UK GDPR fundamentals

What is UK GDPR?

Updated April 2026 · UK GDPR · DPA 2018 · DUAA 2025 · ICO aligned

UK GDPR is the data protection law that applies to every UK organisation processing personal data. It is the retained version of EU GDPR, operating under the Data Protection Act 2018 and now amended by the Data (Use and Access) Act 2025. Understanding what it requires — and what evidence it demands — is the starting point for any compliance programme.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

What UK GDPR is

UK GDPR stands for the United Kingdom General Data Protection Regulation. It is the version of the EU General Data Protection Regulation (EU GDPR 2016/679) that was retained in UK domestic law when the UK left the European Union. It was brought into law by the European Union (Withdrawal) Act 2018 and is given effect alongside the Data Protection Act 2018 (DPA 2018).

The key point for UK organisations is that EU GDPR no longer applies to them directly — it is UK GDPR that governs. The two regimes are substantially similar but have separate regulators, separate enforcement mechanisms, and are now developing independently following the UK's Data (Use and Access) Act 2025 reforms.

Source: European Union (Withdrawal) Act 2018; Data Protection Act 2018; UK GDPR as retained; Data (Use and Access) Act 2025

Who UK GDPR applies to

UK GDPR applies to any organisation or individual that processes personal data in the context of a UK establishment, regardless of where the processing actually takes place. It also applies to organisations outside the UK that offer goods or services to UK data subjects, or that monitor the behaviour of individuals in the UK — even if those organisations have no UK presence.

There is no minimum size threshold. A freelancer with a client contact list, a one-person accountancy practice, a small e-commerce business — all are data controllers subject to the full framework. The principle of proportionality applies to some decisions (such as whether to appoint a DPO or conduct a DPIA), but the core obligations apply universally.

Key concepts

Personal data

Personal data is any information relating to an identified or identifiable natural person. A name and email address is personal data. An IP address is personal data. A reference number that can be linked back to an individual is personal data. The definition is deliberately broad — if there is a real-world possibility of identifying the individual from the data, it is personal data.

Special category data — health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric data, genetic data, sexual orientation, and criminal records — attracts additional obligations under Article 9 and requires both an Article 6 lawful basis and a separate Article 9 condition to be documented.

Controller vs processor

A data controller determines the purposes and means of processing personal data. A data processor processes data on behalf of a controller. The distinction is critical — controllers bear the primary legal obligations; processors have specific but more limited duties, including the obligation to act only on documented instructions from the controller.

Many organisations are controllers for some data and processors for other data simultaneously. An accountancy firm is a controller for its own staff and operational data, and a processor for the client data it handles on clients' instructions. Both roles must be identified, documented, and governed separately.

The six data protection principles

Article 5 of UK GDPR sets out six principles that govern all processing of personal data. Every compliance programme must address all six:

  • Lawfulness, fairness and transparency — processing must have a legal basis, must not be deceptive, and data subjects must be informed
  • Purpose limitation — data collected for one purpose cannot be used for an incompatible purpose without fresh consent or legal basis
  • Data minimisation — only data that is adequate, relevant, and limited to what is necessary should be collected
  • Accuracy — personal data must be accurate and kept up to date
  • Storage limitation — data must not be kept longer than necessary for the purpose for which it was collected
  • Integrity and confidentiality — appropriate security measures must be in place to protect against unauthorised access, loss, or destruction

The seventh principle — accountability — appears in Article 5(2) and is arguably the most important from an enforcement perspective. It requires organisations to be able to demonstrate that they comply with the other six principles. Compliance that cannot be demonstrated is, from the ICO's perspective, effectively no compliance at all.

Source: UK GDPR Article 5

DUAA 2025 — what changed

The Data (Use and Access) Act 2025 introduced reforms to the UK data protection landscape. The core GDPR obligations for organisations — the six principles, lawful basis requirements, data subject rights, breach notification, and security obligations — remain substantially unchanged. The reforms primarily affect ICO powers, the legitimate interests basis (where the Act expanded the list of recognised legitimate interests), and the framework for data sharing between public sector bodies.

For most SMEs, DUAA 2025 does not materially change what a compliance programme must cover. The obligations that a structured governance programme addresses remain the same. The Act does, however, reinforce the accountability principle — the ICO's ability to conduct assessments and issue enforcement notices has been strengthened.

Source: Data (Use and Access) Act 2025; ICO guidance on DUAA 2025

UK GDPR vs EU GDPR

UK GDPR and EU GDPR are substantially equivalent but separate. The European Commission renewed its adequacy decision for UK data in December 2025, valid to December 2031 — meaning personal data can flow freely from the EU to the UK without additional transfer mechanisms. UK organisations transferring data to the EU must still use appropriate transfer mechanisms, as UK GDPR is not automatically recognised by EU member states.

The regulatory and enforcement landscape differs: the ICO supervises UK GDPR, while EU member states' national data protection authorities supervise EU GDPR within their territories, coordinated by the European Data Protection Board (EDPB). An organisation that operates in both the UK and EU must comply with both regimes.

The ICO

The Information Commissioner's Office is the UK's independent supervisory authority for data protection. The ICO can issue fines of up to £17.5 million or 4% of annual global turnover for the most serious breaches, and up to £8.7 million or 2% of turnover for less severe infringements. The ICO also has power to issue reprimands, enforcement notices, and information notices. Failure to respond to an information notice within the specified period is itself an offence.

The ICO's fees register requires most data controllers to pay an annual fee: £52 for small organisations (turnover under £632,000 or fewer than 10 staff), £78 for medium organisations, and £3,763 for large organisations (all figures current from February 2025 — verify current rates at ico.org.uk). Failure to pay the fee when required is a separate civil monetary penalty offence, distinct from substantive GDPR breaches.

Source: ICO fee schedule, current from February 2025; UK GDPR Articles 83 and 84; DPA 2018 Part 6

What a compliance programme covers

A structured UK GDPR compliance programme addresses the full scope of obligations across five interconnected areas: data audit and mapping; lawful basis and consent; privacy notices, policies, and third-party agreements; data subject rights and security; and training, accountability, and ongoing governance. Each area produces evidence — not just decisions — because accountability requires proof, not assertion.

For professional services firms regulated under the Money Laundering Regulations 2017, two additional complexity layers apply: the processor role for client data, and the conflict between MLR 2017 retention obligations and UK GDPR's storage limitation principle. These require specific documented procedures beyond a standard SME programme.

Record this. Document your lawful basis for every processing activity, your data audit findings, every policy in force, and every governance decision with the date it was made. The ICO expects organisations to produce these records on request — not reconstruct them from memory.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.