UK GDPR: The Basics

UK GDPR is the version of the European Union's General Data Protection Regulation that was written into United Kingdom domestic law on 1 January 2021, the day the Brexit transition period ended. Rather than drafting an entirely new privacy framework, the UK government retained the full text of the EU GDPR and adapted it to work within the British legal system. The result is a regulation that mirrors the EU original in structure and substance but operates under UK jurisdiction, enforced by the Information Commissioner's Office (ICO) rather than the European Data Protection Board.

Three pieces of legislation now form the backbone of UK data protection:

  • UK GDPR - sets out the core principles, data subject rights and obligations for controllers and processors.
  • Data Protection Act 2018 (DPA 2018) - supplements and tailors the UK GDPR, covering areas such as law enforcement processing, national security exemptions and the age of consent for children's data (set at 13 in the UK, compared to 16 under EU GDPR).
  • Privacy and Electronic Communications Regulations 2003 (PECR) - governs cookies, direct marketing, and electronic communications. If you run a website that drops cookies on visitors' browsers, PECR is the law that dictates when and how you must obtain consent.

Any organisation that processes personal data of individuals located in the United Kingdom must comply with UK GDPR, regardless of where that organisation is based. A software company headquartered in Sydney that sells subscriptions to UK customers is caught by UK GDPR just as much as a London-based retailer.

The Seven Principles of UK GDPR

UK GDPR is built on seven data protection principles, listed in Article 5. Every decision you make about collecting, storing or using personal data should trace back to these principles. They are not aspirational guidelines - they are legally binding, and breaching them can result in enforcement action.

| Principle | What It Means in Practice |
| --- | --- |
| Lawfulness, fairness and transparency | You must have a valid legal basis for processing personal data (e.g. consent, legitimate interest, contract) and be upfront about what you do with it. |
| Purpose limitation | Collect data for a specific, stated reason. Do not repurpose it for something unrelated without a lawful basis. |
| Data minimisation | Only collect what you actually need. A newsletter sign-up form does not need a date of birth. |
| Accuracy | Keep personal data correct and up to date. Provide mechanisms for individuals to request corrections. |
| Storage limitation | Do not hold personal data longer than necessary. Set retention periods and stick to them. |
| Integrity and confidentiality | Protect personal data with appropriate technical and organisational security measures. |
| Accountability | You must demonstrate compliance - not just claim it. Document your processing activities, conduct impact assessments where required and maintain records. |

The accountability principle is worth particular attention. It shifts the burden of proof onto the controller. If the ICO investigates your organisation, saying "we think we're compliant" is not enough. You need to show your working: records of processing activities, data protection impact assessments (DPIAs), evidence of staff training, and documented lawful bases for every type of processing.

Lawful Bases for Processing Personal Data

Article 6 of UK GDPR sets out six lawful bases that justify processing personal data. You must identify and document a valid basis before you begin processing - not after the fact.

The six bases are: consent, contract, legal obligation, vital interests, public task and legitimate interests. For most website owners, the three that matter most are consent (particularly for marketing cookies and email lists), contract (processing an order or delivering a service the user has requested), and legitimate interests (a balancing test where your reason for processing is weighed against the individual's rights).

The Data Use and Access Act 2025 (DUAA), which received Royal Assent on 19 June 2025, introduced a seventh category called "recognised legitimate interests" under a new Article 6(1)(ea). This covers specific activities such as responding to emergencies, safeguarding individuals and detecting crime. For these recognised interests, organisations no longer need to conduct a full legitimate interests assessment (LIA). The scope is narrow, though, and most routine website data processing still requires one of the original six bases.

Data Subject Rights Under UK GDPR

UK GDPR grants individuals a set of rights over their personal data. As a website owner or app developer, you need mechanisms in place to respond to these requests within one calendar month.

The right of access (commonly called a Subject Access Request or SAR) is the most frequently exercised. Individuals can request a copy of all personal data you hold about them, along with details of how it is used, who it is shared with and how long it will be retained. The DUAA clarified that controllers are only required to carry out "reasonable and proportionate" searches when responding to access requests - a codification of existing ICO guidance that was backdated to 1 January 2024.

Other rights include the right to rectification (correcting inaccurate data), the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability and the right to object to processing. There is also a right related to automated decision-making, though the DUAA has loosened restrictions on automated decisions involving non-special-category data.

The DUAA also introduced a new right for data subjects to complain directly to controllers. Organisations must provide an accessible complaint form, acknowledge complaints within 30 days, investigate and advise the individual of the outcome without undue delay.

Cookies and PECR: Where UK GDPR Meets Your Website

If you operate a website aimed at UK visitors, cookies are where UK GDPR becomes most tangible. The rules on cookies sit primarily in PECR, specifically Regulation 6, but PECR and UK GDPR work together. PECR tells you when consent is needed; UK GDPR tells you what valid consent looks like.

The general rule: you must obtain informed, freely given, specific consent before placing any non-essential cookie or similar tracking technology on a visitor's device. Essential cookies - those strictly necessary for a service the user has explicitly requested, such as a session cookie that keeps a shopping basket alive - are exempt. Marketing cookies, analytics trackers like _ga or _fbp, and advertising pixels are not exempt and require prior consent.

The ICO has made cookie compliance a priority. In January 2025, the regulator expanded its national cookie compliance review to cover the top 1,000 UK websites, up from the top 200 in previous rounds. The findings were not encouraging: 30% of the top 100 UK websites were setting advertising cookies without valid consent, and 134 out of the top 200 failed to meet compliance standards. Some 60% of cookie-related complaints in 2024 involved sites that did not give users the option to reject non-essential tracking.

Pre-ticked boxes, implied consent through continued browsing and "accept only" banners without a genuine reject option all fail the UK GDPR consent test. A compliant cookie banner must give visitors a clear, equally prominent choice to accept or reject non-essential cookies before any such cookies are set.

The DUAA's Changes to Cookie Rules

The Data Use and Access Act 2025 introduced several changes to PECR's cookie provisions. The most headline-grabbing is the alignment of PECR fines with UK GDPR penalties: the maximum fine for cookie-related non-compliance has jumped from the previous cap of 500,000 pounds to the greater of 17.5 million pounds or 4% of global annual turnover. At the time of writing, the higher fine provisions have not yet been formally commenced, but they are expected to take effect around December 2025 or early 2026.

The DUAA also removed a key barrier to enforcement. Under the old rules, a cookie violation had to be both "serious" and likely to cause "substantial damage or substantial distress" before the ICO could even consider issuing a fine. That threshold has been scrapped. Once the relevant DUAA provisions commence, any contravention of Regulation 6 of PECR is potentially subject to a financial penalty, without needing to clear a harm threshold first.

There are new exemptions too. The DUAA allows certain low-risk, non-essential cookies to be placed without prior consent, provided users receive clear information and a simple opt-out mechanism. These include cookies that collect statistical information (such as basic analytics) and cookies that adapt a website's appearance or functionality to user preferences. The ICO is currently consulting on draft guidance for these exemptions, with finalised guidance expected in spring 2026.

How UK GDPR Differs from EU GDPR

For the first few years after Brexit, the two versions of the GDPR were functionally identical. That is beginning to change. The DUAA introduced targeted amendments that create specific points of divergence, though the core architecture remains aligned.

| Area | EU GDPR | UK GDPR (post-DUAA) |
| --- | --- | --- |
| Supervisory authority | Multiple DPAs across member states, coordinated by the EDPB | Single authority: the ICO |
| Age of consent for children | 16 years (member states may lower to 13) | 13 years |
| Recognised legitimate interests | Not applicable - standard LIA required for all legitimate interest processing | New Article 6(1)(ea) - no LIA needed for specified activities (emergencies, safeguarding, crime detection) |
| Automated decision-making | Restricted under Article 22 for all personal data | Restrictions removed for non-special-category data; restrictions remain for special category data |
| International transfer test | Third country must offer "essentially equivalent" protection | Third country standard must be "not materially lower" - a slightly loosened threshold |
| Subject access requests | No explicit statutory guidance on search scope | "Reasonable and proportionate" search standard codified, with stop-the-clock provisions |
| Maximum fines | Up to 20 million euros or 4% of global turnover | Up to 17.5 million pounds or 4% of global turnover |
| Cookie consent exceptions | Strictly necessary cookies only | Extended: analytics and appearance/functionality cookies may be exempt (with transparency and opt-out) |

The divergence on automated decision-making is particularly notable for organisations deploying AI tools. Under EU GDPR, decisions based solely on automated processing that significantly affect individuals are broadly restricted under Article 22. Under the amended UK GDPR, those restrictions have been lifted for decisions involving non-special-category personal data, provided there is meaningful human involvement, which the legislation now defines more explicitly.

Enforcement: What Happens If You Break UK GDPR

The ICO can issue fines of up to 17.5 million pounds or 4% of an organisation's worldwide annual turnover, whichever is greater. In practice, the ICO has historically favoured warnings, reprimands and enforcement notices over large fines - but 2025 marked a shift.

In the first half of 2025, the ICO issued just six fines but collected approximately 5.6 million pounds - already more than double the 2.7 million pounds collected across eighteen fines throughout 2024. The average fine jumped from roughly 150,000 pounds to over 2.8 million pounds. Two-thirds of those fines were for UK GDPR breaches, compared to just one-sixth in 2024.

The largest single enforcement action of 2025 was a 14 million pound settlement with Capita following a data breach that affected 6.6 million people. The original proposed fine was 45 million pounds, reduced after Capita cooperated and settled early.

For cookie compliance specifically, enforcement has been slower. The ICO's crackdown on cookies resulted in only one enforcement action in 2024 - a reprimand issued to Bonne Terre Ltd (trading as Sky Betting and Gaming) for defective consent procedures on its website. No fine was imposed. But with PECR fines soon to be aligned with UK GDPR maximums and the harm threshold removed, the regulatory risk around cookies is increasing significantly.

European precedents reinforce the direction of travel. In September 2025, France's CNIL fined Shein 150 million euros for placing cookies on users' devices even after they had opted out. The ICO has explicitly referenced CNIL's approach to cookies as a benchmark.

UK-EU Adequacy: Can Data Still Flow Freely?

One of the biggest post-Brexit concerns was whether the European Commission would continue to recognise the UK as providing adequate data protection - a status that allows personal data to flow from the EU to the UK without additional safeguards like Standard Contractual Clauses.

The original adequacy decisions, adopted in June 2021, were set to expire in June 2025. The European Commission extended them by six months while it assessed the impact of the DUAA. On 19 December 2025, the Commission formally renewed both adequacy decisions, confirming that the UK continues to provide protection that is "essentially equivalent" to EU standards. The renewed decisions are valid until 27 December 2031, with a mid-point review planned after four years.

This renewal is significant for any UK business that receives personal data from EU customers, partners or group companies. Without adequacy, those data flows would require organisations to implement Standard Contractual Clauses or other transfer mechanisms - adding cost and complexity.

The renewal is not unconditional. The Commission will continue monitoring UK developments, and the European Data Protection Board flagged several areas for scrutiny, including the Secretary of State's new powers to make changes to the data protection framework through secondary legislation with limited parliamentary oversight. If the UK were to diverge too far from EU standards, the adequacy decisions could be amended, suspended or revoked before 2031.

Practical Steps for Website Owners

Compliance with UK GDPR is not a one-off task. It requires ongoing attention, particularly as the DUAA's provisions are rolled out in stages through 2025 and 2026. Here is what matters most for anyone running a website that handles UK visitors' data.

Audit your cookies

Run a scan of your website to identify every cookie and tracking technology in use. Classify each one: strictly necessary, analytics, functional or marketing. If you are unsure what cookies your site sets, a tool like Kukie.io's cookie scanner can detect first-party and third-party cookies and categorise them automatically. Pay attention to third-party scripts that may set cookies you did not explicitly add - embedded YouTube videos, social sharing buttons and chat widgets are common culprits.

Fix your cookie banner

Your cookie consent mechanism must offer a genuine, equally prominent choice to accept or reject non-essential cookies. The ICO has been clear: a banner with a large "Accept All" button and a tiny "Manage Settings" link buried in a paragraph does not constitute fair consent. Reject must be as easy as accept. No non-essential cookies should fire before the visitor makes a choice.
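Tying the audit step and the banner rule together, here is an added JavaScript example (not from the page or from any tool it mentions) that classifies the cookies found in a Cookie header string against a constructed name table and lists every non-essential cookie that is present before, or contrary to, the visitor's consent choice. Only _ga and _fbp come from the article; the other cookie names, the category table and the consent object shape are assumptions.

```javascript
// Constructed classification table: cookie-name patterns -> category.
// _ga and _fbp are the trackers named in the article; the rest are assumed.
const COOKIE_CATEGORIES = [
  { pattern: /^(sessionid|PHPSESSID|csrftoken)$/, category: "strictly_necessary" },
  { pattern: /^_ga(_|$)/,                          category: "analytics" },
  { pattern: /^_gid$/,                             category: "analytics" },
  { pattern: /^_fbp$/,                             category: "marketing" },
  { pattern: /^_fbc$/,                             category: "marketing" },
];

// Map a cookie name to a category; anything unknown is treated as
// non-essential until a human reviews it, so it cannot fire without consent.
function classifyCookie(name) {
  for (const { pattern, category } of COOKIE_CATEGORIES) {
    if (pattern.test(name)) return category;
  }
  return "unclassified";
}

// Parse a document.cookie / Cookie header string into name/value pairs.
function parseCookieHeader(header) {
  return header.split(";").map((s) => s.trim()).filter(Boolean).map((pair) => {
    const i = pair.indexOf("=");
    return i === -1 ? { name: pair, value: "" }
                    : { name: pair.slice(0, i), value: pair.slice(i + 1) };
  });
}

// consent is null while the visitor has not chosen yet, otherwise an object
// such as { analytics: true, marketing: false, functional: false }.
// Before a choice, or after a reject, only strictly necessary cookies pass.
function isPermitted(category, consent) {
  if (category === "strictly_necessary") return true;
  if (!consent) return false;
  return consent[category] === true;
}

// Audit every cookie present against the current consent state.
function auditCookies(header, consent) {
  return parseCookieHeader(header).map(({ name }) => {
    const category = classifyCookie(name);
    return { name, category, permitted: isPermitted(category, consent) };
  });
}

// Names of cookies that should not be on the device under this consent state.
function violations(header, consent) {
  return auditCookies(header, consent).filter((c) => !c.permitted).map((c) => c.name);
}

// Constructed sample: a visitor who has not yet interacted with the banner.
const SAMPLE = "sessionid=abc123; _ga=GA1.2.1; _fbp=fb.1.1; _gid=x; _ga_ABC=s1";
console.log("Set before any choice:", violations(SAMPLE, null));
```

Run the same check in the browser with `document.cookie` as the header argument after the banner loads but before it is answered; any name it returns is a cookie firing before consent.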

Review your privacy notice

Your privacy policy must be written in clear, plain language and cover: what personal data you collect, your lawful basis for each type of processing, who you share data with, how long you retain it, and how individuals can exercise their rights. Under the DUAA, you also need to inform users about the new right to complain directly to your organisation.

Document your processing activities

Maintain a Record of Processing Activities (ROPA) if you are required to - generally, this applies if you have more than 250 employees, or if your processing involves high-risk data, is not occasional, or includes special category data. Even if you fall below the threshold, documenting your processing is good practice and helps demonstrate accountability.

Prepare for subject access requests

Have a process in place for responding to data subject requests within one month. The DUAA's "reasonable and proportionate" search