
The UK GDPR: an overview

Summary

Following Brexit, the United Kingdom (UK) retained its own version of the EU’s General Data Protection Regulation (GDPR) framework with the aim of ensuring that privacy rights remain strong and consistent and that secure data continues to flow with UK trading partners. 

Together with the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), the UK GDPR defines the modern rules of engagement for businesses that use data of UK residents — from online marketing and analytics to everyday customer interactions.

Data privacy regulation in the UK has also continued to evolve rapidly since January 2021 when the UK GDPR came into effect. Key legislation includes the Online Safety Act 2023, the Investigatory Powers (Amendment) Act 2024, and the Data (Use and Access) Act 2025.

This article explains what the UK GDPR and related statutes require by law, who it applies to, and how organizations can achieve and maintain UK GDPR compliance using practical, regulator-approved methods. Also learn how the Information Commissioner’s Office’s (ICO) 2025 online tracking strategy is shaping the next phase of digital privacy and consent management in the UK.

What is UK GDPR?

  • UK GDPR is the UK’s data protection law, similar to the EU GDPR, governing personal data processing of UK residents.
  • Applies extraterritorially to any organization processing UK residents’ personal data, regardless of location.
  • Generally requires consent for non-essential processing of personal data, which must be freely given, specific, informed, and unambiguous.
  • Upholds individuals’ data rights, including access, rectification, erasure, and data portability.
  • Complemented by the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
  • Enforced by the Information Commissioner’s Office (ICO), with powers to investigate and impose significant fines.
  • International data transfers have strict rules, requiring adequacy regulations or appropriate safeguards.
  • Compliance is an ongoing process, requiring data mapping, lawful bases, transparency, and robust security measures.

The UK General Data Protection Regulation (UK GDPR) is the UK’s retained version of the EU GDPR, brought into domestic law in 2021 after Brexit. It regulates how organizations collect, store, secure, and use personal data of UK residents, and aims to ensure that individuals maintain control over their information.

The law protects individuals’ privacy rights and enforces principles of fairness, lawfulness, and transparency to strengthen trust and accountability in digital operations.

Who does UK GDPR apply to?

The UK GDPR is extraterritorial, i.e., it applies to any organization processing personal data of people in the UK — whether that organization is located inside or outside the country. 

This includes:

  • UK-based organizations processing personal data within the UK
  • Non-UK-based organizations offering goods or services to, or monitoring, UK individuals, and collecting/using personal data to do so

In other words, if you handle personal data belonging to people in the UK, the UK GDPR applies to you — regardless of where your company operates. 

Key definitions of the UK GDPR

Art. 4 UK GDPR provides important definitions for terms used throughout the regulation. The following are some of the most relevant and frequently used; understanding them helps organizations and individuals interpret important provisions and compliance requirements.

Personal data

Information relating to an identified or identifiable natural person, i.e., the “data subject”. An identifiable person is one who can be identified, directly or indirectly, e.g., by name; ID number; location data; online identifier; or factors specific to physical, genetic, cultural, economic, social identity. 

Special categories of personal data

Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), data concerning health, or data concerning a natural person’s sex life or sexual orientation. Processing of these kinds of data is prohibited unless specific circumstances apply, per Art. 9 UK GDPR.

Processing

Any operation or set of operations on personal data — whether automated or not — including collection, storage, alteration, retrieval, disclosure, deletion, or destruction. 

Controller

The entity — natural or legal — that determines the purposes and means of processing personal data. Controllers have primary responsibility for meeting the regulation’s obligations, and responsibility for data processing by contracted third-party processors. 

Processor

Any person or organization that processes personal data on behalf of a controller. Under UK GDPR, processors carry their own set of obligations and may be directly liable in certain circumstances. This can include entities like email or marketing automation vendors, cloud service providers, or HR and payroll software companies.

Consent

A freely given, specific, informed, and unambiguous indication of an individual’s wishes, by which they signify agreement to the processing of their personal data via a clear affirmative action, e.g., ticking a box. Pre-ticked boxes, ignoring a consent banner or closing it without action, or other actions that are not an explicit affirmation do not count as valid consent.

Data subject

The individual to whom the personal data relates, that is, the person whose rights — access, correction, erasure, portability etc. — the regulation protects. 

Third party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data, e.g., vendors of business or technology software or services.

Personal data breach

A breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Such breaches often result in harm to data subjects.

Profiling

Any form of automated processing that uses personal data to evaluate certain personal aspects relating to a natural person. In particular, analyzing or predicting aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Pseudonymization

Processing personal data in a way such that it can no longer be attributed to a specific data subject without additional information, which is kept separately and subject to technical and organizational measures to prevent re-identification.

Key principles and lawful bases under the UK GDPR

At the heart of the General Data Protection Regulation UK are seven key principles guiding lawful and ethical processing of personal data:

  • Lawfulness, fairness, and transparency: Data must be processed transparently, fairly, and per regulatory requirements and allowances.
  • Purpose limitation: Use data only for specified, legitimate purposes, i.e., one of the six lawful bases. Valid user consent is one such lawful basis, contractual fulfillment is another.
  • Data minimization: Collect only the personal data necessary to fulfill the stated purpose(s).
  • Accuracy: Keep data accurate and up to date, including making changes if notified by the data subject.
  • Storage limitation: Keep data — securely — only as long as needed to fulfill the stated purpose, after which it must be securely deleted or anonymized.
  • Integrity and confidentiality: Process data securely, protecting it from unauthorized access, use, or loss.
  • Accountability: Demonstrate compliance with all principles and be prepared to provide proof to authorities or data subjects.

Consent is one of the most strictly defined of the six lawful bases for processing personal data under the UK GDPR. Outlined in Art. 4(11) and Art. 7 UK GDPR, the law requires that consent be freely given, specific, informed, and unambiguous, and it must be demonstrated through a clear affirmative action. 

To meet UK GDPR requirements for valid user consent for data processing, organizations must:

  • Obtain consent before collecting or processing personal data for non-essential purposes, e.g., marketing, analytics, or tracking
  • Use clear, plain language explaining what data is collected, how it will be used, and who it will be shared with
  • Enable users to actively opt in, e.g., by ticking an unchecked box or clicking an “Accept” button after reviewing relevant information and choices
  • Give users the ability to withdraw consent at any time, as easily as they gave it, and stop processing immediately once consent is withdrawn
  • Keep secure, detailed records of consent, including the date, method, and content of the notice shown at the time consent was given

The ICO provides guidance on the use of storage and access technologies, including five exceptions to the requirement for user consent. Due to the Data (Use and Access) Act having come into effect in 2025, the guidance for these exceptions is under review and subject to change.

The following exceptions apply when the sole purpose of the storage or access is:

  • Communication: For the transmission of a communication
  • Strictly necessary: Essential to provide the service the subscriber or user requests
  • Statistical purposes: So you can collect information for statistical purposes about the use of your service
  • Appearance: To adapt the way your service appears or functions in line with the subscriber’s or user’s preference
  • Emergency assistance: To identify the geographical position of the subscriber’s or user’s device to provide emergency assistance

The exceptions only apply if your use of storage and access technologies is aligned with the purposes and requirements outlined for each one. If your usage goes beyond these exceptions, you must obtain valid consent.

Additional information on the statistical purposes exception and ICO guidance

The statistical purposes exception under the PECR allows organizations to store or access information on a user’s device without consent, but only when it’s done solely to collect aggregate statistics about how a website or service is used. 

Examples of acceptable data collection and usage under the exception include improving navigation or content by measuring number of visitors, pages viewed, features used, session duration, or navigation paths.

This exception applies only if the organization is an information society service (ISS) provider — delivering a service over the internet, such as a website or mobile app — and the storage or access is exclusively for statistical purposes related to improving the service.

The resulting data collected can be shared with a third party, like an analytics provider, but only if the third party also only uses it for the same limited purpose of service improvement.

To be able to use the exception, organizations must provide clear, transparent information to users about what data is being collected and why, and provide a way for users to object that is free, easy to access, and simple to use.

The statistical exception does not cover any activity that identifies, tracks, or profiles individuals, for example, online advertising or behavioral analytics. It applies to aggregate, non-personal, non-identifying data only.

If any of the data processing for this specific purpose includes personal data, the data collection and processing must also comply with the UK GDPR’s requirements. This includes aggregation and data minimization requirements.

The statistical exception no longer applies if the data is used to make decisions about people, stored longer than necessary, or linked to identifiers like IP addresses, and valid consent from all users must be obtained.

Access full ICO guidelines on the statistical exception and allowable uses.

The UK GDPR follows an opt-in consent model, meaning consent must be obtained before data processing has started. Also, data subjects must take a positive action to indicate agreement. Pre-ticked boxes, inactivity, or blanket acceptance (all kinds of data for all uses) are not permitted.

In contrast, an opt-out model, where consent is assumed unless a user declines and data can be collected for processing without consent in most cases, is noncompliant under the UK GDPR for processing that relies on consent as its lawful basis.

Further to the use of storage and access technologies, employing them for online advertising requires valid user consent. This applies for technical processes involved in ad selection and delivery, as well as for associated tracking and profiling.

Generally, you do not have to obtain separate consent for advertising measurement, as the collection of information for campaign effectiveness measurement is linked to the purpose of online advertising.

Use of contextual advertising can enable you to comply with both UK GDPR and PECR requirements more easily than other types of targeted advertising can.

The ICO emphasizes the importance of ensuring that individuals can easily withdraw their consent from all organizations in possession of their personal information within the ad tech ecosystem.

To that end, they have been engaged with the Interactive Advertising Bureau (IAB) Tech Lab since January 2025, regarding the Data Deletion Request Framework. The goal is to improve how consent withdrawal and data deletion requests are handled by third parties in the online advertising and ad tech industries. The ICO endorses and will encourage implementation of the Framework.

Cookies and other tracking technologies that are not strictly necessary for the operation of a website or fulfillment of a contractual obligation — including analytics, advertising, or personalization cookies — require prior, explicit opt-in consent before being placed on a user’s device.

This requirement is reinforced by the PECR, which works alongside the UK GDPR. Consent for cookie use must meet the same high standard of validity as any other data processing consent.

Implement a consent management platform (CMP) to provide users, such as website visitors or e-commerce customers, with information about cookie use and consent options. Enable them to accept use of all cookies, or granular options, e.g., by purpose or vendor.

Do not set non-essential cookies until the user has opted in. A comprehensive CMP can block the use of cookies and trackers until consent is obtained. Make it easy to change cookie preferences or withdraw consent at any time. Synchronize those choices across all systems and devices when initially set, and any time they’re updated.

Valid consent under UK law requires equally displayed and accessible options to accept or reject data collection and use, like “Accept” and “Reject” buttons on the cookie banner. 

The law currently allows few exceptions for omitting a reject option, so it is strongly recommended to ensure both “accept” and “reject” options are offered and equally presented. The Usercentrics CMP customization options for consent buttons help mitigate the risk of noncompliance in this area.

As is fairly standard with other data privacy laws, there are a number of actions — and inactions — that cannot be considered valid consent, or that render consent invalid under the UK GDPR.

  • Pre-ticked or pre-selected boxes or other consent mechanisms
  • Silence, inactivity, ignoring or closing a consent banner, or continuing to browse a website
  • Bundled or forced consent, e.g., combining consent for multiple purposes into one checkbox or denying access to a site or services unless full consent is given (unless consent is essential to the service functioning)
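The consent requirements above (prior opt-in, granular purposes, no pre-ticked or bundled choices, withdrawal as easy as granting, and a dated record of each choice) translate into a small amount of gating logic in whatever stores consent on the site. The following is an added example written for this article, not code from the original post or from any CMP vendor; the purpose names, the record fields, and the in-memory cookie jar that stands in for the browser are assumptions made so the example runs outside a browser.

```javascript
// Added example, not from the original post or any CMP vendor's code. The
// purpose names, record fields and in-memory cookie jar are assumptions made
// for illustration; a browser CMP would persist to document.cookie/storage.

const NON_ESSENTIAL_PURPOSES = ["analytics", "advertising", "personalization"];

function noConsent() {
  // Opt-in model: every non-essential purpose starts as "not consented",
  // the equivalent of an unchecked (never pre-ticked) box.
  return Object.fromEntries(NON_ESSENTIAL_PURPOSES.map((p) => [p, false]));
}

function createConsentStore(now = () => new Date().toISOString()) {
  let state = noConsent();
  const log = []; // audit trail: when, how, which notice version, which choices

  function record(choices, method, noticeVersion) {
    // Every purpose needs its own explicit boolean. A single flag covering
    // all purposes would be bundled consent, which is not valid.
    for (const p of NON_ESSENTIAL_PURPOSES) {
      if (typeof choices[p] !== "boolean") {
        throw new Error(`missing explicit choice for purpose: ${p}`);
      }
    }
    state = { ...noConsent(), ...choices };
    const entry = { at: now(), method, noticeVersion, choices: { ...state } };
    log.push(entry);
    return entry;
  }

  return {
    grant: (choices, method, noticeVersion) => record(choices, method, noticeVersion),
    // Withdrawal is a single call, as easy as granting, and resets every purpose.
    withdraw: (method = "preferences-panel") => {
      const lastNotice = log.length ? log[log.length - 1].noticeVersion : "none";
      return record(noConsent(), method, lastNotice);
    },
    isAllowed: (purpose) => purpose === "essential" || state[purpose] === true,
    history: () => log.slice(),
  };
}

// Stand-in for document.cookie so the example runs outside a browser.
function createCookieJar() {
  const cookies = new Map();
  return {
    set: (name, value) => cookies.set(name, value),
    delete: (name) => cookies.delete(name),
    has: (name) => cookies.has(name),
    names: () => [...cookies.keys()],
  };
}

// Gate: a non-essential cookie is only written once its purpose is consented to.
function setCookieIfAllowed(store, jar, name, value, purpose) {
  if (!store.isAllowed(purpose)) return false; // blocked until opt-in
  jar.set(name, value);
  return true;
}

// On withdrawal, remove cookies whose purpose is no longer consented to and
// report which ones went, so the same change can be pushed to other systems.
function applyWithdrawal(store, jar, cookiePurposes) {
  store.withdraw();
  const removed = [];
  for (const [name, purpose] of Object.entries(cookiePurposes)) {
    if (!store.isAllowed(purpose) && jar.has(name)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Walk through a visit: before consent, after a granular grant, after withdrawal.
// Cookie names and values are constructed for the example.
function demo() {
  const store = createConsentStore();
  const jar = createCookieJar();
  const cookiePurposes = { session_id: "essential", analytics_id: "analytics", ad_id: "advertising" };
  const before = {
    session: setCookieIfAllowed(store, jar, "session_id", "s1", "essential"),
    analytics: setCookieIfAllowed(store, jar, "analytics_id", "v1", "analytics"),
  };
  store.grant({ analytics: true, advertising: false, personalization: false },
    "banner-granular", "notice-v3");
  const afterGrant = {
    analytics: setCookieIfAllowed(store, jar, "analytics_id", "v1", "analytics"),
    ads: setCookieIfAllowed(store, jar, "ad_id", "a1", "advertising"),
  };
  const removed = applyWithdrawal(store, jar, cookiePurposes);
  return { before, afterGrant, removed, remaining: jar.names(), records: store.history() };
}
```

Two design points carry the compliance weight: the store starts with every non-essential purpose set to false and refuses a grant that does not name each purpose explicitly, so neither a pre-ticked default nor a single "accept everything" flag can slip through; and each grant or withdrawal appends a dated entry carrying the method and the notice version shown, which is the record the accountability principle asks an organization to be able to produce.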

💡 For the ICO’s in-depth guidelines to consent management best practices and compliance, check out their comprehensive information on when, where, and how to obtain valid consent. It includes a FAQ and graphical examples of compliant and noncompliant design and practices.

Data subjects’ rights under the UK GDPR

One of the core principles of the UK GDPR is empowering individuals, referred to as data subjects by the regulation, with control over their personal data. These rights aim to ensure transparency, accountability, and fair processing across all organizations that collect or use personal data. Data subjects’ rights are set out in Chapter III UK GDPR (Sections 1–5).

Organizations must provide clear information on these rights, e.g., in their privacy notices, and also be able to respond to data subjects’ requests relating to exercising their rights within the required time frame of one month.

Right to be informed 

Art. 13 UK GDPR and Art. 14 UK GDPR: Individuals have the right to be informed about how their data is collected and used. This information must be clear, concise, and easily accessible — usually through a privacy notice or policy.

Right of access 

Art. 15 UK GDPR: Also known as a subject access request (SAR) — data subject request or data subject access request under similar laws — individuals can obtain confirmation of whether their personal data is being processed and receive a copy of it, including details about the purposes, categories, and recipients of that data.

Right to rectification 

Art. 16 UK GDPR: If a person’s data is inaccurate or incomplete, they have the right to request correction or completion. Controllers must respond promptly and inform any third parties who received the incorrect data.

Right to erasure (“right to be forgotten”)

Art. 17 UK GDPR: Individuals can request deletion of their personal data when it is no longer needed, consent is withdrawn, or the processing is unlawful. However, this right is not absolute and certain legal or public interest grounds may justify an organization’s retention of the data.

Right to restrict processing

Art. 18 UK GDPR: Data subjects may request that processing be temporarily restricted, e.g., while verifying data accuracy or contesting its use. The data may be stored during this period, but further processing cannot take place.

Right to data portability 

Art. 20 UK GDPR: Individuals can request and receive their personal data in a structured, commonly used, machine-readable format, e.g., CSV, and transfer it to another controller. This right applies when processing is based on consent or contract and is carried out by automated means.

Right to object 

Art. 21 UK GDPR: Individuals can object to data processing carried out on the basis of legitimate interests, public tasks, or for direct marketing. Processing must stop when the objection is received unless the controller demonstrates compelling legitimate grounds that override the individual’s interests.

Right not to be subject to automated decision-making

Art. 22 UK GDPR: Data subjects have the right not to be subject to decisions made solely through automated means, including profiling, that produce legal or similarly significant effects. Human intervention must be available to review such decisions.

Exceptions to the scope of the UK GDPR

While the UK GDPR has a broad reach, covering almost all personal data processing carried out by organizations operating in, or targeting, UK residents, there are specific situations where it does not apply. These exceptions are mainly outlined in Art. 2(2) UK GDPR, the material scope.

Personal or household activities

The UK GDPR does not apply to processing carried out by individuals purely for personal or household purposes, such as maintaining personal contact lists, sending private correspondence, or using social media for personal communication.

For example, a person storing friends’ birthdays in their phone calendar is not subject to the UK GDPR, but a business storing customer birth dates for age verification or marketing personalization would be.

Law enforcement and national security

Processing carried out by competent authorities for law enforcement purposes falls under the Law Enforcement Directive, which is implemented through Part 3 of the Data Protection Act (Law Enforcement Processing). Data processing for national security purposes is also excluded from the scope of the UK GDPR.

Activities outside UK law

The regulation does not apply to data processing that lies outside the scope of UK law, such as foreign state activities unrelated to UK jurisdiction.

Processing by EU or international bodies

Data processing carried out by UK public authorities, such as government departments, acting under international agreements or by EU institutions and bodies, such as the European Commission (EC) or Court of Justice of the European Union (CJEU) — where applicable — is not covered by the UK GDPR.

Anonymized or truly anonymous data

Data that has been irreversibly anonymized, i.e., no individual can be identified directly or indirectly using it, falls outside the scope of the UK GDPR. However, pseudonymized data — where re-identification remains possible — is still subject to the regulation.

Deceased persons’ data

The UK GDPR applies only to the personal data of living individuals. Information relating to deceased persons is not covered, though other legal or ethical duties, such as confidentiality, may still apply.

Compliance obligations under the UK GDPR

Organizations subject to the UK GDPR must comply with a comprehensive set of obligations designed to protect individuals’ personal data and uphold transparency and accountability. These requirements apply to both data controllers and data processors.

These obligations are primarily outlined in Chapters II–IV (Arts. 5–30). They are supported by related provisions in the Data Protection Act.

Follow the data protection principles 

Art. 5 UK GDPR: All processing of personal data must adhere to the seven data protection principles.

Establish a lawful basis for processing 

Art. 6 UK GDPR: Every processing activity must have one of the six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Sensitive data, referred to as “special category” data in the regulation, requires additional conditions as outlined under Arts. 9 and 10 UK GDPR.

Uphold individuals’ rights 

Arts. 12–23 UK GDPR: Organizations must respect data subjects’ rights and enable exercising of them, including access, rectification, erasure, portability, and objection. Requests from data subjects must typically be fulfilled within one month.

Maintain transparency through privacy notices 

Arts. 13–14 UK GDPR: Controllers must inform individuals about how their data will be used, including the purposes of processing, legal basis, data retention, and their rights and how to exercise them. Privacy notices or policies should be clear, concise, easily accessible, and written in plain language.

Implement appropriate technical and organizational measures

Arts. 24–32 UK GDPR: Organizations must implement measures proportionate to the risks involved in their processing. This includes:

  • Conducting risk assessments and Data Protection Impact Assessments (DPIAs) for high-risk activities (Art. 35 UK GDPR)
  • Ensuring data security through encryption, access control, and regular testing (Art. 32 UK GDPR)
  • Using only processors providing sufficient guarantees of compliance (Art. 28 UK GDPR)

Keep detailed records of processing 

Art. 30 UK GDPR requires controllers and processors to maintain internal records describing the categories of data processed, purposes, recipients, and retention periods. These must be available to the ICO upon request.

Notify of data breaches promptly

Per Arts. 33–34 UK GDPR, serious personal data breaches must be reported to the ICO within 72 hours of discovery, unless unlikely to result in risk to individuals’ rights. In certain cases, affected individuals must also be informed directly.

Designate a Data Protection Officer (DPO) if required

Arts. 37–39 UK GDPR require organizations engaged in large-scale monitoring or processing of special category data, or public bodies, to appoint a DPO to oversee privacy compliance and act as a contact point with the ICO.

Apply privacy by design and by default

Art. 25 UK GDPR requires that data protection must be embedded into all planning and development of all systems, processes, and products from the outset, ensuring that only the minimum personal data necessary for each specific purpose is collected and processed.

Learn more about privacy by design and how to implement it to support privacy compliance and sustainable growth.

International data transfers under the UK GDPR

The UK GDPR places strict limits on the transfer of personal data outside the United Kingdom to ensure that individuals’ privacy rights continue to be protected wherever their data travels. These rules are designed to prevent personal data from being sent to countries or organizations that do not offer an adequate level of protection.

The legal framework for international transfers is set out in Chapter V of the UK GDPR (Arts. 44–50).

What counts as an international transfer

An international transfer occurs when personal data is sent, accessed, or made available to a recipient outside the UK, including cloud servers or group companies located abroad. This applies whether the data transfer is direct, e.g., sending data to a foreign partner, or indirect, e.g., hosting data on non-UK servers.

Transfers based on adequacy regulations 

Art. 45 UK GDPR: This is the simplest and most secure way to transfer data internationally to a country or organization recognized by the UK government as providing adequate protection. 

These agreements are known as adequacy regulations or adequacy decisions. They confirm that a destination jurisdiction’s laws and oversight mechanisms offer a level of protection essentially equivalent to that under the UK GDPR. Data can flow freely to these destinations without additional safeguards.

As of 2025, all EEA countries have adequacy regulations with the UK, as do a variety of other countries around the world, including Argentina, Canada, Japan, South Korea, and Switzerland. The United States is considered adequate for data transfers with the UK for organizations that are certified under the UK Extension to the EU–US Data Privacy Framework.

Transfers subject to appropriate safeguards 

Art. 46 UK GDPR: If no adequacy regulation or decision exists, organizations may still transfer personal data by implementing appropriate safeguards to protect individuals’ rights and ensure enforceable legal remedies. These include:

  • Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) approved by the UK Secretary of State
  • Binding Corporate Rules (BCRs) for multinational groups (Art. 47 UK GDPR)
  • Approved codes of conduct or certification mechanisms with enforceable commitments by the recipient

Where any of these mechanisms are used, organizations must assess the legal environment of the destination country and implement supplementary measures, such as encryption, pseudonymization, or access controls, where necessary to uphold equivalent protection.

Derogations for specific situations 

Art. 49 UK GDPR: In limited cases, transfers may occur without adequacy or safeguards. However, these exceptions must be interpreted narrowly and used only as a last resort. Such instances include:

  • With the data subject’s explicit consent after being informed of possible risks
  • When necessary for contract performance or legal claims
  • When justified by important public interest grounds

Accountability and documentation

Controllers and processors must: 

  • Document all transfer mechanisms used via Records of Processing Activities (RoPA) (Art. 30 UK GDPR)
  • Conduct a transfer risk assessment (TRA) or similar analysis to evaluate the destination’s legal protections
  • Keep transfer arrangements under review, particularly where geopolitical or legal changes occur

Enforcement and penalties under the UK GDPR


The Information Commissioner’s Office is the independent data protection authority and oversight body for the UK GDPR. The ICO has broad investigative and corrective powers to promote transparency, investigate breaches, and impose sanctions where necessary.

Enforcement and penalties are primarily governed by Arts. 77–84 UK GDPR, as well as under corresponding provisions of the Data Protection Act in Chapter II (Enforcement), Chapter III (Offences), and additional relevant sections. 

Information Commissioner’s Office: enforcement authority

The ICO has a variety of responsibilities for enforcing the UK GDPR. Some, but not all, relate to investigations and levying penalties. They include:

  • Monitoring and enforcing compliance with the UK GDPR and Data Protection Act
  • Handling complaints from individuals regarding data protection violations (Art. 77 UK GDPR)
  • Conducting investigations, audits, and data protection impact assessments (Art. 58 UK GDPR)
  • Issuing warnings, reprimands, and enforcement notices requiring corrective action
  • Imposing administrative fines and referring certain offences for criminal prosecution under the DPA
  • Publishing guidance, checklists, and best-practice frameworks to emphasize education and help organizations comply

Administrative penalties and fines

Art. 83 UK GDPR establishes a two-tier system of administrative fines — which the EU GDPR also has — depending on the nature and severity of the infringement.

Tier 1: Up to GBP 8.7 million or 2 percent of global annual turnover (whichever is higher).

This applies to infringements like: 

  • Failures in record keeping, data security, or breach notification
  • Inadequate processor contracts or lack of Data Protection Impact Assessments
  • Noncooperation with ICO investigations

Tier 2: Up to GBP 17.5 million or 4 percent of global annual turnover (whichever is higher).

This applies to more serious breaches, including:

  • Violations of data protection principles 
  • Unlawful processing without a legal basis 
  • Failure to respect data subject rights
  • Unauthorized international transfers 

The ICO assesses fines based on factors like the nature, gravity, and duration of the breach, whether it was intentional or negligent, and the organization’s efforts to mitigate harm. Organizations with a record of repeat violations are likely to be assessed harshly.

Civil and criminal penalties

Under Art. 82 UK GDPR, data subjects have the right to seek compensation from controllers or processors for material or non-material damage caused by violations. Under the DPA, certain offences, such as unlawfully obtaining or disclosing personal data, or destruction of data to prevent access, may result in criminal prosecution.

Corporate officers or employees can be held personally liable if offences are committed with their consent, connivance, or neglect.

Corrective powers

In addition to financial penalties, the ICO can also exercise several other corrective measures. These are often used before fines are imposed, especially for first-time or lower-risk offenders who demonstrate willingness to improve compliance. They include:

  • Issuing warnings or reprimands for likely or actual infringements
  • Ordering controllers or processors to bring operations into compliance
  • Imposing temporary or permanent processing bans
  • Suspending data transfers to noncompliant countries or organizations

Appeals and judicial remedies

Organizations penalized under the UK GDPR may challenge ICO decisions, including by:

  • Requesting an internal review or lodging an appeal before the First-tier Tribunal (Information Rights)
  • Pursuing further appeals to higher courts on points of law

Data subjects also have the right to lodge complaints and seek judicial remedies if their data protection rights have been violated.

The UK GDPR and the Data Protection Act 2018

The UK’s Data Protection Act 2018 (DPA) is the domestic backbone of UK data law. It covers several key areas:

  • Tailors general GDPR-style principles to the context of the UK
  • Sets out UK-specific exemptions (e.g., journalism, research, national security)
  • Creates separate regimes for data access and processing by law enforcement and intelligence services
  • Establishes the ICO’s powers and duties
  • Defines individual rights and organizational obligations
  • Provides enforcement and penalty frameworks
  • Creates certain criminal offences related to data misuse

The DPA applies data protection obligations across public and private bodies, helping to ensure proportionality and accountability. It also complements the UK GDPR by filling specific gaps, setting exemptions and procedures, and giving regulatory teeth to the GDPR’s high-level rules.

The DPA vs GDPR: How the DPA complements the UK GDPR

The Data Protection Act complements the UK GDPR by addressing a number of national issues, including:

  • Data processing for law enforcement and national security
  • Provisions for special categories of personal data, e.g., health data
  • Additional safeguards for children’s data
  • UK-specific exemptions and enforcement rules

Together, these two regulatory frameworks create the foundation for data protection in the UK, one that can evolve as technologies and societal needs change.

DPA vs GDPR: How the DPA differs from the UK GDPR

The DPA and the UK GDPR differ in scope and function. The UK GDPR sets out the overarching rules and principles, while the DPA 2018 tailors and supplements them to the UK context. Key differences:

  • Legal nature: 
    • DPA is a UK Act of Parliament, drafted and passed in 2018, the same year the EU GDPR came into effect.
    • UK GDPR is retained from the EU regulation, in effect since 2021, and forms the main body of data protection law. 
  • Scope:
    • DPA also covers data access and processing by law enforcement and intelligence services, in addition to general data processing. 
    • UK GDPR governs most public and private sector processing of personal data, as well as core processing principles, rights, and responsibilities.
  • Structure and detail: 
    • DPA provides procedural and operational detail for applying processing principles and rights within UK law.
    • UK GDPR sets the high-level data processing principles and rights.
  • Derogations: 
    • DPA defines UK-specific exemptions and modifications, e.g., for journalism, research, national security, and child consent under age 13.
    • UK GDPR provides the overarching framework for exemptions, modifications, or restrictions, but relies on the DPA for flexibility in application.
  • Enforcement and powers: 
    • DPA establishes the Information Commissioner’s Office, its authority, and enforcement mechanisms. 
    • UK GDPR is likewise advised on and enforced by the ICO.
  • Criminal offences: 
    • DPA penalizes serious misconduct or deliberate misuse of personal data, and certain offences — like unlawfully obtaining or selling data — exist only under the DPA. 
    • UK GDPR does not directly create criminal offences, but rather focuses on fines and compliance orders for violations.

UK GDPR vs EU GDPR: What’s the difference?

Is there a difference between the UK GDPR and EU GDPR? In practice, they remain highly similar, but a few key distinctions exist in order for the UK GDPR to meet the specific needs of UK government, businesses, and residents:

  • Supervisory authority: The ICO enforces the UK GDPR, providing one centralized regulatory body, whereas EU Member States each have their own data protection authorities.
  • International data transfers: Data transfers from the UK must meet ICO international transfer rules. The UK maintains its own list of adequate countries separate from the EU’s.
  • Future divergence: The UK may introduce reforms over time, but for now, the two frameworks remain closely aligned, though the UK GDPR is complemented and supplemented by an increasing amount of legislation.

What are the Privacy and Electronic Communications Regulations (PECR)?

The Privacy and Electronic Communications Regulations (PECR) complement the UK GDPR by regulating how organizations use cookies, trackers, and direct marketing tools. While the UK GDPR governs data processing, PECR governs how information is stored or accessed on users’ devices.

In practice, the PECR and EU ePrivacy Directive (ePD) guidelines can be treated as parallel, consent-first regimes that control use of cookies and trackers and direct marketing. 

How does the PECR compare to the ePD?

  • Legal status
    • PECR: UK statutory instrument (amended in 2003) that implemented the EU ePrivacy Directive into UK law. Applicability continues post-Brexit alongside UK GDPR.
    • ePD: EU directive (in force from 2002); each Member State implements via national laws, e.g., France’s LCEN/CNIL rules or Germany’s TTDSG.
  • Relationship to GDPR
    • Both sit alongside the EU and UK GDPRs as rules specific to electronic communications, while the EU and UK GDPRs supply the definitions, lawful bases, consent standards, and enforcement framework.
  • Scope:
    • Both cover cookies, trackers, and relevant related technology, like SDKs and local storage, as well as activities like unsolicited marketing, e.g., email or SMS, live/automated calls, and confidentiality of communications, e.g., for traffic/location data.
  • Cookie and tracker rules
    • Both require prior consent for the use of non-essential cookies/trackers, with exemptions for “strictly necessary” storage or access. Analytics often need consent unless truly low impact and anonymized per national guidance.
  • Direct marketing
    • Email/SMS: Opt-in by default in both laws; “soft opt-in” allowed for existing customers for similar products/services with easy opt-out under the PECR and many EU ePD implementations.
    • Calls: Different rules for live vs. automated calling; national do-not-call registers and transparency requirements apply under both the PECR and ePD.
  • Consent standard
    • Both require meeting GDPR-level consent standards, i.e., freely given, specific, informed, and unambiguous. This means no nudges such as pre-ticked boxes, and withdrawal of consent must be as easy as giving it. Consent banner requirements and dark pattern bans follow from this.
  • Territorial reach
    • Both apply to organizations targeting users in the relevant jurisdiction, i.e., UK or specific EU Member State, even if the controller organization is outside of those countries.
  • Security and confidentiality
    • Both impose confidentiality of communications and security obligations on providers and tightly limit the processing of traffic/location data.
  • Enforcement and penalties
    • UK PECR: Enforced by the ICO; fines can be significant. Fines are PECR-specific and/or UK GDPR-scaled for consent breaches.
    • EU ePD: Enforced by national DPAs/telecoms authorities. Penalty levels and practices vary by Member State, but GDPR-level fines may apply where GDPR is engaged, i.e., up to four percent of global annual revenue or EUR 20 million, whichever is higher.
  • Practical differences for companies
    • UK vs. EU: Day-to-day expectations vary due to guidance from national regulators — ICO, CNIL, DSK, AEPD, etc. — e.g., analytics exemptions, cookie wall acceptability, or UX specifics.
    • National variations in the EU: ePD guidance is implemented per Member State, so details on B2B email, robocalls, and analytics carve-outs differ, and companies should always check local laws.

Under the PECR, cookies used for analytics or advertising require prior user consent. There are specific requirements for organizations processing data in the UK:

  • Clearly explain what cookies do and why
  • Present accept and reject options equally
  • Obtain informed, affirmative consent before activation
  • Avoid manipulative interface designs
  • Provide easy options for consent withdrawal
  • Keep verifiable records of consent

These align with GDPR and other laws’ requirements for notifications and cookie consent. You can also review the ICO’s guide on the use of cookies and similar technologies, including specifically for online advertising and managing consent in practice.

The ICO’s 2025 Online Tracking Strategy identifies “consent or pay” models as a top regulatory priority, especially as their use continues to grow. 

Under these mechanisms, users who refuse consent (typically to the collection and use of their data for personalized advertising) must pay for access to sites or services. Such models are under scrutiny to ensure fairness and user choice. Currently, the ICO’s stance emphasizes that users must have a genuine, freely given choice.

The UK ICO’s Online Tracking Strategy 2025: focus and expectations

The ICO’s Online Tracking Strategy 2025 outlines the regulator’s approach to improving online privacy and protecting users from invasive tracking practices.

Key problem areas with online tracking

The ICO has identified four key problem areas with online tracking, each describing a case where user choice is:

  • Deceptive or absent: Many users aren’t given a genuine option to refuse non-essential data processing. Some websites set cookies or use alternative tracking methods (like fingerprinting) even when users decline consent.
  • Uninformed: Consent mechanisms often fail to present simple, clear information about data use. Complex wording, poor design, and time pressures prevent users from making genuinely informed decisions.
  • Undermined: Even when users give consent, organizations don’t always process data as promised. This disconnect between stated policies and real practices erodes trust and transparency.
  • Irrevocable: Users frequently lack easily accessible ways to change or withdraw consent. Once data is shared, regaining control is difficult, leaving people feeling powerless over their personal information.

Plan of action to address key problem areas with online tracking


In response, the ICO has been implementing the following plan of action to strengthen control over online tracking:

  • Make it easier for publishers to adopt more privacy-friendly forms of online advertising:
    • Encourage adoption of privacy-preserving advertising that avoids extensive profiling
    • Explore how PECR consent requirements may hinder privacy-friendly ad models and issue guidance on low-risk processing activities
    • Work with government on potential legislative amendments to support privacy-preserving advertising
    • Continue enforcing consent requirements for ad targeting and personalization.
  • Ensure publishers give people meaningful control over how they are tracked on websites:
    • Extend compliance monitoring to the top 1,000 UK websites, supported by automated checks
    • Engage consent management platforms (CMPs) to align options with UK data protection law
    • Warn publishers when CMPs do not support compliance by default
  • Ensure that people have meaningful control over tracking for personalized advertising on apps and connected TVs:
    • Act against noncompliant tracking on apps and internet-connected TVs
    • Consult on new guidance for Internet of Things (IoT) devices
    • Work with app developers and device manufacturers to promote compliance
  • Confirm how publishers can deploy “consent or pay” models in line with data protection law, supporting their economic viability:
    • Publish guidance explaining lawful use of “consent or pay” models
    • Ensure consent under these models remains freely given and user rights are protected
    • Take enforcement action where models restrict meaningful control
  • Provide industry with clarity on the requirements of data protection law, leaving no excuse for non-compliance:
    • Finalize guidance on storage and access technologies following the Data (Use and Access) Bill
    • Support compliant innovation through the Regulatory Sandbox and Innovation Advice services
    • Develop a certification scheme to help organizations demonstrate lawful processing
  • Investigate compliance failures in the wider adtech ecosystem
    • Audit data management platforms linking advertisers and publishers
    • Consider further measures to make it easier for individuals to withdraw consent from all organizations sharing their data
  • Support the public to take control of how they are tracked online:
    • Publish guidance to help people understand and manage online data use
    • Conduct public surveys and research to measure and build trust in personal data practices

How to achieve UK GDPR compliance: checklist of practical steps


Organizations should adopt a structured, ongoing approach to UK GDPR compliance. As with privacy laws in the EU and around the world, the legal landscape is always changing in response to consumer demand, technology advancements, and market needs. It’s important that you regularly consult with your legal and privacy experts to stay updated for your business needs.

Embed privacy by design throughout organizational planning, processes, and development. Implement robust consent management wherever you collect and process personal data. These are two key best practices for achieving and maintaining UK GDPR compliance. 

The following checklist provides detailed steps to achieve and maintain your organization’s UK GDPR compliance. Data privacy isn’t a “one and done” project. It’s a critical and ongoing part of operations. But more importantly, it positions your company for sustainable growth and demonstrates that you’re worthy of customers’ trust.

Conduct data mapping and records of processing

Document what personal data you collect, for what purposes, who has access to it, and how long it’s retained. Use these insights to identify risks and gaps. Review your consent management processes and make sure they align with the data you collect and what you use it for.

Repeat this process at regular intervals, as data handling requirements, technology in use, involved staff, and business operations change.

Define a lawful basis for each data processing activity and make sure you can justify it if required to by authorities. (Don’t use legitimate interest just because it’s easier.) For marketing, analytics, and tracking, explicit consent is usually required. Be able to prove you’ve obtained and signaled that consent as well.

Implement privacy notices and transparency measures

Create clear, accessible privacy notices, e.g., on a privacy policy page, to inform users about the data you collect, its use, who can access it, and about their rights and how to exercise them. You can use existing privacy policies or the ICO’s guidelines as a starter, but yours will need to be customized to your business and data processing to be compliant.

Also ensure the privacy notice is kept up to date, which is a legal requirement. Include the date of the most recent update and a link to the previous version.

Like your data mapping and privacy policy, reviewing your consent processes and consent management regularly helps you maintain privacy compliance and lets you provide proof to authorities, or a copy of the information in response to data subject requests.

  • Obtain valid consent before using non-essential cookies or trackers.
  • Enable easy changes or withdrawal of consent any time and stop collecting or processing data as soon as possible if consent is revoked.
  • Record and securely store consent information: the user ID, date and time stamps, the consent mechanism used, granular selections if relevant, whether consent was given on a child’s behalf, and the specific information the user was shown. Update it over time if preferences change.
  • Regularly review and update consent mechanisms as legal requirements, your website, and your martech stack change.
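The PECR requirements listed earlier (consent before activation, easy withdrawal, verifiable records) and the consent-record fields in the checklist above can be combined into one small mechanism. The following is an added example, not code from the original article or from the ICO: an append-only consent ledger that stores those fields and gates non-essential trackers on an affirmative, unwithdrawn record. Category names, field names and sample values are assumptions constructed for illustration.

```javascript
// Added example, not code from the original article: an append-only consent
// ledger holding the fields the checklist above lists, used to gate
// non-essential trackers on an affirmative, unwithdrawn consent record.
// Category names, field names and sample values are constructed for illustration.

const NON_ESSENTIAL = ["analytics", "advertising"]; // strictly necessary storage needs no consent

function createConsentLedger() {
  const entries = []; // append-only audit trail: a withdrawal is a new entry, never an edit

  function latest(userId) {
    for (let i = entries.length - 1; i >= 0; i--) { // newest entry for this user wins
      if (entries[i].userId === userId) return entries[i];
    }
    return null;
  }

  function record(entry) {
    // Only an affirmative action counts: refuse defaults and pre-ticked boxes.
    const m = entry.mechanism;
    if (!m || m === "default" || m === "pre-ticked") {
      throw new Error("consent must come from an affirmative user action");
    }
    const given = entry.choices || {};
    const choices = {};
    for (const c of NON_ESSENTIAL) choices[c] = given[c] === true; // unset means refused
    const rec = Object.freeze({
      userId: entry.userId,
      timestamp: new Date(entry.timestamp).toISOString(), // when the choice was made
      mechanism: m,                                       // which banner/control produced it
      choices,                                            // granular per-category selections
      onBehalfOfChild: entry.onBehalfOfChild === true,
      noticeVersion: entry.noticeVersion,                 // identifies the text the user saw
    });
    entries.push(rec);
    return rec;
  }

  return {
    record,
    // Withdrawal is stored like consent, with every category set to false.
    withdraw: (userId, timestamp, noticeVersion) =>
      record({ userId, timestamp, mechanism: "withdrawal", choices: {}, noticeVersion }),
    // Strictly necessary storage is always allowed; anything else needs a live "true".
    isAllowed(userId, category) {
      if (!NON_ESSENTIAL.includes(category)) return true;
      const rec = latest(userId);
      return rec !== null && rec.choices[category] === true;
    },
    history: (userId) => entries.filter((e) => e.userId === userId), // the verifiable record
  };
}

// Activate a non-essential script only when the ledger says consent is live.
function loadIfConsented(ledger, userId, category, activate) {
  if (!ledger.isAllowed(userId, category)) return false;
  activate();
  return true;
}
```

Because entries are frozen and never edited, the history for a user is the record you can produce for the ICO or for a data subject request; a real deployment would persist it server-side rather than in memory.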

Prepare for data subject rights requests

Be ready to respond to data subject requests for access, correction, deletion, and portability of individuals’ data within the statutory one-month timeframe. Know where information is located, updated, or assembled from around the company, and be able to provide it in an accessible format. 

Depending on the size of your data processing operations, you may want an automated solution to manage request volume.

Secure data and assess risk

Implement robust security measures, such as encryption and access controls, and perform Data Protection Impact Assessments (DPIAs) for high-volume and/or high-risk processing.

Train teams and assign responsibilities

Provide ongoing staff training on UK GDPR requirements and any other relevant laws and frameworks. Also train staff on secure storage and use of data, and on common risks and threats, tailored to their roles (e.g., marketing, support, development).

Where applicable, appoint a Data Protection Officer (DPO) to oversee privacy operations and compliance, as well as managing any issues and liaising with authorities.

UK GDPR and the future of data privacy

The UK GDPR is already demonstrably a living framework that is evolving alongside complementary legislation, new technologies, shifting political landscapes, growth in digital markets, and changing public expectations. 

Privacy compliance is not a one-time project with a single achievement goal, but an ongoing commitment requiring continuous monitoring, regular audits, and proactive adaptation to new regulatory guidance and enforcement trends, as well as consumer expectations.

As digital innovation accelerates, organizations must strengthen their privacy programs to stay ahead. The ICO provides comprehensive guidance, and robust consent management tools enable ongoing compliance that aligns with your brand and Privacy-Led Marketing strategy to build trust and sustainable growth.

UK GDPR compliance is about more than avoiding fines. It’s about providing transparency and respecting the customers whose data powers your business. Companies that treat privacy as a foundation for credibility, customer loyalty, and growth strategy can more confidently meet their regulatory obligations while also strengthening long-term relationships and market reputation.