The UK GDPR is the data privacy regulation that governs the processing of the personal data of residents in the United Kingdom (UK). In simple terms, it is the UK’s version of the EU General Data Protection Regulation (GDPR).
Quick facts about UK GDPR
- UK GDPR is the UK’s own version of GDPR, implemented after UK’s exit from the EU (Brexit)
- The UK GDPR became effective from 01 January 2021
- It is nearly identical to the EU GDPR, but expands its scope in 3 areas: National security, Intelligence services and Immigration
- The UK GDPR merges two pre-existing data protection regimes, namely the EU GDPR and the DPA 2018.
- The Information Commissioner’s Office (ICO) is the enforcement agency for the UK GDPR.
- UK GDPR sets the same standards for consent as the EU GDPR.
- You must have a valid lawful basis in order to process personal data.
- The six lawful bases for processing are: consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
- Under UK GDPR, the transfer of data from the UK to the EEA is allowed.
- Transfers of data from the EU to the UK are also permitted under the UK adequacy decision of June 2021 (valid till June 2025).
- Transfers of data from the UK to third countries like the US, Canada, etc. are allowed if businesses are subject to appropriate safeguards and exceptions.
- UK businesses need to appoint an EU representative if they offer goods or services to individuals in the EU or monitor their behaviour (which could include the use of cookies on a website).
- Find the UK GDPR Full Text
- For official rules, refer to the UK GDPR ICO guidelines
How did the EU GDPR become the UK GDPR?
To prepare for Brexit, the UK government adopted the European Union (Withdrawal) Act 2018, which incorporates EU regulations into domestic law. The General Data Protection Regulation 2016/679 (EU) was included in UK’s domestic law till the end of the Brexit transition period on 31 December 2020. After this period, the EU GDPR does not apply in the UK and has been replaced by the UK GDPR.
The UK GDPR mirrors the EU GDPR regulations and officially came into effect on the 1st of January 2021.
Which UK Act of Parliament was created to incorporate GDPR?
The Data Protection Act (DPA) 2018, which set out the data protection framework in the UK, was also amended on 01 January 2021 to reflect the UK’s status outside the EU. The DPA was tailored to be read in conjunction with the new UK GDPR.
Who does UK GDPR apply to?
UK GDPR applies to all organisations that process the personal data of UK residents. Any business that processes the data of UK residents, including third-party processors, can be held liable under GDPR.
The UK GDPR applies to:
- Businesses based in the UK that process personal information of data subjects in the UK.
- Businesses that are not based in the UK, but offer products or services (paid or for free) to UK residents or monitor their behaviour.
Note: Businesses that operate in Europe need to comply with both the UK GDPR and the EU GDPR, which is regulated separately by European supervisory authorities.
What is UK GDPR?
The UK GDPR establishes the key principles of processing personal data in the UK, sets out the rights of consumers and obligations for businesses, based on the EU GDPR.
UK GDPR is built around two key principles:
- Businesses need to establish a purpose for collecting and processing personal data and implement security measures to protect the data from breach or misuse.
- Individuals whose personal data is collected will have certain rights to the data including the ability to review, amend or challenge data processing practices.
How is UK GDPR different from EU GDPR?
The UK GDPR differs from EU GDPR in certain key areas including:
- National security
- Intelligence services
- Immigration
The UK GDPR sets out specific exemptions under which personal data rights can be restricted, e.g. in matters of national security, immigration or intelligence services.
What are the key definitions of UK GDPR?
- Personal data: Any information related to an identified or identifiable natural person i.e. a data subject.
- Processing: Any action performed on or with personal data, including collecting, storing, sharing, modifying, erasing and destroying it.
- Controller: The organization that determines why and how personal data is processed; usually the business that collects the data.
- Processor: A company that processes personal data on behalf of the controller.
- Consent: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by a clear affirmative action that signifies agreement to the processing of personal data relating to him or her.
- Third party: Any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor, or persons who, under the direct authority of the controller or processor, are authorised to process personal data.
What are the data subject rights under UK GDPR?
The UK GDPR provides the following rights for individuals:
- Right to be informed: Individuals have the right to be informed about what data is being collected, its purpose, how long it will be stored and whether it will be shared with any third parties.
- Right of access: Individuals have the right to submit data subject access requests (DSAR) requesting organisations to provide a copy of any personal data they hold concerning the individual.
- Right to rectification: Individuals have the right to request an organization to correct their inaccurate or incomplete personal data.
- Right to erasure: Individuals can request that organisations erase their data in certain circumstances, for example if the data is no longer necessary or is being unlawfully processed.
- Right to restrict processing: Individuals can request that an organisation limits the processing of their personal data.
- Right to data portability: Individuals have the right to obtain their personal data for their own purposes in a structured machine-readable format and transfer it to another organisation.
- Right to object: Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority.
- Rights in relation to automated decision making and profiling: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling.
UK GDPR Summary [Infographic]
How to comply with UK GDPR?
UK GDPR compliance requires that you understand the implications of the Regulation. Here’s a UK GDPR compliance checklist.
01 Audit and map personal data you process
The first and most important step is to identify the kind of personal data you are collecting, storing and processing. Auditing your data will enable you to make informed decisions about how you can comply with GDPR. Start with an internal audit to understand what data you process and how you process it.
Identify categories of data
Identify the categories of data you collect and catalogue them. Different types of data you may be collecting are:
- Names, emails, phone numbers
- Display pictures, social media IDs and profile URLs
- Website logs like IP addresses, user agents and device IDs
- Audio and video recordings of users
- Payment details like bank account number and credit card information
- Geolocation data
- Email and lead lists
- Current or previous employee data
- Sensitive categories of personal data such as:
  - Racial or ethnic origin
  - Political opinions, religious or philosophical beliefs
  - Trade union membership
  - Genetic data, biometric data
If you process sensitive data or minors’ data, you need to have additional provisions in place such as acquiring parental consent, a Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO).
Review the legal basis for processing
GDPR provides for six legal bases for processing personal data: consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
- There must be only one legal basis for processing at a time and it must be established before the processing begins.
- The legal basis should also be demonstrable at all times i.e. a business must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each user.
Review data storage
Under UK GDPR, businesses are obliged to comply with users’ rights to access, edit and delete their personal data collected by a business. So, it is crucial that you have a secure system in place to store data.
- Identify where all the data collected is stored, i.e. conduct a data mapping exercise.
- Create a map of how data flows to, through and out of your business, and map the internal assets, vendors and third parties with whom you share the data.
- Use this data map to identify risks in your data processing activities and determine if you require a streamlined data protection impact assessment.
- Ensure that data is stored on secure servers and that your business has technical and organisational security measures to safeguard it and to reduce the risk of loss, misuse, and unauthorised access, disclosure and alteration.
02 Obtain opt-in consent for personal data
GDPR mandates that to process personal data, you have to obtain clear and explicit consent. Consent is identified as a lawful basis for data processing. Consent under GDPR must be freely given, specific, informed and unambiguous. In order for consent to be free, it should be voluntary i.e. the user must have a real choice.
GDPR UK rules require that:
- The user gives consent through an unambiguous indication by clear affirmative action.
- Examples of active opt-in consent include:
  - Ticking an opt-in box on paper or electronically
  - Clicking an opt-in button or link online
  - Selecting from equally prominent yes/no options
- Ensure that consent forms are placed prominently.
- Use jargon-free straightforward language to obtain consent.
- You cannot rely on lack of response, inactivity, pre-ticked boxes, default settings or blanket acceptance as signs of consent.
- Provide easy ways for the individual to opt-out or withdraw consent in the future.
03 Obtain cookie consent
Cookies are one of the most common ways in which businesses collect and share personal data online. Therefore, GDPR’s consent standards extend to the use of cookies on websites, i.e. you need to get active consent before dropping cookies on a user’s browser.
Checklist for UK GDPR compliance for cookies
- Display a cookie consent banner that gives users the option to accept, reject or set cookie preferences.
- Give users granular control to change/set cookie preferences.
- Customize your cookie banner as per your site’s visual style and design.
- Auto-translate your banner as per the user’s browser language so the user can make an informed choice.
- Scan your website for cookies periodically and get your cookie list auto-updated.
- Auto-block third-party cookies like Google Analytics and Facebook pixels until users give consent.
- Record all cookie consents to demonstrate proof of consent.
- Display a callback widget so users can withdraw consent at any time.
- Generate a custom cookie policy and add it on your website or link it to your cookie banner.
Here’s a sample GDPR cookie consent banner from CookieYes.
What not to do on your website
- Assume consent if users ignore the cookie banner and continue browsing
- Use pre-ticked boxes or pre-selected cookie categories like advertisement, analytics, performance cookies
- Use cookie walls and popups that prevent the user from accessing the website until the user gives consent
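The cookie checklist and the "what not to do" list above in working form, as an added example that is not CookieYes code: every non-necessary category defaults to denied (no pre-selected boxes), ignoring the banner grants nothing, each decision is logged as proof of consent, consent can be withdrawn at any time, and third-party script tags stay inert until consent covers their category. The tag convention (`type="text/plain"` plus a `data-category` attribute) and the policy version string are assumptions made for this example.

```javascript
// Consent categories offered on the banner; "necessary" cannot be refused.
const CATEGORIES = ['necessary', 'analytics', 'advertisement', 'performance'];
const POLICY_VERSION = 'cookie-policy-v1'; // constructed value for this example

function createConsentManager(clock = () => new Date().toISOString()) {
  // No decision yet: nothing is pre-selected, only strictly necessary cookies run.
  let decided = false;
  let granted = { necessary: true };
  const log = []; // proof-of-consent records (action, choices, timestamp, policy version)

  function record(action) {
    log.push({ action, granted: { ...granted }, at: clock(), policy: POLICY_VERSION });
  }

  // Ignoring or dismissing the banner leaves "decided" false, so this returns false
  // for every non-necessary category: no consent is inferred from inactivity.
  function isAllowed(category) {
    return category === 'necessary' || (decided && granted[category] === true);
  }

  // Granular choice: "chosen" holds only the categories the user actively ticked.
  function save(chosen, action = 'save') {
    granted = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== 'necessary') granted[c] = chosen.includes(c);
    }
    decided = true;
    record(action);
  }

  // Withdrawal is as easy as giving consent and is itself recorded.
  function withdraw() {
    decided = false;
    granted = { necessary: true };
    record('withdraw');
  }

  // Given tags like { category, src }, return only those consent currently covers;
  // third-party tags (analytics, ad pixels) are filtered out until that point.
  function scriptsToActivate(tags) {
    return tags.filter((t) => isAllowed(t.category));
  }

  return {
    isAllowed,
    save,
    acceptAll: () => save(CATEGORIES, 'accept_all'),
    rejectAll: () => save([], 'reject_all'),
    withdraw,
    scriptsToActivate,
    records: () => log.map((r) => ({ ...r })),
  };
}

// Browser glue (skipped when there is no DOM, e.g. under Node). Third-party tags
// are written as <script type="text/plain" data-category="analytics" src="...">,
// which the browser never executes; they are swapped for live tags only once
// consent covers their category. Returns the number of tags activated.
function activateBlockedScripts(manager, doc = typeof document === 'undefined' ? null : document) {
  if (!doc) return 0;
  let activated = 0;
  for (const tag of Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))) {
    if (!manager.isAllowed(tag.getAttribute('data-category'))) continue;
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

Call `activateBlockedScripts(manager)` after `save`, `acceptAll` or `rejectAll` to load whatever the recorded choice now permits; after `withdraw`, already-loaded scripts cannot be unloaded, so the page should also clear the cookies they set.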
CookieYes for UK GDPR cookie compliance
CookieYes is a cookie consent solution used by over 1 million websites worldwide to comply with privacy laws like GDPR, CCPA, ePrivacy Directive, CNIL, Singapore PDPA and LGPD.
Step 1. Sign up on CookieYes for free
Fill in your email address, your website domain and a password to get started. The trial is free for 14 days.
Step 2. Select and customize the template
Select a cookie banner template and customize it or select the default GDPR compliant banner and preview it.
Step 3. Activate your cookie banner
Now, you can activate it on your website. Copy the script and paste it between the <head> and </head> tags on your website.
You are done!
You have added a GDPR compliant cookie banner to your website. Now head to the Dashboard and explore more features.
04 Update your privacy policy
A key principle of UK GDPR is to keep users informed of how businesses collect, use, share, secure and process their personal data. So, your privacy policy should aim to reflect this.
Your privacy policies should primarily:
- Inform users about the personal data you collect, your purpose for collecting and how you are ensuring that their personal data is protected
- Describe the users’ rights under GDPR
- Be available in a concise, transparent, and accessible form
- Be written in clear and plain language
- Direct users on how to access and rectify their data
Here’s a list of questions that your privacy policy should answer:
- What data do we collect?
- How do we collect data?
- How do we use your data?
- How do we store data?
- What are your rights under GDPR?
- What type of cookies do we use?
- How can you manage the cookies we use?
- Are there any recent changes to our privacy policy?
- How to contact us?
- How to access, modify or delete your data?
CookieYes features a free privacy policy generator that will help you create a GDPR compliant privacy policy in minutes. All you have to do is fill in the required fields and generate your privacy policy!
05 Manage DSAR requests
The right of access is one of the rights under the UK GDPR. Data Subject Access Requests (DSAR) are a mechanism through which your users can contact your business and request access to information on the personal data you have collected about them, how you use it, or which third parties have access to it.
Under GDPR UK, an individual can make a subject access request using any available method, including in-person, over the phone, via email or social media, as a written request or via websites. In order to speed up and streamline the process, you can implement a DSAR form on your website. The following steps are recommended when dealing with DSAR:
- Verify the data subject’s identity
- Review and assess the nature of the request
- Collate the data
- Deliver the requested information
- Record your response
According to the Information Commissioner’s Office (ICO), organizations have to respond as soon as possible, without undue delay and within one month. You cannot charge a fee for DSAR fulfilment unless the request is unfounded or excessive.
06 Establish agreements with processors
If your business uses third parties or data processors such as vendors that process personal data on your behalf, you need to establish agreements with them. They could be cloud services, hosting companies, software, or tools where you share the personal data of users as part of your business operations.
Under GDPR UK, data controllers are responsible for the actions of data processors. Processors are required to act only on documented instructions from the controller.
- Identify and list vendors who process data on your behalf. It is important to keep track of who you share data with because you are required to provide this information in your privacy policy, as we have already seen in this article.
- Ensure that you have Data Protection Agreements (DPAs) with all your vendors so that they fulfil all the necessary GDPR requirements.
- Collaborate with your vendor to ensure that they implement technical and organizational measures for compliance.
- Ensure that the agreement requires the processor to delete or return all personal data to the controller after the end of their agreement and delete existing copies of data.
- Undertake audits, periodic inspections and surveys so that vendors can demonstrate compliance initiatives backed by documentation.
07 Implement technical safeguards to secure data
Article 32 of the UK GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk of processing personal data.
- Review the state of your current security measures and assess if new measures need to be implemented.
- Adopt an information security policy and ensure that it is enforced.
- Use encryption or pseudonymisation where appropriate.
- Have technical controls such as those specified by established frameworks like Cyber Essentials.
- Conduct regular testing and reviews of your measures to ensure their effectiveness.
- Put in place a mechanism to detect, report and investigate personal data breaches.
You can refer to the ICO guidelines for a complete checklist.
FAQ on UK GDPR
Yes. The UK is still covered by the domestic version of the EU GDPR, namely the UK GDPR. The UK GDPR came into effect on 01 January 2021, following Brexit. It is essentially equivalent to EU GDPR and will regulate the processing of personal data in the UK and requires the same legal grounds for managing personal data as EU GDPR.
Yes, the UK GDPR is currently in effect. After Brexit, the UK was in a transition period till 31 December 2020. After this transition period came to an end, the EU data protection legislation, GDPR was formally incorporated in UK domestic law and the UK GDPR came into effect on 01 January 2021.
The Data Protection Act 2018 will also remain in place, in conjunction with the UK GDPR. Similarly, the Privacy and Electronic Communications Regulations (PECR) will also be applicable in the UK.
Yes, GDPR is still valid in the UK. Post-Brexit, it has been adopted into domestic privacy law and termed the UK GDPR. The regulation is borrowed almost word for word from its EU version, except that it protects the personal data of UK residents. So any organization that collects personal data of UK residents to offer them goods and services, or monitors their behaviour taking place in the UK, must adhere to the same requirements as before.
The UK GDPR, supplemented by the Data Protection Act 2018 (DPA 2018), forms the UK data protection regime.
When the UK was preparing for Brexit, the government introduced new data protection legislation, the Data Protection Act 2018, which replaced the old Data Protection Act 1998. It was passed to implement the provisions of the General Data Protection Regulation (GDPR) in UK law. The DPA 2018 extends the scope of GDPR to include provisions such as processing relating to immigration and automated processing in public bodies.
The consent should meet certain conditions set forth by the GDPR in Article 4(11) and Article 7. UK GDPR compliant consent should be:
– Freely given i.e. the user should have a genuine choice.
– Specific and informed i.e. the user should have information about the data being collected, and the purposes for which they are used.
– Unambiguous and affirmative i.e. consent should be given through a clear and positive action.
– Data controllers should be able to demonstrate proof of consent.
– When asking for user consent, it should be easily accessible and available in clear and plain language.
– Users should have the right to withdraw consent easily and at any time.
The European Commission granted a GDPR adequacy decision to the UK in July 2021, which will be valid till July 2025. The decision means that the EU has determined that the UK has adequate data protection laws to allow personal data to be transferred from the EU and EEA to the UK.
Along with GDPR, the Privacy and Electronic Communications Regulations (PECR) UK is another law that governs the electronic communication sector in the UK.
The PECR sits alongside the Data Protection Act and the UK GDPR and regulates:
– Marketing calls, emails, texts and faxes
– Cookies (and similar technologies)
– Electronic communication networks
PECR is the UK version of the ePrivacy Directive (or EU cookie law). Therefore, it regulates the use of cookies. As per the law, businesses cannot store or gain access to information stored in the terminal equipment of users unless they provide clear and comprehensive information about the purposes of the storage of, or access to, that information.
There are two tiers of penalty – the higher maximum and the standard maximum, issued by the Information Commissioner’s Office (ICO).
– A maximum fine of £17.5 million or 4 per cent of annual global turnover, whichever is greater, for infringement of any of the data protection principles or rights of individuals
– A maximum fine of £8.7 million or 2 per cent of annual global turnover, whichever is greater, for infringement of other provisions, such as administrative requirements of the legislation
As the UK is no longer part of the EU after Brexit, the UK Government is exploring whether to diverge from the EU GDPR and is consulting on whether it can “reshape its approach” to data privacy legislation.
In September 2021, the UK government unveiled a consultation document to reform its data protection laws, open for public comment until 19 November 2021. It is the first post-Brexit review of the GDPR in the UK, and the Government sees it as an opportunity for radical change to the UK’s data protection regime.
The consultation document, titled Data: a new direction, has proposed several reforms, including the cookie rules. These include:
– Permitting organisations to use “analytics cookies and similar technologies” without consent i.e. treat them as strictly necessary. (198)
– Permitting organisations to store information on, or collect information from, a user’s device without consent for certain limited purposes. (200)
– Maintaining the consent requirement for “invasive tracking purposes, micro-targeting and real-time bidding.” (202)
After the consultation process, where the Government received nearly 3,000 responses, the Department for Digital, Culture, Media and Sport (DCMS) detailed its proposed reforms to the UK GDPR in the Data Protection and Digital Information Bill.
In November 2023, the House of Commons approved a 124-page amendment to the Bill.
Is there a difference between UK GDPR and EU GDPR?
Notable differences between the GDPRs in the UK and EU include the following:
| UK GDPR | EU GDPR
---|---|---
Expanded scope | Includes personal data collected for national security, immigration, and intelligence services (with some exceptions) | Excludes personal data collected for national security, immigration, and intelligence services
Age of consent | 13 | 16 (could be 13, depending on Member State law)
Enforcing body | Information Commissioner’s Office (ICO) | European Data Protection Board (EDPB), European Commission, and Member State data protection authorities