United Kingdom · updated 2026-06-15
United Kingdom
Post-Brexit Britain kept GDPR nearly wholesale as 'UK GDPR' — same rights, same 72-hour breach rule, fines in pounds. If you comply in the EU you're ~95% done, but you may need two representatives and the ICO's registration fee.
- Law:
- UK GDPR + Data Protection Act 2018 + PECR (+ DUAA 2025 reforms)
- Regulator:
- ICO (Information Commissioner's Office)
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
£17,500,000 or 4% of global annual revenue, whichever is higher
What United Kingdom requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
ICO registration & data protection fee
Data Protection (Charges) Regulations 2018A UK-specific quirk: nearly every organisation processing personal data must register with the ICO and pay an annual fee (£40–£2,900 by size).
How to implement Register at ico.org.uk in about 15 minutes. Not paying is a fineable offence on its own, and the ICO chases non-payers by letter — this catches out foreign companies constantly.
Required -
Privacy policy
Art. 13–14 UK GDPRPrivacy notice naming the ICO as complaint authority, with UK-specific details like your ICO registration number and UK representative if you have no UK establishment.
How to implement One combined UK/EU policy works — add a jurisdiction section covering the ICO, your UK representative, and pounds-denominated rights info.
Required -
Cookie consent banner
PECR Reg. 6Opt-in consent for non-essential cookies; DUAA 2025 created narrow exemptions for statistical analytics, but marketing and cross-site tracking still require consent.
How to implement Keep your EU-grade banner for the UK. The ICO's 2023–24 sweep of top UK sites demanded 'reject all' at the first layer and named non-compliant publishers publicly.
Required -
UK representative
Art. 27 UK GDPRCompanies outside the UK regularly serving UK users need a UK-based representative (mirror of the EU's Art. 27 requirement).
How to implement Representative services cost roughly £100–300/year. If you're EU-based and serve both markets, you may need one representative in each — a common post-Brexit surprise.
Conditional -
Records of processing (ROPA)
Art. 30 UK GDPRRegister of processing activities; DUAA renames and slims this for smaller organisations but keeping a full ROPA satisfies both regimes.
How to implement Reuse your EU ROPA with a UK transfers column. The ICO publishes free templates sized for small businesses.
Required -
Breach notification process
Art. 33–34 UK GDPR72-hour ICO notification plus individual notification for high-risk breaches.
How to implement The ICO uniquely offers a phone line for breach reporting and a public self-assessment tool — bookmark both in your incident runbook.
Required -
Children's code (Age Appropriate Design Code)
DPA 2018 s.123Services likely accessed by under-18s must follow the ICO's 15 design standards: high-privacy defaults, no nudging, geolocation off by default.
How to implement The TikTok fine came from this territory. If minors plausibly use your product, run the ICO's children's code self-assessment before UK launch.
Conditional
The details
- Cookie consent
- PECR requires opt-in consent for non-essential cookies. The 2025 Data (Use and Access) Act relaxed this for low-risk analytics cookies, but marketing trackers still need consent — and the ICO now fines cookie-banner dark patterns directly.
- Data Protection Officer
- UK GDPR baseline mirrors the EU: mandatory for public bodies, large-scale monitoring, or large-scale special-category data. DUAA reforms replace the DPO with a 'senior responsible individual' regime for some organisations.
- Processing agreements
- Art. 28 UK GDPR contracts required with all processors. UK-EU data flows rest on an adequacy decision (renewed in 2025), so intra-UK/EU transfers need no extra mechanism for now.
- Breach notification
- Report qualifying breaches to the ICO within 72 hours via its online tool or phone line. The ICO's self-assessment checker helps decide whether a breach is reportable.
- Enforcement in practice
- British Airways was fined £20M (reduced from £183M) and Marriott £18.4M over breaches; the ICO has since fined TikTok £12.7M over children's data.
Data subject rights
What users can demand from you in United Kingdom, and the engineering that satisfies each right.
Right to access (SAR)
Art. 15 UK GDPRSubject access requests — the UK's highest-volume right, with one month to respond.
UK employees and consumers use SARs heavily, including in disputes. The ICO allows a 'stop the clock' for identity verification and clarification — document each pause.
Right to erasure
Art. 17 UK GDPRDeletion when data is no longer necessary or consent withdrawn.
UK tax law requires 6-year retention of business records — cite it for financial data.
Right to data portability
Art. 20 UK GDPRMachine-readable export of user-provided data.
The same JSON/CSV export you built for the EU satisfies UK GDPR.
Right to rectification
Art. 16 UK GDPRCorrection of inaccurate personal data.
Self-service edits plus a support channel.
Right to restrict processing & to object
Art. 18, 21 UK GDPRFreeze during disputes; absolute objection to direct marketing.
PECR adds marketing rules: consent for email/SMS marketing (soft opt-in for existing customers) and TPS/CTPS screening for calls. PECR fines are the ICO's most frequent enforcement action.
Automated decision-making
Art. 22 UK GDPRProtection against solely automated significant decisions — relaxed by DUAA 2025 for non-special-category data, with safeguards.
DUAA permits more automated decisions if you provide information, human-review routes, and contest mechanisms. Keep those three safeguards and you satisfy both old and new regimes.
Tools that cover United Kingdom
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
privacy policy
iubenda
Generates combined UK/EU policies with ICO-specific sections and PECR cookie policies.
Visit iubenda → -
compliance suite
OneTrust
Handles dual UK/EU compliance programmes, SAR workflows, and children's code assessments.
Visit OneTrust → -
cookie consent
Cookiebot
CMP with per-region rules — useful for running DUAA-relaxed analytics in the UK and stricter EU settings simultaneously.
Visit Cookiebot →
Frequently asked questions
Is UK GDPR different from EU GDPR?
It started as a copy-paste with pounds instead of euros. The 2025 Data (Use and Access) Act diverged modestly: relaxed analytics-cookie rules, a looser automated-decision regime, and reformed ICO governance. EU-grade compliance still satisfies UK requirements in practice — the reverse is no longer always true.
Do I need to pay the ICO fee if I'm not a UK company?
If you're established in the UK, yes. If you're abroad but monitor or sell to UK users, you need a UK representative, and registration is strongly advisable. The fee is £40–£2,900 a year, and non-payment is the ICO's most-issued penalty.
Can data flow freely between the UK and EU?
Yes for now — the EU renewed the UK's adequacy decision in 2025, so no SCCs are needed in either direction. Watch this space though: each UK reform round triggers an EU review of adequacy.
What catches SaaS companies out most in the UK?
Three things: the ICO registration fee (unknown outside the UK), needing a UK representative on top of an EU one, and PECR marketing rules — the ICO fines spam texts and emails far more often than GDPR violations.
Similar jurisdictions
Free download
Get GDPR updates for United Kingdom
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.