Companies that offer goods or services to people in the UK, or monitor their behaviour, have a legal obligation to comply with the UK GDPR. Non-compliance can lead to large fines: the higher maximum is £17.5 million or 4% of total annual worldwide turnover, whichever is greater.
The UK GDPR came into effect in January 2021, as a way to maintain strong data protection standards after Brexit. While its core requirements are similar to the EU GDPR, there are specific differences that businesses should be aware of.
If your organization processes the personal data of UK residents, this guide is for you. We’ll explain what the UK GDPR is and provide step-by-step instructions to achieve compliance, prevent penalties, and retain customer trust.
What is UK GDPR?
The UK General Data Protection Regulation (UK GDPR) is the UK's version of the EU GDPR and has applied since 1 January 2021. It mirrors the European Union regulation and protects the data rights and privacy of individuals in the United Kingdom.
The UK GDPR was established to ensure continuity of data protection after Brexit. Because the UK was no longer subject to the EU GDPR, the EU regulation was retained in domestic law under the European Union (Withdrawal) Act 2018 and amended to work as a UK law. It operates alongside the Data Protection Act 2018, which fills in the details the regulation leaves to national law.
The regulation was adapted by replacing references to EU institutions with UK bodies, for example switching from national Data Protection Authorities (DPAs) to the Information Commissioner's Office (ICO).
How is UK GDPR different from EU GDPR?
The core principles of the UK GDPR are the same as those of the EU GDPR. However, the UK regime has been adapted to the UK's context: the Data Protection Act 2018 adds UK-specific provisions and exemptions, notably for national security, the intelligence services, and immigration control. Let's review the main differences between the two regulations:
| | UK GDPR | EU GDPR |
| --- | --- | --- |
| Jurisdiction | Individuals in the UK | Individuals in the EU/EEA |
| Supervisory authorities | Information Commissioner's Office (ICO) | National Data Protection Authorities (DPAs), coordinated by the European Data Protection Board (EDPB) |
| Data transfers between the UK and EU | UK to EEA: permitted without further safeguards (the UK treats EEA countries as adequate) | EU to UK: permitted under the European Commission's adequacy decision for the UK (June 2021) |
| Age of consent for online services | 13 | 16 by default; member states may lower it to 13 |
| Representative for non-local companies | UK-based representative | EU-based representative |
- Jurisdictional scope. The UK GDPR applies to organizations inside and outside the UK that offer goods or services to individuals in the UK or monitor their behaviour, while the EU GDPR protects individuals in the EU/EEA in the same way.
- Regulatory authorities. In the UK, the Information Commissioner's Office (ICO) is the single supervisory authority that enforces the UK GDPR. In the EU, each member state has its own Data Protection Authority (DPA), with the European Data Protection Board (EDPB) coordinating their work.
- Data transfers. Transfers from the UK to the EEA can continue without additional safeguards because the UK treats EEA countries as adequate. Transfers from the EU to the UK rely on the European Commission's adequacy decision for the UK, adopted in June 2021; without such a decision, standard contractual clauses or another transfer mechanism would be needed.
- Representatives. Companies outside the UK that process the personal data of individuals in the UK must appoint a UK representative, while non-EU organizations that target individuals in the EU must appoint an EU representative. A company established in neither may need both.
Who does UK GDPR apply to?
The UK GDPR applies to all organizations within or outside of the UK that process the personal data of UK residents. It includes data controllers or processors who offer goods or services to residents of the UK or monitor their behavior.
What are the main principles of UK GDPR?
The UK GDPR has 7 core data protection principles according to the ICO. Here are all of them explained:
- Lawfulness, fairness, and transparency – data must be processed on a valid lawful basis, in a way that is fair to the individual, and with clear, easily understood information about what is being done with it.
- Purpose limitation – data must be collected for specified, explicit, and legitimate purposes, and not further processed in a way that is incompatible with those purposes.
- Data minimization – data must be adequate, relevant, and limited to what is necessary for the stated purpose.
- Accuracy – data must be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased without delay.
- Storage limitation – data must not be kept in identifiable form for longer than necessary for the purposes it was collected for. Longer retention is allowed for archiving in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards.
- Integrity and confidentiality – personal data must be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
- Accountability – organizations are responsible for compliance with the other principles and must be able to demonstrate it.
What rights do individuals have under UK GDPR?
The UK GDPR states 8 user rights that give the natural person a level of protection and control over their privacy. They include:
- Right to be informed. Users must be informed how their data is collected and processed in a transparent manner.
- Right of access. Individuals can request a copy of their data by submitting a data subject access request (DSAR).
- Right to rectification. Users may ask organizations to correct inaccurate personal data.
- Right to erasure. If the personal data is no longer needed or the organization is involved in unlawful data processing, users can request data deletion.
- Right to restrict processing. Under certain circumstances, like unlawful data processing activity or no legitimate ground for processing, a user can request to limit data processing.
- Right to data portability. Individuals can request to receive their personal data in a simple, machine-readable format to transfer it to another company.
- Right to object. For certain purposes, like direct marketing, users can object to data processing.
- Rights related to automated decision making including profiling. Individuals have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on them, unless an exception applies; where it does, they can request human intervention, express their point of view, and contest the decision.
How to comply with UK GDPR?
UK GDPR compliance is similar to EU GDPR compliance. While it may seem challenging at first, let’s review a straightforward step-by-step guide to help your organization achieve proper compliance.
Step 1: Map out personal data
Complying with UK GDPR starts with understanding what data categories your organization collects and how it travels. This helps establish a proper legal basis for processing. Here’s how to map out your data:
- Find out where you collect data from. Locate all the places you collect data from. Take into account even third-party integrations.
- Check what data you collect. This can be such personal information as names, emails, social media, phone numbers, geolocation data, payment details, IP addresses, employee data, and more.
- Review special category data. Take into account whether your organization collects any special category data, such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data used for identification. Processing it requires both a lawful basis and a separate condition under Article 9. Criminal offence data is treated separately again under Article 10 and needs a condition from Schedule 1 of the Data Protection Act 2018.
- Determine a lawful basis for processing. Article 6 provides six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Record the basis for each processing activity; the ICO's interactive lawful basis tool can help you decide which one applies.
- Track where data is stored. Document where the data you collect is stored, including backups, logs, and processors' systems.
- Evaluate risks. Perform a data protection risk assessment, and where processing is likely to result in a high risk to individuals (for example, large-scale processing of special category data, systematic monitoring, or the use of new technologies) carry out a Data Protection Impact Assessment (DPIA) as required by Article 35.
Step 2: Obtain consent for processing
Consent is one of the six lawful bases, not a blanket requirement for all processing. Where you do rely on it (and for non-essential cookies, see Step 3), it must meet the standard set by Article 4(11) of the UK GDPR, which defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
To guarantee that consent is compliant with the UK GDPR, ensure the following:
- Make sure there is a clear affirmative action; for special category data, consent must additionally be explicit (Article 9(2)(a)).
- If on a website, place a consent banner in an easily accessible place, and do not start the processing before the user has acted on it.
- Make withdrawing consent as easy as giving it, and stop the processing when consent is withdrawn.
- Do not use technical jargon or legal language.
- Do not treat pre-ticked boxes, silence, inactivity, or closing the banner as valid consent.
- Keep a record of who consented, when, what they were told, and how, so you can demonstrate it later.
Step 3: Obtain cookie consent
Many online businesses use cookies and similar tracking technologies to collect personal information, whether to improve the user experience or for targeted advertising. In the UK, consent for cookies is required by regulation 6 of the Privacy and Electronic Communications Regulations (PECR), which sits alongside the UK GDPR and uses its definition of consent; only cookies that are strictly necessary for a service the user has asked for are exempt. To obtain consent, websites usually show a cookie banner with accept, reject, and manage preferences buttons. Here's an example of what a compliant banner looks like:
To ensure your cookie banner complies with PECR and the UK GDPR, follow these steps:
- Implement a cookie banner with transparent cookie text, where rejecting is as easy and as prominent as accepting.
- Allow granular consent so users can agree only to the categories of cookies they want.
- Publish a cookie policy that explains what each cookie does, who sets it, and how long it lasts.
- Include a link to your privacy or cookie policy in the cookie banner.
- Configure your banner so that no non-essential cookies or tags, first-party or third-party, fire until consent has been obtained.
- Record and store cookie consent (what was consented to, when, and under which version of the policy) in case you're required to demonstrate compliance.
- Include a widget that allows users to withdraw or change their consent during any session.
Step 4: Review your privacy policy
A privacy policy helps you stay compliant with UK GDPR by ensuring complete transparency towards consumers about an organization’s data processing and protection practices. It must be written in plain language so that every user can understand what they’re agreeing to.
Here are the main points a privacy policy should include:
- Contact information of your organization and, where you have appointed a Data Protection Officer (DPO), the DPO's contact details. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data.
- The types of personal data your organization collects
- The purpose of data processing
- Legal basis for data processing
- How long your organization retains data for
- Data subject rights
- Data sharing with other parties, including international transfers
Step 5: Create a DSAR management process
UK GDPR gives individuals the right to make a data subject access request (DSAR): a request to access the personal data your organization holds about them, together with supporting information such as the purposes of processing and who the data has been shared with. It can be made in person, through the website, by phone, by email, or by any other means, and it does not have to mention the UK GDPR or use the word "DSAR". To manage DSARs, follow these steps:
- Log the request and the date it was received
- Verify the identity of the data subject, asking only for what is proportionate
- Evaluate the nature and scope of the request and locate the data across all systems and processors
- Respond without undue delay and within one month of receipt; for complex or numerous requests this can be extended by up to two further months, but you must tell the individual within the first month
- Do not charge the data subject (unless the request is manifestly unfounded or excessive, in which case you may charge a reasonable fee or refuse it)
- Send the data in a commonly used, accessible format, redacting other people's personal data where necessary
- Keep a record of the request and your response as proof of compliance
Step 6: Create DPAs with third-party processors
If personal data that your organization collects is also processed on your behalf by third parties, such as your hosting provider, SaaS tools, or other software vendors, Article 28 of the UK GDPR requires a written contract with each of them. These contracts are usually called Data Processing Agreements (not to be confused with the Data Protection Authorities abbreviated DPA above), and they make the processor's obligations legally binding.
Here's what to know about creating a DPA:
- Make a list of third parties who process personal data on your behalf, and check where each one processes it; transfers outside the UK need an adequacy regulation or another appropriate safeguard.
- Sign a DPA with each processor that contains the mandatory terms set out in Article 28(3).
- Establish the obligations of the processor, such as processing data only on your documented instructions, keeping staff bound by confidentiality, assisting with data subject rights, and allowing audits.
- Ensure that the DPA requires processors to engage sub-processors only with your prior written authorisation, under the same terms.
- Make sure that the DPA requires deleting or returning the data at the end of the service.
- Describe the technical and organisational measures the processor must take to protect personal data.
- In case of a personal data breach, ensure that processors notify you without undue delay, so you can meet your own 72-hour deadline for notifying the ICO where the breach is likely to result in a risk to individuals.
Step 7: Adopt data security measures
Article 32 of the UK GDPR requires controllers and processors to implement technical and organisational measures that ensure a level of security appropriate to the risk. Here's a checklist to help organizations decide what "appropriate" means for them:
- Perform a risk and impact analysis, considering the nature, scope, and sensitivity of the data, to determine the level of security to put into place.
- Create an information security policy and regularly review and improve it.
- Pseudonymise and encrypt personal data at rest and in transit, so that a leaked dataset or lost device does not expose identifiable data.
- Adopt baseline technical controls, such as those specified by Cyber Essentials (firewalls, secure configuration, access control, malware protection, and patching), and enforce least privilege on who can access personal data.
- Keep tested backups so your organization can restore the availability of and access to personal data in a timely manner after a physical or technical incident.
- Regularly test, assess, and evaluate the effectiveness of your security measures, for example with vulnerability scanning, penetration tests, and restore drills.
Frequently asked questions
No, the EU General Data Protection Regulation (GDPR) doesn't apply in the UK. However, the UK has created its own domestic version of the GDPR, known as the UK GDPR. It has the same key principles as the EU GDPR and applies to all organizations that process the personal data of individuals in the UK. Together with the Data Protection Act 2018, they are known as the UK data protection regime.
UK GDPR-compliant consent is a freely given, specific, informed, and unambiguous indication of the user's wishes, given by a clear affirmative action. This means providing users with real choices, such as granular consent for specific purposes, no pre-ticked boxes, and a way to withdraw consent that is as easy as giving it.
The Information Commissioner's Office (ICO) is the supervisory authority for the UK GDPR. Its responsibilities include enforcing the regulation, handling complaints, and providing guidance for both organizations and individuals.
Yes, the UK GDPR applies to all controllers and processors that offer goods or services to individuals in the UK or monitor their behaviour, even if they're established outside the UK.
A UK company is subject to the UK GDPR for the personal data of individuals in the UK, and additionally to the EU GDPR if it offers goods or services to, or monitors the behaviour of, individuals in the EU.