Who is this article for?
- Any organization in the UK
- Any organization that deals with people in the UK
Areas of Jurisdiction
- If you operate solely in the UK, you need to comply with the UK GDPR and the Data Protection Act 2018 (DPA).
- If you operate solely in the EU, you need to comply with the EU GDPR.
- If you operate in both the UK and the EU, you need to comply with both the UK GDPR and the EU GDPR, in addition to the UK DPA.
Following Brexit, the UK retained the EU GDPR in domestic law as the UK GDPR. The EU has also granted the UK, including Northern Ireland, an Adequacy Decision, which is valid until June 27, 2025. The UK GDPR works alongside the Data Protection Act 2018.
The UK GDPR is almost word-for-word identical to the EU GDPR. The few deviations are set out in the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019.
Key Differences between the UK and EU GDPR:
- The age at which a child can give valid consent is 13 (the EU GDPR default is 16, although member states may lower it to 13).
- The Information Commissioner's Office (ICO), the UK's independent data protection authority, is the supervisory, regulatory, and enforcement body for the UK GDPR.
- The Secretary of State can make or revoke adequacy decisions for the UK GDPR, without consulting the ICO.
- The UK GDPR covers personal data processed for national security, immigration, and intelligence purposes (with some exemptions), whereas the EU GDPR does not apply to national security processing.
See our related article for additional information on EU GDPR.
GDPR Compliance Checklist
- You need at least one lawful basis to collect and process personal data.
- Legitimate interest is likely to be the most common lawful basis for nonprofits.
- State the lawful basis in your privacy notice.
- Think of the lawful basis as applying to each processing purpose (how the data is used and how long it is kept), not to the data itself. Once none of the six lawful bases applies to a given purpose, you can no longer use or retain the data for it.
- You will need a GDPR Privacy Policy
- You will need a GDPR Privacy Notice
- A best practice is to have the privacy notice on your website and a link to the notice in your email signature.
- Your organization may need to register with the ICO and pay a data protection fee; many nonprofit organizations are exempt. Do not rely on being notified: the responsibility for checking and paying lies with your organization.
* Under the Data Protection Act 2018, organizations that process personal data as data controllers must pay a data protection fee to the ICO unless exempt. The fee applies per legal entity, so each company in a group must pay its own fee.
* The ICO provides an online self-assessment to determine whether your organization must pay a fee or is exempt.
For additional guidance on GDPR compliance, see our GDPR Compliance Guide. Note that this is an abridged version of what an organization needs to know to be GDPR-compliant. Although we vet our resources as thoroughly as possible, consult your attorney before acting on any compliance or legal advice.