PrivacyCache
Status: enacted. Jurisdiction: GB. Effective January 1, 2021.

UK General Data Protection Regulation (UK GDPR)

Complete compliance guide for companies with <200 employees. Everything you need to know about UK GDPR requirements, deadlines, and penalties.

DSAR Deadline: 1 month (+ 2 months extension)

Max Penalty: £17,500,000/violation

Up to £17.5 million or 4% of annual worldwide turnover, whichever is higher (equivalent to GDPR Art. 83(5)). Lower tier: up to £8.7 million or 2% of annual worldwide turnover (equivalent to GDPR Art. 83(4)). The ICO has issued fines exceeding £20 million under this framework.

Threshold: No threshold

Est. Cost: $10,000 – $45,000; 10-24 weeks

Mid-Market Compliance Guide

The UK GDPR is the retained EU GDPR as incorporated into UK law after Brexit, effective January 1, 2021. It works alongside the Data Protection Act 2018 (DPA 2018). For companies already GDPR-compliant, UK GDPR alignment is straightforward, but you must separately address UK-specific requirements: use UK International Data Transfer Agreements (IDTAs) instead of EU SCCs, register with the ICO if required, and pay the ICO data protection fee. The UK has its own adequacy decisions for international transfers.

Key Requirements

  • Lawful basis for processing (6 legal bases under Article 6)
  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • Data Processing Agreements with processors
  • Data breach notification to ICO within 72 hours
  • Appoint DPO if required (public authority, large-scale monitoring, or special category data)
  • Records of processing activities (ROPA)
  • International transfer mechanisms (UK adequacy regulations, IDTAs, or UK Addendum to SCCs)

Enforced by: Information Commissioner's Office (ICO)

Consumer Rights

Right of Access (Subject Access Request)
Right to Rectification
Right to Erasure (Right to be Forgotten)
Right to Restrict Processing
Right to Data Portability
Right to Object
Rights Related to Automated Decision-Making and Profiling

Business Obligations

Exemptions

  • Purely personal or household activities
  • Law enforcement processing (covered by Part 3 of DPA 2018)
  • Intelligence services processing (covered by Part 4 of DPA 2018)
  • Anonymized data (outside UK GDPR scope)

Related Privacy Laws



Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/3/2026.
