Skip to main content

What is the UK GDPR?

The UK GDPR, or United Kingdom General Data Protection Regulation, came into effect on January 31, 2020. It sets out rules for how companies collect, use, and share personal data. This regulation is a British data law with the aim of protecting the privacy and right of individuals and ensure that their personal data is not misused or mishandled. The UK GDPR was introduced as a part of the UK’s commitment to data protection standards after leaving the European Union. It essentially mirrors the European GDPR, with some specific provisions tailored for the UK’s legal and regulatory framework. Within United Kingdom, the UK GDPR regulates data protection along with the Data Protection Act of 2018 and 2003’s Privacy and Electronic Communication Regulations (PECR).

Does the UK GDPR apply to me?

UK GDPR applies to you if:

  • You process personal data as a company established in the UK
  • Your company processes the personal data of people in the UK

Therefore, if you do business in the UK or offer goods and services to people in the UK, make sure you are familiar with the UK GDPR and how it affects your day-to-day activities.

How can I comply with UK GDPR principles?

The UK GDPR is derived from the European GDPR, which it shares key principles with. Here is how you can comply with them:

  1. Process data fairly and lawfully, and tell people what you do with their data and why.
  2. Collect personal data only for specific, explicit and legitimate purposes.
  3. Limit data you collect to only what is adequate, relevant and needed for your stated purposes.
  4. Keep personal data accurate and up to date. Correct or erase inaccurate or incomplete data.
  5. Do not keep personal data when you no longer need it for its original purpose.
  6. Take measures to protect data from unauthorised access, loss, destruction or damage.
  7. Be accountable and demonstrate your compliance with documentation.

Want to know more about the UK GDPR?

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

Sensitive personal data under UK GDPR

According to the UK GDPR, “sensitive personal data” refers to special categories of personal data. These special categories are similar to those outlined in the EU GDPR, and they include:

  • Race or ethnicity
  • Political opinions
  • Religion
  • Union
  • Genetics
  • Biometrics
  • Health
  • Sexual information

Additionally, there are specific safeguards required for data about criminal convictions and offences. If you want to collect any of the above data, you must show you have an exceptionally good reason. For instance, to protect public health, or to conduct important scientific research. Otherwise, you would need explicit consent from the person.

When can I collect data legally in the UK?

There are six lawful bases you can use to collect and process personal data.

  1. To perform a task in the public interest or as part of an official function.
  2. For your legitimate interests or for a third party’s interests.
  3. To fulfil a contract you have with the data subject.
  4. To comply with legal or regulatory obligations or to prevent or detect a crime.
  5. In order to protect the vital interest of someone, usually to protect their life and safety.
  6. When you get clear, informed consent to process someone’s personal data.

You must have at least one of these legal bases to collect personal data that can be used to identify someone. Remember to specify your legal basis and purposes for collecting personal data in your privacy policies.

What does UK GDPR say about consent?

Under DPA and UK GDPR consent should be:

  • Freely given. Above all, give people a choice and full control over whether you get their personal data. Then, give them a chance to refuse consent or withdraw consent at any time without any negative consequences.
  • Informed. Always let people know why you need their data and what you will do with it when asking for consent. Make this information clear, concise and easy to understand.
  • Specific. Get specific consent for specific data processing purposes. To this end, separate consent forms from other terms and conditions.
  • Unambiguous. Use clear affirmative action, such as unticked checkboxes to get consent. Do not use pre-ticked checkboxes.

Consent for children's data in the UK

Currently, in the UK, the age at which a child can give their consent for you to process their personal data is 13 years old. Therefore, if a child is under the age of 13, their parent or guardian must give consent on their behalf.

This is known as the “digital age of consent”. It is intended to protect children’s privacy while recognising that young people do use digital services. The GDPR, which applies in the UK, sets this age limit at 16 years old, but the UK government has chosen to lower the age limit to 13.

Meanwhile, it is important to note that the age limit only applies to the processing of personal data for online services. For example, social media, all types of mobile apps and webshops. Other types of processing, such as for medical treatment or legal proceedings, may have different age limits or requirements for parental consent.

Can I share or sell people's data?

If you are going to share or sell someone’s personal data, you must make this very clear to them in advance. You must specify with whom you will share the data, why, what is your legal basis for doing so, and how the person can opt-out. You should also be sure that anyone you share personal data with will protect it properly.

Do I need special security measures?

The UK GDPR and the DPA require you to protect all the data you collect with technical, physical and organisational security controls, such as:

  • Strong passwords
  • Access controls
  • Encryption and pseudonymisation, depending on the data’s risk level.
  • Policies to guarantee confidentiality, integrity, availability of data; and upkeep of data storage systems.
  • A plan and procedures to restore access to personal data quickly in case of a security incident.
  • Regular testing, assessments and evaluations to make sure all these measures are effective.

Do I still need to respond to data requests?

Yes. The UK GDPR includes a familiar series of rights to give people more control over their own data. Usually, when a person asks you to honor one of these rights you should respond within 1 month. In the UK, people have the right to make requests asking you to:

  • Tell them about how you use their data.
  • Give them access to their personal data.
  • Update incorrect data about them.
  • Forget them/erase their data.
  • Restrict the way you process their data.
  • Forward their data to a third party. (For example, when they want to change services.)
  • Stop using their data altogether.
  • Stop automated decision-making and profiling.

What else might compliance involve?

Here are some other administrative rules under the UK GDPR:

  • Record keeping. Maintain a record of all your data processing activities.
  • Data breach reporting. Report data breaches within 72 hours.
  • DPIAs. Certain types of data processing activities require a data protection impact assessment.
  • Cross-border protections. Check if countries you send data to have adequacy decisions with the UK, or if organisations you share with guarantee adequate protections.
  • DPOs. Appoint a DPO if you are a public authority, you conduct large-scale, regular and systematic monitoring (including tracking and profiling); or if your core activities include large-scale processing of special categories of data, or data related to criminal convictions and offences.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

What changes in UK GDPR vs. EU GDPR?

Overall, the principles, requirements, and even the wording of the UK GDPR are very similar to EU’s GDPR. But here are a few key differences between EU’s GDPR and the UK GDPR:

  • A child can consent to data processing at age 13, while the GDPR sets it at 16 by default.
  • Private companies can process data about criminal offences, in some cases.
  • Automated decision-making is allowed with legitimate grounds and built-in protections.
  • Exceptions to data subject rights for historical, scientific, statistical and archiving purposes.
  • Additional lawful bases for processing sensitive personal data (with appropriate safeguards).
  • Some exemptions when you process personal data for publication in the public interest.
  • Prosecution or unlimited fines in some cases. For example, if you knowingly or recklessly obtain or disclose personal data without consent.

Need help with UK GDPR compliance?

Our suite of user-friendly software is designed to help businesses like yours comply with the UK GDPR and other privacy regulations worldwide. These three solutions simplify the most important (and tedious!) data management and compliance tasks.

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit