Skip to content
GDPR by Law

United Kingdom · updated 2026-06-15

United Kingdom

Conditional

Post-Brexit Britain kept GDPR nearly wholesale as 'UK GDPR' — same rights, same 72-hour breach rule, fines in pounds. If you comply in the EU you're ~95% done, but you may need two representatives and the ICO's registration fee.

Law:
UK GDPR + Data Protection Act 2018 + PECR (+ DUAA 2025 reforms)
Regulator:
ICO (Information Commissioner's Office)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

£17,500,000 or 4% of global annual revenue, whichever is higher

What United Kingdom requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. ICO registration & data protection fee

    Data Protection (Charges) Regulations 2018

    A UK-specific quirk: nearly every organisation processing personal data must register with the ICO and pay an annual fee (£40–£2,900 by size).

    How to implement Register at ico.org.uk in about 15 minutes. Not paying is a fineable offence on its own, and the ICO chases non-payers by letter — this catches out foreign companies constantly.

    Required
  2. Privacy policy

    Art. 13–14 UK GDPR

    Privacy notice naming the ICO as complaint authority, with UK-specific details like your ICO registration number and UK representative if you have no UK establishment.

    How to implement One combined UK/EU policy works — add a jurisdiction section covering the ICO, your UK representative, and pounds-denominated rights info.

    Required
  3. Cookie consent banner

    PECR Reg. 6

    Opt-in consent for non-essential cookies; DUAA 2025 created narrow exemptions for statistical analytics, but marketing and cross-site tracking still require consent.

    How to implement Keep your EU-grade banner for the UK. The ICO's 2023–24 sweep of top UK sites demanded 'reject all' at the first layer and named non-compliant publishers publicly.

    Required
  4. UK representative

    Art. 27 UK GDPR

    Companies outside the UK regularly serving UK users need a UK-based representative (mirror of the EU's Art. 27 requirement).

    How to implement Representative services cost roughly £100–300/year. If you're EU-based and serve both markets, you may need one representative in each — a common post-Brexit surprise.

    Conditional
  5. Records of processing (ROPA)

    Art. 30 UK GDPR

    Register of processing activities; DUAA renames and slims this for smaller organisations but keeping a full ROPA satisfies both regimes.

    How to implement Reuse your EU ROPA with a UK transfers column. The ICO publishes free templates sized for small businesses.

    Required
  6. Breach notification process

    Art. 33–34 UK GDPR

    72-hour ICO notification plus individual notification for high-risk breaches.

    How to implement The ICO uniquely offers a phone line for breach reporting and a public self-assessment tool — bookmark both in your incident runbook.

    Required
  7. Children's code (Age Appropriate Design Code)

    DPA 2018 s.123

    Services likely accessed by under-18s must follow the ICO's 15 design standards: high-privacy defaults, no nudging, geolocation off by default.

    How to implement The TikTok fine came from this territory. If minors plausibly use your product, run the ICO's children's code self-assessment before UK launch.

    Conditional

The details

Cookie consent
PECR requires opt-in consent for non-essential cookies. The 2025 Data (Use and Access) Act relaxed this for low-risk analytics cookies, but marketing trackers still need consent — and the ICO now fines cookie-banner dark patterns directly.
Data Protection Officer
UK GDPR baseline mirrors the EU: mandatory for public bodies, large-scale monitoring, or large-scale special-category data. DUAA reforms replace the DPO with a 'senior responsible individual' regime for some organisations.
Processing agreements
Art. 28 UK GDPR contracts required with all processors. UK-EU data flows rest on an adequacy decision (renewed in 2025), so intra-UK/EU transfers need no extra mechanism for now.
Breach notification
Report qualifying breaches to the ICO within 72 hours via its online tool or phone line. The ICO's self-assessment checker helps decide whether a breach is reportable.
Enforcement in practice
British Airways was fined £20M (reduced from £183M) and Marriott £18.4M over breaches; the ICO has since fined TikTok £12.7M over children's data.

Data subject rights

What users can demand from you in United Kingdom, and the engineering that satisfies each right.

Right to access (SAR)

Art. 15 UK GDPR

Subject access requests — the UK's highest-volume right, with one month to respond.

UK employees and consumers use SARs heavily, including in disputes. The ICO allows a 'stop the clock' for identity verification and clarification — document each pause.

Right to erasure

Art. 17 UK GDPR

Deletion when data is no longer necessary or consent withdrawn.

UK tax law requires 6-year retention of business records — cite it for financial data.

Right to data portability

Art. 20 UK GDPR

Machine-readable export of user-provided data.

The same JSON/CSV export you built for the EU satisfies UK GDPR.

Right to rectification

Art. 16 UK GDPR

Correction of inaccurate personal data.

Self-service edits plus a support channel.

Right to restrict processing & to object

Art. 18, 21 UK GDPR

Freeze during disputes; absolute objection to direct marketing.

PECR adds marketing rules: consent for email/SMS marketing (soft opt-in for existing customers) and TPS/CTPS screening for calls. PECR fines are the ICO's most frequent enforcement action.

Automated decision-making

Art. 22 UK GDPR

Protection against solely automated significant decisions — relaxed by DUAA 2025 for non-special-category data, with safeguards.

DUAA permits more automated decisions if you provide information, human-review routes, and contest mechanisms. Keep those three safeguards and you satisfy both old and new regimes.

Tools that cover United Kingdom

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • privacy policy

    iubenda

    Generates combined UK/EU policies with ICO-specific sections and PECR cookie policies.

    Visit iubenda →
  • compliance suite

    OneTrust

    Handles dual UK/EU compliance programmes, SAR workflows, and children's code assessments.

    Visit OneTrust →
  • cookie consent

    Cookiebot

    CMP with per-region rules — useful for running DUAA-relaxed analytics in the UK and stricter EU settings simultaneously.

    Visit Cookiebot →

Frequently asked questions

Is UK GDPR different from EU GDPR?

It started as a copy-paste with pounds instead of euros. The 2025 Data (Use and Access) Act diverged modestly: relaxed analytics-cookie rules, a looser automated-decision regime, and reformed ICO governance. EU-grade compliance still satisfies UK requirements in practice — the reverse is no longer always true.

Do I need to pay the ICO fee if I'm not a UK company?

If you're established in the UK, yes. If you're abroad but monitor or sell to UK users, you need a UK representative, and registration is strongly advisable. The fee is £40–£2,900 a year, and non-payment is the ICO's most-issued penalty.

Can data flow freely between the UK and EU?

Yes for now — the EU renewed the UK's adequacy decision in 2025, so no SCCs are needed in either direction. Watch this space though: each UK reform round triggers an EU review of adequacy.

What catches SaaS companies out most in the UK?

Three things: the ICO registration fee (unknown outside the UK), needing a UK representative on top of an EU one, and PECR marketing rules — the ICO fines spam texts and emails far more often than GDPR violations.

Similar jurisdictions

Free download

Get GDPR updates for United Kingdom

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.