UK GDPR: Everything you need to know

Published February 20, 2026 by Ali Talip Pınarbaşı

9 min read
Summary

If you are a UK-based organization or if you are a non-UK business operating in the UK, the UK General Data Protection Regulation (UK GDPR) will apply to your collection and use of individuals’ personal data. 

While its name may suggest it is an identical twin of the EU GDPR, there are important nuances between the two pieces of legislation that you need to be aware of. Moreover, recent reforms to the UK data protection regime have introduced notable changes to the UK GDPR, further widening the gap between the UK and EU approaches to data protection.

In this article, we explain the key requirements of the UK GDPR, highlight how it differs from the EU GDPR, and explore what the latest reforms introduced through the Data Use and Access Act (DUAA) mean for businesses operating in the UK.

What is the UK GDPR?

The UK GDPR is the primary law regulating the processing of individuals’ personal data in the UK. Among other things, it sets out when it applies, which lawful bases can be relied on to process personal data, and the conditions under which special category data, such as health and genetic data, may be processed.

Alongside these core provisions, the UK GDPR grants individuals a range of rights concerning their personal data, such as the right to access and erase their data. It also sets out the requirements for valid consent and imposes strict obligations on organizations, including the obligation to carry out data protection impact assessments for certain high-risk processing activities.

At this point, you might assume that legislation as complex as the UK GDPR must be the only data protection law in the UK.

However, two other pieces of UK data protection legislation are highly relevant to organizations handling individuals’ personal data.

First, the Data Protection Act 2018 supplements the UK GDPR by introducing additional requirements and clarifications. Most notably, it sets out a detailed list of conditions under which organizations may process special category data, including health data, data revealing ethnic or racial origin, and genetic and biometric data.

The Act also provides for exemptions from certain data subject rights in specific circumstances. In addition, it governs the processing of personal data for law enforcement purposes and by the intelligence services.

Second, the Privacy and Electronic Communications Regulations (PECR) impose rules and restrictions on electronic communications, including cookies and direct marketing by email, SMS and phone, and provide individuals with rights in relation to them.

Now that we have provided a summary of the UK GDPR and explained its place within the UK data protection regime, we can dive deeper into the key requirements under the UK GDPR. 

Differences between the UK GDPR and the EU GDPR (post-Brexit)

The UK GDPR and the EU GDPR are highly similar in their underlying principles, key obligations, and the rights individuals have regarding their personal data. Their format and structure are also closely aligned.

Despite these similarities, there are material differences between the two regimes. These differences affect the obligations imposed on data controllers and processors, the way individuals exercise their rights, and the implementation and enforcement of data protection law.

One key difference relates to legal force and enforcement. The UK GDPR is a domestic piece of legislation enforced by the UK Information Commissioner’s Office (ICO). By contrast, the EU GDPR applies uniformly across the EU and the EEA and is enforced by national data protection authorities in each Member State. At the EU level, the European Data Protection Board (EDPB) is responsible for promoting the consistent application of the EU GDPR. There is no equivalent coordination mechanism in the UK, and the EDPB’s decisions and opinions are not binding on the ICO. 

Secondly, the UK has introduced important amendments to the UK GDPR and to the wider UK data protection regime through the Data Use and Access Act (DUAA). The majority of these changes came into force on February 5, 2026. With those changes in effect, the UK GDPR diverges further from the EU GDPR in the following ways:

  • Under the amended Article 22 UK GDPR, restrictions on automated decision-making are narrower compared to the EU GDPR. Note that automated decision-making will still require appropriate safeguards.
  • Under the UK GDPR, there is a list of “recognised legitimate interests” that allows organizations to rely on legitimate interests for specified purposes without conducting a full legitimate interests assessment (LIA) before processing. The EU GDPR contains no such list. 
  • Under the UK GDPR, organizations must facilitate and respond to data subjects' complaints through an internal complaints procedure. Such a requirement is not contained in the EU GDPR. 

UK GDPR vs EU GDPR: Comparison table

Which GDPR do you need to comply with?

Depending on where you are established, where you operate, the individuals to whom you offer your products or services, and whether you monitor individuals’ behaviour, you may be subject to both the UK GDPR and the EU GDPR, to only one of them, or to neither.

For example, a global e-commerce platform that offers its services to consumers in both the UK and the EU will typically be subject to both regimes.

As a result, it is essential to review your data processing activities to determine which data protection laws apply to your organization and to ensure that those activities comply with the relevant requirements, including those under the UK GDPR and the EU GDPR.

7 key principles of UK GDPR

Article 5 of the UK GDPR requires that data controllers comply with seven key principles when collecting, using, and processing people’s personal data. These principles can be summarized as follows: 

  • Lawfulness, fairness, and transparency: You must process personal data on a lawful ground, and in a fair manner, while also being transparent in relation to the processing. 
  • Purpose limitation: Personal data must be collected and used only for specified, legitimate, and explicit purposes. 
  • Storage limitation: You must not store personal data longer than necessary for the purpose for which you process it. 
  • Data minimisation: You must only process personal data that is adequate, relevant, and limited to what is necessary to achieve your specific purposes. 
  • Accuracy: You must ensure and maintain the accuracy of personal data processed. 
  • Integrity and confidentiality: You must ensure and maintain appropriate security of personal data. 
  • Accountability: The overarching principle that requires you to adhere to the six principles above and demonstrate compliance. 

While these principles do not prescribe specific obligations, such as exact data retention periods or the lawful basis to be used for particular processing activities, failure to comply with them may, in certain circumstances, result in fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher.

For this reason, these principles should be embedded in your privacy compliance programme and reflected in your data processing activities from the outset, before any personal data is collected or processed, to minimise regulatory risk.

What documentation do you need? (minimum viable governance)

If you fall within the scope of the UK GDPR as a data controller, you must comply with a wide range of obligations. These include, for example, carrying out data protection impact assessments for certain processing activities and obtaining GDPR-compliant consent where you rely on individuals’ consent as your lawful basis.

Many of these obligations require organizations to establish and maintain appropriate internal policies, documentation, and contractual arrangements with third parties.

By way of example, where you engage third-party data processors, such as cloud service providers, website analytics providers, or email marketing platforms, you are required under Article 28 of the UK GDPR to enter into a compliant data processing agreement with each of those processors.

In addition, depending on the nature, scale, and context of your data processing activities, you may need to implement further documentation and internal procedures. These may include conducting data protection impact assessments for high-risk processing, maintaining records of processing activities, and establishing a clear and defensible data retention schedule.

How to handle international transfers in the UK?

The UK GDPR and UK law provide individuals with a certain level of protection for their personal data. If an organization transfers personal data subject to the UK GDPR to a third country, the protections afforded by the UK GDPR may be undermined. 

Therefore, Article 44 of the UK GDPR requires that data controllers and data processors comply with the UK GDPR’s international data transfer rules before transferring personal data outside the UK. 

One mechanism for lawful cross-border data transfers is the UK adequacy regulations. If the Secretary of State concludes that the “data protection test” is met, you can freely transfer personal data to the specified third countries or international organizations without additional safeguards. For instance, all countries in the EU and the EEA satisfy this criterion under the current UK adequacy regulations, and you may freely transfer personal data governed by the UK GDPR to those countries without implementing additional measures. 

If there are no adequacy regulations in place, you will have to rely on one of the appropriate safeguards listed in Article 46 of the UK GDPR. These mechanisms include standard data protection clauses, binding corporate rules, and other specified safeguards. 

If neither adequacy regulations nor an Article 46 safeguard is available for your transfer, you may still transfer personal data outside the UK in exceptional circumstances under one of the derogations in Article 49 of the UK GDPR. For instance, you may rely on individuals’ explicit consent to transfer their personal data to an organization outside the UK. However, regular and systematic transfers are unlikely to fall within the Article 49 derogations, so in practice reliance on consent is limited to a narrow range of circumstances.

Penalties for UK GDPR violations

If you violate the UK GDPR, you may face financial penalties. The maximum amount depends on the type of infringement. 

If you fail to comply with certain UK GDPR provisions, such as data protection by design and default, you may face fines of up to £8.7 million or 2% of your undertaking’s total worldwide annual turnover in the preceding financial year, whichever is higher.

If your processing fails to comply with the key principles of the UK GDPR, the conditions for valid consent, data subjects’ rights, the international data transfer rules, or other specified UK GDPR obligations, you may face fines of up to £17.5 million or 4% of your undertaking’s total worldwide annual turnover in the preceding financial year, whichever is higher.

Put simply, failure to comply with the UK GDPR may incur significant financial penalties. 

How to comply with UK GDPR

Achieving full compliance with the UK GDPR is a lengthy process that spans all aspects of your business operations, from your website cookie consent banners to your data retention and security practices. 

If you fall under the scope of the UK GDPR as a data controller, you must ensure compliance with the following key requirements: 

  • Key principles: You must comply with the key principles of the UK GDPR we addressed above. These principles include purpose limitation, storage limitation, and data minimization. 
  • Data subject requests: You must establish and maintain an effective internal policy to respond to and satisfy data subject requests from individuals, such as the right to access and delete personal data. 
  • Identify a lawful basis: For each data processing activity, you must identify and rely on a lawful basis. For instance, you may rely on “contractual necessity” to process customer payments, or you may rely on consent to share individuals’ data with third-party marketing firms. 
  • Consent: UK GDPR and the PECR set out strict conditions for obtaining valid consent. The consent must be freely given, specific, informed, and unambiguous. Therefore, your website/mobile app cookie consent banners, your website forms, and contact forms must be in compliance with the UK GDPR consent requirements for consent to be valid. 
  • International data transfers: If you transfer personal data to third countries, you must ensure that you comply with the UK GDPR’s requirements. If the third country or organization is not covered by adequacy regulations, you must consider one of the safeguards specified in Article 46 UK GDPR, such as standard data protection clauses. 

How Didomi can help you comply with the UK GDPR 

The UK GDPR is among the most complex and stringent data privacy laws globally. While it differs from the EU GDPR in certain respects, the UK GDPR still imposes broad obligations on organisations. These include requirements to obtain consent for certain data processing activities, restrictions on international data transfers, and obligations to respond to data subject access requests.

One critical compliance area that should be at the top of your list is obtaining, managing, and recording data subjects’ consent through a UK GDPR-compliant consent flow.

For example, when you rely on consent for the use of cookies and similar technologies on your website or mobile app, you must not only obtain informed and affirmative consent, but also ensure that individuals can withdraw their consent at any time and that you maintain records of each consent. This is where Didomi’s Consent Management Platform can streamline your end-to-end consent flow by enabling you to obtain and manage UK GDPR-compliant consent.

Our Consent Management Platform (CMP) allows global organisations to collect and maintain consent records as part of a comprehensive suite of privacy-preserving solutions, including privacy request management, first-party data management, compliance monitoring, and server-side tagging. Get in touch with our team to discuss your privacy challenges and learn how our solutions can help you comply with UK data protection laws:


Frequently Asked Questions (FAQ)

Does the GDPR still apply in the UK after Brexit?

Yes. Following Brexit, the EU GDPR was retained in domestic law and amended to become the UK GDPR, which continues to apply in the UK. 

What is the UK GDPR?

UK GDPR is the primary data protection legislation in the UK governing the processing of individuals’ personal data. It sits alongside other UK data protection laws such as the UK Data Protection Act 2018 and the PECR. 

What are the 6 legal bases of the UK GDPR?

Article 6 of the UK GDPR lists “consent”, “legitimate interests”, “contractual necessity”, “vital interests”, “legal obligation”, and “performance of a task carried out in the public interest or in the exercise of official authority” (the public task basis) as the six lawful bases for processing personal data. 

What are the rights of data subjects under the UK GDPR?

Under Articles 13 to 22 of the UK GDPR, individuals have the right to be informed about the processing of their data, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object to processing, and the right not to be subject to solely automated decision-making in certain circumstances. 

Is the UK GDPR changing?

Yes. The Data Use and Access Act 2025 introduced important changes to the UK GDPR, including the establishment of “recognised legitimate interests” and the relaxation of restrictions on automated decision-making. Most provisions of the DUAA 2025 came into force on February 5, 2026.

What is the difference between UK GDPR and PECR?

The UK GDPR governs the processing of individuals’ personal data, while the Privacy and Electronic Communications Regulations (PECR) set out the rules and restrictions that apply to electronic communications, including cookies, marketing emails, SMS, and phone calls. In practice, most businesses need to comply with both.

What is considered valid consent under the UK GDPR?

UK GDPR and the PECR set out strict conditions for obtaining valid consent. The consent must be freely given, specific, informed, and unambiguous. Therefore, your website/mobile app cookie consent banners, website forms, and contact forms must comply with the UK GDPR consent requirements for consent to be valid. 

Do UK businesses ever need to comply with the EU GDPR as well?

If a UK business offers its products or services to EU data subjects or if it monitors EU data subjects, it will likely be subject to the EU GDPR. 

What counts as personal data under UK GDPR?

Under the UK GDPR, personal data means any information relating to an identified or identifiable natural person. From direct identifiers like name to indirect identifiers such as cookies, a wide range of information can constitute personal data under the UK GDPR. 

What are the 7 principles of the UK GDPR?

Article 5 of the UK GDPR requires that data controllers comply with seven key principles when collecting, using, and processing people’s personal data. These principles are: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality; and (7) accountability.

What lawful basis do we need to process personal data?

For each data processing activity, you must identify and rely on one of the six lawful bases in Article 6 of the UK GDPR, such as consent or legitimate interests. 

Do we need a DPO in the UK?

Depending on your data processing activities, you may need to appoint a Data Protection Officer (DPO) under Article 37 of the UK GDPR. You will need to appoint a DPO if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data.

What are the penalties for non-compliance with the UK GDPR?

If an organisation doesn’t comply with the UK GDPR, the ICO can take enforcement action. In serious cases, this can include fines of up to £17.5 million or 4% of global annual turnover (whichever is higher). The ICO may also issue warnings or reprimands, or require an organisation to stop certain data processing activities until issues are fixed.

The author
Ali Talip Pınarbaşı
Freelance writer
London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London, advising businesses on how to comply with data protection laws.