Cleo
© 2026 Cleo Labs. All rights reserved.

🇬🇧 United Kingdom

GDPR compliance in the UK

The UK GDPR (retained EU law post-Brexit) applies alongside the Data Protection Act 2018. The UK is diverging from EU GDPR in certain areas through ongoing reform.


Enforcement authority

ICO (Information Commissioner's Office)

Maximum sanctions

Up to GBP 17.5 million or 4% of global turnover. The ICO has issued fines exceeding GBP 40 million.

Key obligations

What GDPR requires from organizations operating in the UK.

  • Register with the ICO and pay the data protection fee annually
  • Appoint a DPO where required (same criteria as EU GDPR)
  • Use UK-specific Standard Contractual Clauses (IDTA) for international transfers
  • Follow ICO guidance on AI, cookies, and direct marketing
  • Conduct Data Protection Impact Assessments for high-risk processing

Local context in the UK

The UK Data Protection and Digital Information Bill introduces divergences from EU GDPR including relaxed rules on legitimate interest, research processing, and subject access requests. Companies operating in both UK and EU must track both regimes.


Frequently asked questions

How does GDPR apply in the UK?

The UK GDPR (retained EU law post-Brexit) applies alongside the Data Protection Act 2018. The UK is diverging from EU GDPR in certain areas through ongoing reform.

Who enforces GDPR in the UK?

ICO (Information Commissioner's Office)

What are the penalties for GDPR non-compliance?

Up to GBP 17.5 million or 4% of global turnover. The ICO has issued fines exceeding GBP 40 million.
