
UK GDPR Compliance Guide for SMEs

Updated April 2026. UK GDPR · DPA 2018 · DUAA 2025. ICO aligned.

UK GDPR applies to every UK organisation that processes personal data — regardless of size. This guide covers the full scope of obligations under the UK GDPR as retained in the Data Protection Act 2018 and as amended by the Data (Use and Access) Act 2025, with ICO guidance referenced throughout.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.
⚠ Not legal advice

This guide is derived from UK GDPR (DPA 2018 / DUAA 2025) and ICO published guidance. It is informational only. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.

What is UK GDPR?

UK GDPR is the retained version of EU GDPR 2016/679, brought into UK domestic law by the European Union (Withdrawal) Act 2018 and given effect by the Data Protection Act 2018. Since Brexit, UK GDPR has operated as a standalone regime, supervised by the Information Commissioner's Office (ICO).

The Data (Use and Access) Act 2025 (DUAA 2025) introduced reforms to some ICO powers and enforcement mechanisms, but the core data protection obligations for organisations — lawful basis, transparency, data subject rights, security, and breach notification — remain substantially unchanged. UK adequacy was renewed by the European Commission in December 2025, valid to December 2031.

Source: UK GDPR as retained under the European Union (Withdrawal) Act 2018; Data Protection Act 2018; Data (Use and Access) Act 2025; ICO guidance

Who must comply

UK GDPR applies to any organisation established in the UK, and to organisations outside the UK that offer goods or services to UK data subjects or monitor their behaviour. There is no minimum size threshold — a sole trader with a customer email list is a data controller subject to the full framework.

Nine of the 54 governance tasks in a structured UK GDPR programme may legitimately be marked Not Applicable where processing conditions do not apply — but each N/A designation requires a documented, signed assessment as evidence. The remaining obligations apply to all organisations.

The five governance areas

A structured UK GDPR programme covers five interconnected areas. These areas reflect the architecture of the regulation itself.

1. Data audit and mapping

Before any other obligation can be addressed, an organisation must know what personal data it holds, why it holds it, where it came from, who it shares it with, and how long it keeps it. This is the foundation of the Article 30 Record of Processing Activities (ROPA) — the document the ICO will request first in any investigation.

Without a completed data audit, every subsequent compliance step is built on assumption. The ICO has been explicit: accountability under Article 5(2) requires organisations to demonstrate compliance, not just claim it.

2. Lawful basis and consent

Every processing activity must have a documented lawful basis under Article 6. For special category data, an additional condition under Article 9 must also be established and documented. Consent, where used, must meet the specific conditions of Article 7 — freely given, specific, informed, and unambiguous.

Legitimate Interests Assessments (LIAs) must be completed and retained for any reliance on the Article 6(1)(f) basis. Cookie consent mechanisms must comply with the Privacy and Electronic Communications Regulations (PECR) as well as UK GDPR.

3. Privacy notices, policies, and third-party agreements

Articles 13 and 14 set out the transparency requirements: data subjects must be informed of the purposes and lawful basis for processing, their rights, retention periods, and the controller's identity, at the point of data collection. A privacy notice that is buried, vague, or generic is insufficient.

Where personal data is processed by a third party on your behalf, a Data Processing Agreement (DPA) compliant with Article 28(3) must be in place before any processing begins. Article 28 lists the mandatory contractual provisions — sub-processing restrictions, security obligations, deletion requirements, audit rights, and breach notification timelines.

4. Data subject rights and security

Articles 15 to 22 give data subjects eight distinct rights: access, rectification, erasure, restriction, portability, objection, rights related to automated decision-making, and the right not to be subject to solely automated decisions. Each right requires an operational procedure — not just a policy statement.

Technical and organisational security measures (Article 32) must be appropriate to the risk. Pseudonymisation, encryption, access controls, and regular testing of security measures are all referenced. A data breach log should be maintained and a 72-hour notification procedure to the ICO established before a breach occurs — not improvised after one.

5. Training, accountability, and ongoing governance

Article 5(2) — the accountability principle — requires organisations to demonstrate compliance, not simply achieve it. Staff training should be documented. Internal review processes and a compliance calendar are commonly used to demonstrate ongoing accountability. Where a Data Protection Officer (DPO) is required under Article 37, their appointment, role specification, and independence must be evidenced.

Accountability is an ongoing obligation, not a one-time project. Circumstances change — new systems, new third parties, new data categories — and the compliance programme must update accordingly, with dated records of each review.

ICO enforcement

The ICO can issue fines of up to £17.5 million or 4% of annual global turnover for serious breaches, and up to £8.7 million or 2% of turnover for less severe infringements. Fines are not the only enforcement tool — the ICO also issues reprimands, enforcement notices, and information notices. Failure to respond to an information notice is itself an offence.

ICO investigations are typically triggered by data breach notifications, subject complaints, or proactive audit activity. In any investigation, the ICO's first requests are typically for the ROPA, privacy notices, and evidence of how data subject rights requests were handled. An organisation with documented, dated evidence of its governance programme is materially better positioned than one that cannot produce any records.

Record this. Every governance decision, policy update, rights request handled, and DPA executed must be recorded with a date. The ICO does not assess intentions. It assesses evidence.

Professional services firms — additional complexity

Accountants, solicitors, and other AML-regulated professional services firms face a categorically different compliance challenge. They are simultaneously data controllers (for their own operational data), data processors (for client data), and entities regulated under the Money Laundering Regulations 2017 (MLR 2017) and Proceeds of Crime Act 2002 (POCA 2002).

The MLR 2017 requires CDD records to be retained for five years from the end of the client relationship. UK GDPR's storage limitation principle requires data to be deleted when no longer needed. These obligations conflict directly, and the conflict must be documented — the Article 17(3)(b) exemption from the right to erasure where retention is required by law must be established in writing and reflected in the privacy notice.

A DSAR from a client who is the subject of a Suspicious Activity Report filed with the NCA creates a further conflict: responding fully risks the tipping-off offence under POCA 2002 s.333A. Professional services firms need a documented procedure for this scenario — not improvisation when it arises.

The evidence record

Compliance is not a state. It is a process that must be documented continuously. An organisation that does the work but cannot produce dated evidence of having done it is, from a regulatory perspective, in the same position as one that did nothing.

GDPRLedger governs the proof the work was done. It does not write your policies, make legal determinations, or certify compliance. It provides a structured governance programme — 54 tasks for Standard, 87 for professional services Pro — that produces a timestamped, SHA-256 tamper-evident evidence pack. That pack is yours permanently, regardless of what happens to your access period.
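The "timestamped, SHA-256 tamper-evident" wording above names a general technique: a hash-chained log, in which each dated entry commits to the hash of the entry before it, so that altering, backdating, removing or reordering any record breaks verification from that point on. The following is an added illustration of that technique written for this guide; it is not GDPRLedger's code, makes no claim about how its evidence pack is actually structured, and its entry fields, the `GENESIS` marker and the sample entries and dates are all constructed assumptions.

```python
"""Hash-chained, timestamped evidence log (added illustration, not GDPRLedger's format).

Each entry stores the SHA-256 hash of its predecessor, so the chain can be
re-verified end to end and the first tampered or missing entry located.
All entries and dates below are constructed sample data.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # hypothetical marker for the start of the chain


def entry_hash(prev_hash: str, recorded_at: str, task: str, note: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical fields always
    # produce identical bytes, and therefore identical hashes.
    payload = json.dumps(
        {"prev": prev_hash, "recorded_at": recorded_at, "task": task, "note": note},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain: List[dict], task: str, note: str,
                 recorded_at: Optional[str] = None) -> dict:
    """Append a dated entry that commits to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    ts = recorded_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entry = {"prev": prev, "recorded_at": ts, "task": task, "note": note}
    entry["hash"] = entry_hash(prev, ts, task, note)
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        # A removed or reordered entry shows up as a broken link to the predecessor.
        if e["prev"] != expected_prev:
            return False, i
        # An edited field (e.g. a backdated timestamp) no longer matches its hash.
        if e["hash"] != entry_hash(e["prev"], e["recorded_at"], e["task"], e["note"]):
            return False, i
        expected_prev = e["hash"]
    return True, -1


def build_sample_chain() -> List[dict]:
    """Three constructed governance entries with fixed dates (sample data)."""
    chain: List[dict] = []
    append_entry(chain, "ROPA", "Article 30 record reviewed and signed",
                 "2026-04-01T09:00:00+00:00")
    append_entry(chain, "DPA", "Processor agreement executed (constructed sample)",
                 "2026-04-02T14:30:00+00:00")
    append_entry(chain, "DSAR", "Access request answered within one month",
                 "2026-04-10T16:05:00+00:00")
    return chain


def tampered_copy(chain: List[dict]) -> List[dict]:
    """Backdate the second entry without recomputing its hash, to show detection."""
    bad = copy.deepcopy(chain)
    bad[1]["recorded_at"] = "2026-03-20T14:30:00+00:00"
    return bad


if __name__ == "__main__":
    good = build_sample_chain()
    print("intact chain:", verify_chain(good))             # (True, -1)
    print("backdated entry:", verify_chain(tampered_copy(good)))  # (False, 1)
    print("entry removed:", verify_chain(good[:1] + good[2:]))   # (False, 1)
```

Two design points matter for any such record: the hashed fields are serialised canonically, otherwise a harmless re-save could change the bytes and falsely flag tampering; and the chain only proves internal consistency, so the final hash still needs to be anchored somewhere the record-keeper cannot silently rewrite (a signed export, a third party, or a timestamping service) for the "tamper-evident" claim to hold against the organisation itself.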

UK GDPR guides

The following guides cover each area of UK GDPR in depth. Each is derived from UK GDPR (DPA 2018 / DUAA 2025), ICO guidance, and EDPB published guidelines.

