The UK GDPR is the data privacy regulation that governs the processing of the personal data of residents in the United Kingdom (UK). In simple terms, it is the UK’s version of the General Data Protection Regulation (GDPR) that came into effect in Europe on May 25, 2018.
How did the EU GDPR become the UK GDPR?
To prepare for Brexit, the UK government adopted the European Union (Withdrawal) Act 2018, which incorporates EU regulations into domestic law. The General Data Protection Regulation 2016/679 (EU) was included in UK’s domestic law till the end of the Brexit transition period on 31 December 2020. After this period, the EU GDPR does not apply in the UK and has been replaced by the UK GDPR. So, the UK GDPR officially came into effect on 01 January 2021.
Which UK Act of Parliament was created to incorporate GDPR?
The Data Protection Act (DPA) 2018 which set out the data protection framework in the UK was also amended on 01 January 2021 to reflect the UK’s status outside the EU. The DPA was tailored to be read in conjunction with the new UK GDPR.
What is UK GDPR?
The UK GDPR establishes the key principles of processing personal data in the UK, sets out the rights of consumers and obligations for businesses, based on the EU GDPR.
Essentially, UK GDPR is built around two key principles:
- Businesses need to establish a purpose for collecting and processing personal data and implement security measures to protect the data from breach or misuse.
- Individuals whose personal data is collected will have certain rights to the data including the ability to review, amend or challenge data processing practices
What are the key definitions of UK GDPR?
- Personal data: Any information related to an identified or identifiable natural person i.e. a data subject.
- Processing: Any action performed on or with personal data including collecting, deleting, storing, sharing, modifying, erasure and destruction
- Controller: The organization that determines why and how personal data gets processed, usually refers to the business that’s collecting the data
- Processor: A company that processes personal data on behalf of the controller
- Consent: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by a clear affirmative action that signifies agreement to the processing of personal data relating to him or her.
- Third-party: Any organization other than the data subject, controller, processor, person or entity under the direct authority of the controller or processor, who is authorised to process personal data.
Who does UK GDPR apply to?
UK GDPR applies to all organisations that process the personal data of UK residents. Any business that processes the data of the UK residents including third-party processors, can be held liable under GDPR.
The GDPR applies:
- If a business is based in the UK and process personal information of data subjects in the UK
- If a business is not based in the UK, but offers products or services (paid or for free) to UK residents or monitor their behaviour
Businesses that operate in Europe need to comply with both the UK GDPR and the EU GDPR, which is regulated separately by European supervisory authorities.
What are the data subject rights under UK GDPR?
The UK GDPR provides the following rights for individuals:
- The right to be informed: Individuals have the right to be informed about what data is being collected, its purpose, how long it will be stored and whether it will be shared with any third parties.
- The right of access: Individuals have the right to submit data subject access requests (DSAR) requesting organisations to provide a copy of any personal data they hold concerning the individual.
- The right to rectification: Individuals have the right to request an organization to correct their inaccurate or incomplete personal data.
- The right to erasure: Individuals can request that organisations erase their data in certain circumstances if the data is no longer necessary, is unlawfully processed.
- The right to restrict processing: Individuals can request that an organisation limits the processing of their personal data.
- The right to data portability: Individuals have the right to obtain their personal data for their own purposes in a structured machine-readable format and transfer it to another organisation.
- The right to object: Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority.
- Rights in relation to automated decision making and profiling: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling.
How to comply with UK GDPR?
UK GDPR compliance requires that you understand the implications of the Regulation. Here’s a UK GDPR compliance checklist.
01 Audit and map personal data you process
The first and most important step is to identify the kind of personal data you are collecting, storing and processing. Auditing your data will enable you to make informed decisions about how you can comply with GDPR. Start with an internal audit to understand what data you process and how you process it.
Identify categories of data
Identify the categories of data you collect and catalogue them. Different types of data you may be collecting are:
- Names, emails, phone numbers
- Display pictures, social media IDs and profile URLs
- Website logs like IP addresses, user agents and device IDs
- Audio and video recordings of users
- Payment details like bank account number and credit card information
- Geolocation data
- Email and lead lists
- Current or previous employee data
- Sensitive categories of personal such as:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade union membership
- Genetic data, biometric data
If you process sensitive data or minor’s data, you need to have additional provisions in place such as acquiring parental consent, a Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO).
Review the legal basis for processing
GDPR provides for six legal bases for processing personal data: consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
It is important to note that there must be only one legal basis for processing at a time and that it must be established before the processing begins. The legal basis should also be demonstrable at all times i.e. a business must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each user.
Review data storage
Identify where all the data collected is stored. Ensure that data is stored on secure servers and that your business has technical and organisational security measures to safeguard it and to reduce the risk of loss, misuse, and unauthorised access, disclosure and alteration.
Keep in mind that under GDPR regulations UK, you are obliged to comply with users’ rights to access, edit and delete their personal data collected by a business. So, it is crucial that you have a secure system in place to store data.
Answering these basic questions will help you to conduct a successful data mapping exercise. This will in turn help you create a map of how data flows to, through and from your business to another and map your internal assets, vendors, third parties, with whom you share the data. Use this data map to identify risks in your data processing activities and determine if you require a streamlined data protection impact assessment.
02 Obtain opt-in consent for personal data
GDPR mandates that to process personal data, you have to obtain clear and explicit consent. Consent is identified as a lawful basis for data processing. Consent under GDPR must be freely given, specific and unambiguous. In order for consent to be free, it should be voluntary i.e. the user must have a real choice.
GDPR UK requires that the user gives consent via unambiguous indication by clear affirmative action. Clear affirmative action means someone must take deliberate and specific action to opt-in or agree to the processing. Ensure that consent forms are placed prominently, use jargon-free straightforward language to obtain consent. Some examples for seeking active opt-in mechanisms include:
- Ticking an opt-in box on paper or electronically
- Clicking an opt-in button or link online
- Selecting from equally prominent yes/no options
Under UK GDPR rules, you cannot rely on lack of response, inactivity, pre-ticked boxes, default settings or blanket acceptance as signs of consent. You must also provide easy ways for the individual to opt-out or withdraw consent in the future.
This CookieYes newsletter subscription form is a great example of a GDPR compliant opt-in form.
Stay in the know on privacy
Unsubscribe anytime using the link on the newsletter.
03 Obtain cookie consent
- Display a cookie consent banner that gives users the option to accept, reject or set cookie preferences.
- Give users granular control to change/set cookie preferences.
- Customize your cookie banner as per your site’s visual style and design.
- Auto-translate your banner as per the user’s browser language so the user can make an informed choice.
- Scan your website for cookies periodically and get your cookie list auto-updated.
- Auto-block third-party cookies like Google Analytics, Facebook pixels till users give consent.
- Record all cookie consents to demonstrate proof of consent.
- Display a callback widget so users can withdraw consent at anytime.
What not to do on your website:
- Assume consent if users ignore cookie banner and continue browsing
- Pre-ticked boxes or pre-selected cookie categories like advertisement, analytics, performance cookies
- Cookie walls and popups that prevent the user from accessing the website until the user gives consent
CookieYes for UK GDPR cookie compliance
You can display a custom, fully responsive cookie consent banner in 30+ widely spoken languages, record consent logs for proof of compliance and conduct thorough cookie audits from a database of 100,000+ cookies and scrips. CookieYes supports a built-in Do Not Track (DNT) feature, automatic script blocking, advanced CSS customization and can be integrated on any CMS or
Get cookie compliant in 3 steps!
- Sign up on CookieYes for free
- Customize your cookie banner
- Copy the code and paste it on your website
Create a custom cookie banner for your website
Your privacy policies should primarily:
- Inform users about the personal data you collect, your purpose for collecting and how you are ensuring that their personal data is protected
- Describe the users’ rights under GDPR
- Be available in a concise, transparent, and accessible form
- Be written in clear and plain language
- Direct users how to access and rectify their data
- What data do we collect?
- How do we collect data?
- How do we use your data?
- How do we store data?
- What are your rights under GDPR?
- What type of cookies do we use?
- How can you manage the cookies we use?
- How to contact us?
- How to access, modify or delete your data?
05 Manage DSAR request
The right of access is one of the rights under the UK GDPR. Data Subject Access Requests (DSAR) are a mechanism through which your users can contact your business and request access to information on the personal data you have collected about them, how you use it, or which third parties have access to it.
Under GDPR UK, an individual can make a subject access request using any available method, including in-person, over the phone, via email or social media, as a written request or via websites. In order to speed up and streamline the process, you can implement a DSAR form on your website. The following steps are recommended when dealing with DSAR:
- Verify the data subject’s identity
- Review and assess the nature of the request
- Collate the data
- Deliver the requested information
- Record your response
According to the Information Commissioner’s Office (ICO), organizations have to respond as soon as possible, without undue delay and within one month. You cannot charge a fee for DSAR fulfilment unless the request is unfounded or excessive.
06 Establish agreements with processors
If your business uses third parties or data processors such as vendors that process personal data on your behalf, you need to establish agreements with them. They could be cloud services, hosting companies, software, or tools where you share the personal data of users as part of your business operations.
Under GDPR UK, data controllers are responsible for the actions of data processors. Processors are required to act only on documented instructions from the controller.
- Ensure that you have Data Protection Agreements (DPAs) with all your vendors so that they fulfil all the necessary GDPR requirements.
- Collaborate with your vendor to ensure that they implement technical and organizational measures for compliance.
- Ensure that the agreement requires the processor to delete or return all personal data to the controller after the end of their agreement and delete existing copies of data.
- Undertake audits, periodic inspections and surveys so that vendors can demonstrate compliance initiatives backed by documentation.
07 Implement technical safeguards to secure data
Article 32 of the UK GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure that personal data is processed appropriately.
- Review the state of your current security measures and assess if new measures need to be implemented.
- Implement an information security policy and ensure that it is implemented.
- Use encryption or pseudonymisation where appropriate.
- Have technical controls such as those specified by established frameworks like Cyber Essentials.
- Conduct regular testing and reviews of our measures to ensure effectiveness
- Put in place a mechanism to detect, report and investigate personal data breaches.
You can refer to the ICO guidelines for a complete checklist.
FAQ on UK GDPR
Does GDPR apply to the UK 2021?
Yes, the UK GDPR is currently in effect. After the Brexit, UK was in a transition period till 31 December 2020. After this transition period came to an end, the EU data protection legislation, GDPR was formally incorporated in UK domestic law and the UK GDPR came into effect on 01 January 2021.
The Data Protection Act, 2018 will also remain in place, in conjunction with the UK GDPR. Similarly, the Privacy and Electronic Communications Regulations (PECR) will also be applicable in the UK.
Is GDPR still valid in the UK?
Yes, GDPR is still valid in the UK. Post-Brexit, it has been adopted into the domestic privacy law and termed UK GDPR. The regulation is almost word-to-word borrowed from its EU version, except that it protects the personal data of UK residents. So any organization that collects personal data of UK residents to offer them goods and services or monitor their behavior taking place in the UK must adhere to the same requirements as before.
What is the Data Protection Act 2018?
When the UK was preparing for Brexit, the government introduced a new data protection legislation under the Data Protection Act 2018 that replaced the old Data Protection Act 1998. It was passed to implement the provisions of the General Data Protection Regulation (GDPR) into UK law. The DPA 2018 covers extend the scope of GDPR to provisions that are not part of GDPR, such as processing relating to immigration and automatic processing in public bodies.
What is PECR UK?
Along with GDPR, the Privacy and Electronic Communications Regulations (PECR) UK is another law that governs the electronic communication sector in the UK. The PECR sits alongside the Data Protection Act and the UK GDPR and regulates:
- Marketing calls, emails, texts and faxes
- Cookies (and similar technologies)
- Electronic communication networks
What are the UK GDPR fines?
There are two tiers of penalty – the higher maximum and the standard maximum, issued by the Information Commissioner’s Office (ICO).
- A maximum fine of £17.5 million or 4 per cent of annual global turnover, whichever is greater, for infringement of any of the data protection principles or rights of individuals
- A maximum fine of £8.7 million or 2 per cent of annual global turnover, whichever is greater, for infringement of other provisions, such as administrative requirements of the legislation
Is UK going to drop GDPR?
As UK is no longer part of the EU after Brexit, the UK Government is exploring to diverge from the EU GDPR and consulting on whether it can “reshape its approach” to data privacy legislation.
In September 2021, the UK government has unveiled a consultation document to reform its data protection laws, which is open for public comment until 19 November 2021. It is the first post-Brexit review of the GDPR in the UK and the Government sees it as an opportunity for radical change to UK’s the data protection regime.
What are the proposed reforms to UK GDPR rules?
The consultation document, title Data: a new direction, has proposed several reforms, including the cookie rules. These include:
- Permitting organisations to use “analytics cookies and similar technologies” without consent i.e. treat them as strictly necessary. (198)
- Permitting organisations to store information on, or collect information from, a user’s device without consent for certain limited purposes. (200)
- Maintain the consent requirement for “invasive tracking purposes, micro-targeting and real-time bidding.” (202)
The UK GDPR which is supplemented by the Data Protection Act 2018 (DPA 2018) together form the UK data protection regime. The UK GDPR is almost a word-to-word version of its EU counterpart.
Is there a difference between UK GDPR and EU GDPR?
Notable differences between the GDPRs in the UK and EU include the following:
|UK GDPR||EU GDPR|
|Expanded scope||Includes personal data collected for national security, immigration, and intelligence services (with some exceptions)||Excludes personal data collected for national security, immigration, and intelligence services|
|Age of consent||13||16 (could be 13, depending on Member State law)|
|Enforcing body||Information Commissioner’s Office (ICO)||European Data Protection Board (EDPB),
European Commission, and
Member State data protection authorities