changes mean it is no longer considered adequate.
Transferring data from the UK to other countries
The UK now maintains its own list of adequate countries, independent from the EU's list. However, currently, the UK's list mirrors the EU's. The UK government may diverge in future assessments, so regular reviews are essential.
Key Differences Between the UK and EU GDPRs
It's true that the UK GDPR started life as the EU GDPR. However, since Brexit, there have been several changes to the UK version. The recent DUAA only widens the gap.
Here are some key points of divergence that all businesses need to take into account.
Supervisory authorities
The EU GDPR is governed by at least two levels of supervisory body:
- Each member state must set up at least one organization to monitor how the EU GDPR is applied in its jurisdiction.
- Additionally, the European Data Protection Board (EDPB) takes an overarching look at how the EU GDPR is applied across the entire EU.
Now that the UK has left the European Union, it has its own body responsible for enforcing the UK GDPR. It is known as the Information Commissioner's Office (ICO) and it does not answer to the EDPB. However, it functions in much the same way as the supervisory bodies in each EU member state.
Modifications and adaptations
Since Brexit, the UK has gradually modified certain aspects of the GDPR to better fit its legal framework. Some key differences in regulations now include:
- All references to the EU and European supervisory bodies have been removed.
- Differences in how data breaches are notified, how data protection officers are appointed, and which public authorities are exempted from compliance.
- Organizations located outside of the UK that process UK residents' data must appoint a representative, but they do not have to physically reside in the UK, unlike under the EU GDPR, which has a residency requirement.
- Unlike the EU GDPR, there is no one-stop-shop mechanism for cross-border data processing in the UK version. Instead, the ICO is solely responsible for enforcing UK data protection laws wherever the processing occurs.
- The UK GDPR prioritizes national security over individuals' data protection rights. In practice, this means that certain organizations, such as immigration, intelligence, and national security services, are not bound by all the UK GDPR's requirements.
- Under the EU GDPR, each member state is represented in the EDPB. However, while the UK GDPR cooperates with the EDPB, the UK does not have a representative within that supervisory body.
What do the GDPR differences mean for businesses?
If you process the personal data of only UK residents or only EU residents, your business will likely be unaffected by these differences. However, if you process both, you must comply with two data protection frameworks.
On a practical level, this means that your Privacy Policy and data handling processes need to be rigorous and continually monitored to ensure compliance with both the UK and EU GDPRs. Additionally, if a data breach occurs that affects EU and UK residents' data, you may be required to report to both supervisory authorities.
It pays to seek qualified legal advice on how to manage where the EU and UK GDPRs diverge so you comply with both simultaneously. As both regulations stress the importance of accountability, your business must ensure it has an up-to-date data privacy policy and procedures, and maintains detailed records of:
- Data processing functions
- Data Protection Impact Assessments (DPIAs)
- The appointment of a Data Protection Officer, where required
UK GDPR Compliance Checklist
Here's a quick compliance checklist to help UK and international businesses stay on the right side of the law:
- Conduct a data audit to identify what personal data you collect and why
- Identify your lawful bases for processing
- Update your privacy notices and internal documentation
- Review and update contracts with data processors
- Ensure appropriate security measures (technical and organizational)
- If required, appoint a DPO and/or UK representative
- Train staff on data protection awareness
- Maintain clear records of processing activities (ROPA)
- Be ready to respond to data subject requests within one month
- Have a process in place for data breaches and notifying the ICO within 72 hours
UK GDPR: Not Just EU GDPR Version 2.0
The UK GDPR may have its origins in the EU GDPR, but it's a mistake to conclude it's a copy and paste of it. While the structure remains very similar, there are significant differences, especially around international data transfers, representation, and regulatory oversight.
The introduction of the DUAA and the pending EU adequacy decision could lead to further divergence and increased controls for businesses targeting UK customers, regardless of their location. Double the rules means double the obligations, so it is important to seek legal advice to ensure your organization complies with both regimes and is audit-ready.