UK GDPR: What Non-UK Businesses Need to Know
A practical guide to the UK GDPR for non-UK businesses. Learn how the UK's post-Brexit data protection law works, who it applies to, and how to comply.
Last updated: 2026-02-08
Your SaaS product just signed up a customer in London. Your Shopify store started getting consistent orders from Manchester. Your marketing agency landed a client headquartered in Edinburgh. Congratulations -- and welcome to the UK GDPR. When the United Kingdom left the European Union on January 1, 2021, it did not abandon the GDPR. It absorbed it into domestic law, creating what is informally called the "UK GDPR." If you are a non-UK business that collects data from people in the United Kingdom, this law applies to you regardless of your size, location, or revenue. This guide explains what the UK GDPR requires, how it differs from the EU version, and what your business needs to do.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or data protection professional for guidance specific to your business. The information here is based on the UK General Data Protection Regulation (retained EU law) and the Data Protection Act 2018, as of the date of publication.
Does This Law Apply to Your Business?
The UK GDPR applies to your business if either of these is true (UK GDPR Article 3):
You are established in the UK. If your business has any presence in the United Kingdom -- an office, an employee, a branch -- the UK GDPR applies to all personal data you process in connection with that establishment.
You offer goods or services to people in the UK, or you monitor their behavior. This is the extraterritorial provision that reaches non-UK businesses. If your website ships products to UK addresses, displays prices in British pounds, targets advertising at UK audiences, or tracks the behavior of UK visitors through analytics or cookies, you are likely covered.
There is no size threshold. Unlike California's CCPA/CPRA, which requires meeting revenue or data volume thresholds, the UK GDPR applies to every business that processes UK residents' personal data, regardless of revenue, employee count, or business volume. A five-person e-commerce startup selling to UK customers is subject to the same rules as a multinational corporation.
Here are some practical signals that the UK GDPR applies to your business:
- You accept payments in British pounds (GBP).
- You ship physical products to UK addresses.
- Your website uses a .co.uk domain or mentions UK-specific offerings.
- UK residents create accounts or subscribe to your service.
- You run advertising specifically targeting UK audiences.
- You use analytics tools that track visitors from the UK.
If any of these describe your situation, plan for UK GDPR compliance. The cost of compliance for a small business is modest. The cost of getting caught ignoring it is not.
Do you need a UK representative? If you are not established in the UK but the UK GDPR applies to you, you must appoint a UK-based representative (UK GDPR Article 27). This is a designated person or organization in the UK that acts as a contact point for the Information Commissioner's Office (ICO) and UK data subjects. Several companies offer this service for a modest annual fee.
What Rights Do Consumers Have?
The UK GDPR grants individuals (data subjects) the same set of rights as the EU GDPR. When someone exercises one of these rights, you have 30 calendar days to respond (UK GDPR Article 12(3)), with the option to extend by two additional months for complex or numerous requests.
Right of Access (Article 15). Data subjects can request a copy of all personal data you hold about them and information about how you process it. This is the most frequently exercised right and the core of a Subject Access Request (SAR), the UK equivalent of a DSAR.
Right to Rectification (Article 16). Data subjects can ask you to correct inaccurate personal data or complete incomplete data without undue delay.
Right to Erasure (Article 17). Data subjects can request deletion of their personal data when it is no longer necessary, when they withdraw consent, or when they object to processing. This is not absolute -- you can refuse if you have a legal obligation to retain the data. See our right to erasure guide for details.
Right to Restrict Processing (Article 18). Data subjects can ask you to pause processing their data while a dispute about accuracy or lawfulness is being resolved.
Right to Data Portability (Article 20). Data subjects can request their data in a structured, machine-readable format to transfer to another controller. This applies only to data processed by automated means on the basis of consent or contract.
Right to Object (Article 21). Data subjects can object to processing based on legitimate interest or for direct marketing purposes. If someone objects to direct marketing, you must stop. No discretion.
Rights Related to Automated Decision-Making (Article 22). Data subjects can refuse to be subject to decisions made solely by automated processing that produce legal or similarly significant effects. They can request human intervention.
| Right | UK GDPR Article | Key Detail |
|---|---|---|
| Access (Subject Access Request) | Art. 15 | Copy of all personal data plus processing information |
| Rectification | Art. 16 | Correct inaccurate or incomplete data without undue delay |
| Erasure (Right to Be Forgotten) | Art. 17 | Delete data when no longer necessary or consent withdrawn |
| Restrict Processing | Art. 18 | Pause processing during disputes without deleting data |
| Data Portability | Art. 20 | Provide data in structured, machine-readable format |
| Object | Art. 21 | Object to legitimate interest processing; mandatory stop for direct marketing |
| Automated Decision-Making | Art. 22 | Right to human review of solely automated decisions |
What Your Business Must Do
Establish a lawful basis for every processing activity. The UK GDPR requires one of six lawful bases before you process personal data (UK GDPR Article 6): consent, contract, legal obligation, vital interests, public task, or legitimate interest. For most small businesses, consent (marketing, analytics cookies), contract (order fulfillment), and legitimate interest (fraud prevention, basic analytics) cover the majority of processing activities. Document your lawful basis for each activity.
Write a transparent privacy policy. Your privacy notice must tell UK data subjects who you are, what data you collect, why, which lawful basis applies, who receives the data, how long you keep it, whether data is transferred outside the UK, and how to exercise their rights (UK GDPR Articles 13 and 14). The ICO publishes detailed guidance on what to include. Write it in clear, plain language -- not legalese.
Implement proper cookie consent. The Privacy and Electronic Communications Regulations 2003 (PECR) work alongside the UK GDPR. Non-essential cookies require active consent before they are set. That means a cookie banner that blocks analytics and marketing cookies by default and only loads them after the visitor opts in. The ICO has been increasingly clear that "implied consent" (continuing to browse = consent) does not meet the standard.
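The gate the paragraph describes, as an added example that is not code from the original article: non-essential tags stay blocked until the visitor records an explicit choice, "continuing to browse" changes nothing, and the stored choice carries a timestamp as evidence of what was agreed and when. It assumes preferences live in a first-party cookie named `consent_prefs` (a hypothetical name) holding JSON, and that the site operator has classified each third-party tag into a category; the tag ids and URLs are constructed for illustration.

```javascript
// Added example (not from the original article): a consent gate for non-essential
// tags under PECR and the UK GDPR. Assumptions: preferences are stored in a
// first-party cookie named "consent_prefs" (hypothetical name) holding JSON, and
// every third-party tag has been classified into a category. Tag ids and URLs
// below are constructed.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const COOKIE_NAME = "consent_prefs";

// Constructed tag registry: only "necessary" may load before an explicit choice.
const TAGS = [
  { id: "session", category: "necessary", src: "/js/session.js" },
  { id: "analytics-vendor", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Default state: no consent recorded. Continuing to browse never changes this.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, recordedAt: null };
}

// Read the stored choice from a document.cookie-style string. Anything missing,
// malformed, or not an explicit boolean true is treated as "not consented".
function parseConsent(cookieString) {
  const prefix = COOKIE_NAME + "=";
  const part = (cookieString || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(prefix));
  const consent = defaultConsent();
  if (!part) return consent;
  try {
    const stored = JSON.parse(decodeURIComponent(part.slice(prefix.length)));
    for (const c of CATEGORIES) {
      if (c !== "necessary") consent[c] = stored[c] === true;
    }
    consent.recordedAt = typeof stored.recordedAt === "string" ? stored.recordedAt : null;
  } catch (e) {
    // Corrupted cookie: fall back to the no-consent default rather than guessing.
  }
  return consent;
}

// Serialise an explicit banner choice into a Set-Cookie value. The timestamp is
// kept as evidence of when the visitor agreed and to what.
function serializeConsent(choice, now = new Date()) {
  const prefs = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== "necessary") prefs[c] = choice[c] === true;
  }
  prefs.recordedAt = now.toISOString();
  const value = encodeURIComponent(JSON.stringify(prefs));
  // Six-month lifetime; Secure and SameSite=Lax. Not HttpOnly, because the banner
  // script itself has to read the cookie.
  return `${COOKIE_NAME}=${value}; Max-Age=${60 * 60 * 24 * 180}; Path=/; Secure; SameSite=Lax`;
}

// The gate: which tag ids are permitted under a given consent state.
function allowedTagIds(consent) {
  return TAGS.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Browser-side loader. `doc` is the DOM Document, passed in so the logic can be
// exercised outside a browser. Returns the ids actually injected.
function loadAllowedTags(consent, doc) {
  const loaded = [];
  for (const tag of TAGS) {
    if (consent[tag.category] !== true) continue;
    const el = doc.createElement("script");
    el.src = tag.src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(tag.id);
  }
  return loaded;
}
```

On page load, call `loadAllowedTags(parseConsent(document.cookie), document)`; when the banner records a choice, write `document.cookie = serializeConsent(choice)` and call the loader again. Withdrawal is the same call with every category set to false, followed by clearing the vendor cookies those tags already set, since the gate only stops future loads.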
Handle Subject Access Requests (SARs). You need a process for receiving, verifying, and fulfilling data subject requests. Provide a clear contact method, designate someone to manage requests, and document your workflow. You have 30 calendar days to respond. The ICO recommends acknowledging receipt promptly and keeping the data subject informed if you need more time. For a practical guide, see our how to respond to a DSAR article and our SAR/DSAR response templates.
Sign Data Processing Agreements. If you use third-party services that process personal data on your behalf (hosting providers, email platforms, CRMs, payment processors), you need a written contract with each one specifying the scope, nature, and purpose of processing, along with security obligations and breach notification requirements (UK GDPR Article 28).
Manage international data transfers. Transferring personal data from the UK to countries outside the UK requires a legal mechanism. The UK has its own adequacy decisions, separate from the EU's. The UK recognized the EU/EEA as adequate, and the UK Extension to the EU-U.S. Data Privacy Framework covers transfers to certified U.S. companies. For countries without an adequacy decision, use the UK's International Data Transfer Agreement (IDTA) or the Addendum to the EU's Standard Contractual Clauses. This is an area where the UK has started to diverge from the EU, so check the ICO's current guidance.
Appoint a UK representative (if required). Non-UK businesses subject to the UK GDPR must designate a UK-based representative unless an exemption applies (UK GDPR Article 27). This is a separate requirement from any EU representative you may have appointed under the EU GDPR.
Report breaches to the ICO. If you suffer a personal data breach that poses a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware (UK GDPR Article 33). If the breach poses a high risk to affected individuals, you must also notify them directly without undue delay (UK GDPR Article 34).
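A small tracker for the two statutory clocks described above (the SAR response period and the 72-hour ICO notification window), as an added example rather than code from the original article. It uses the periods exactly as the article states them (30 calendar days for a SAR, extendable by two months; 72 hours from becoming aware of a breach) and flags obligations that are overdue or close enough to warrant escalation. The register entries, ticket ids, timestamps and the escalation windows (three days before a SAR deadline, one day before a breach deadline) are constructed assumptions, not figures from the page.

```javascript
// Added example (not from the original article): a tracker for the SAR response
// clock (30 calendar days as the article states, extendable by two months) and
// the ICO breach-notification clock (72 hours from awareness). Ticket ids,
// timestamps and escalation windows are constructed assumptions.

const SAR_RESPONSE_DAYS = 30;
const SAR_EXTENSION_MONTHS = 2;
const BREACH_NOTIFY_HOURS = 72;
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

function addDays(date, days) {
  const d = new Date(date.getTime());
  d.setUTCDate(d.getUTCDate() + days);
  return d;
}

function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// Deadline for a SAR received at `receivedAt`. `extended` models the extension
// for complex or numerous requests, which is applied on top of the base period.
function sarDeadline(receivedAt, extended = false) {
  const base = addDays(receivedAt, SAR_RESPONSE_DAYS);
  return extended ? addMonths(base, SAR_EXTENSION_MONTHS) : base;
}

// Deadline for notifying the ICO, counted from when the controller became aware.
function breachDeadline(awareAt) {
  return new Date(awareAt.getTime() + BREACH_NOTIFY_HOURS * HOUR_MS);
}

// Classify one obligation relative to `now`; `warnMs` is the escalation window.
function clockStatus(deadline, now, warnMs) {
  const left = deadline.getTime() - now.getTime();
  if (left < 0) return "overdue";
  if (left <= warnMs) return "escalate";
  return "on-track";
}

// Build a status report over open obligations.
// Each item: { id, type: "sar" | "breach", at: ISO timestamp, extended?: boolean }.
function statusReport(items, now) {
  return items.map((item) => {
    const start = new Date(item.at);
    const isSar = item.type === "sar";
    const deadline = isSar ? sarDeadline(start, item.extended === true) : breachDeadline(start);
    // Escalation windows (assumed): three days out for SARs, one day out for breaches.
    const warnMs = isSar ? 3 * DAY_MS : 1 * DAY_MS;
    return {
      id: item.id,
      type: item.type,
      deadline: deadline.toISOString(),
      status: clockStatus(deadline, now, warnMs),
    };
  });
}

// Constructed sample register.
const SAMPLE_REGISTER = [
  { id: "SAR-0001", type: "sar", at: "2026-01-05T09:00:00Z" },
  { id: "SAR-0002", type: "sar", at: "2026-01-12T09:00:00Z" },
  { id: "SAR-0003", type: "sar", at: "2026-01-12T09:00:00Z", extended: true },
  { id: "INC-0042", type: "breach", at: "2026-02-07T06:00:00Z" },
  { id: "INC-0043", type: "breach", at: "2026-02-05T20:00:00Z" },
];

// Report as of a fixed, constructed "now" so the output is reproducible.
function sampleReport() {
  return statusReport(SAMPLE_REGISTER, new Date("2026-02-08T12:00:00Z"));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(sampleReport());
}
```

All arithmetic is done in UTC so that a deadline does not shift when the person on call is in a different time zone from the server; the report is meant to be run on a schedule and fed to whatever ticketing or alerting the team already uses.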
How Is It Enforced?
The UK GDPR is enforced by the Information Commissioner's Office (ICO), the UK's independent data protection authority. The ICO has the power to investigate complaints, conduct audits, issue enforcement notices, and impose fines.
Maximum penalties are GBP 17.5 million or 4% of global annual revenue, whichever is higher (Data Protection Act 2018, Section 157). There is also a lower tier of GBP 8.7 million or 2% of global annual revenue for less serious infringements.
The ICO has been active in enforcement. Notable actions include a GBP 20 million fine against British Airways in 2020 for a data breach that compromised the personal data of approximately 400,000 customers (reduced from an initial proposed fine of GBP 183 million). Marriott International was fined GBP 18.4 million in 2020 for a breach affecting millions of guest records. On a smaller scale, the ICO regularly issues fines in the range of GBP 5,000 to GBP 500,000 for violations by smaller organizations, particularly around unsolicited marketing and inadequate security.
Data subjects also have a private right of action. Under Section 167 of the Data Protection Act 2018, individuals can bring claims for compensation for material or non-material damage caused by data protection violations. UK courts have seen a growing number of data protection compensation claims.
The ICO tends to take a proportionate approach. For small businesses that demonstrate genuine compliance efforts, the ICO often prioritizes guidance and corrective action over fines. But willful ignorance or repeated violations will attract enforcement.
How This Compares to Other Privacy Laws
The UK GDPR is closely modeled on the EU GDPR, but there are meaningful differences -- and more are emerging as the UK charts its own course post-Brexit. Here is how it compares:
| Feature | UK GDPR | EU GDPR | CCPA/CPRA (CA) |
|---|---|---|---|
| Scope | Any business processing UK residents' data | Any business processing EU residents' data | For-profit businesses meeting thresholds |
| Size threshold | None | None | $26.625M revenue or 100K consumers |
| Consent model | Opt-in | Opt-in | Opt-out |
| Response deadline | 30 days | 30 days | 45 days |
| Max penalty | GBP 17.5M or 4% global revenue | EUR 20M or 4% global revenue | $7,500 per violation |
| Enforcement body | ICO (single authority) | DPAs in each member state | CPPA + AG |
| Private right of action | Yes | Yes (Article 82) | Yes (data breaches only) |
| Cookie consent required | Yes (PECR) | Yes (ePrivacy Directive) | No (but 'Do Not Sell' link required) |
| Data transfer mechanism | UK IDTA / UK SCCs Addendum | EU SCCs | N/A |
The UK GDPR and EU GDPR are still very similar, but the UK government has signaled intentions to diverge further. The Data Protection and Digital Information Act, which received Royal Assent in 2024, introduced some changes around legitimate interest, subject access requests, and international data transfers. These changes are generally seen as modest relaxations rather than wholesale reform, but non-UK businesses should monitor for updates. If you already comply with the EU GDPR, you are well positioned for UK compliance, but you need separate data transfer mechanisms and should appoint a UK representative if required.
The CCPA/CPRA is fundamentally different in its approach: it uses an opt-out consent model rather than opt-in, has revenue and data volume thresholds, and focuses penalties per-violation rather than as a percentage of revenue.
Action Checklist for Small Businesses
- Determine whether the UK GDPR applies. If you have UK customers, UK website visitors you track, or UK-based employees, assume it does.
- Appoint a UK representative. If you are not established in the UK but the law applies to you, designate a UK-based representative and publish their contact details in your privacy policy.
- Map your data processing activities. Document every category of personal data you collect from UK residents, the lawful basis, retention periods, and any third parties that receive the data.
- Write or update your privacy policy. Ensure it covers all UK GDPR-required disclosures, including your UK representative's contact details and information about international data transfers.
- Implement cookie consent. Block non-essential cookies until visitors actively opt in. Comply with PECR requirements alongside the UK GDPR.
- Set up SAR handling. Designate a point person, create a tracking system, and document your process for responding to Subject Access Requests within 30 days.
- Get DPAs from your vendors. Ensure every third-party service that processes UK personal data on your behalf has a data processing agreement in place.
- Set up lawful data transfer mechanisms. If you transfer UK personal data outside the UK, implement the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs. Verify whether your U.S. service providers are certified under the UK Extension to the EU-U.S. Data Privacy Framework.
- Prepare breach notification procedures. Know how to contact the ICO, prepare a notification template, and establish an internal escalation process for the 72-hour reporting window.
- Train your team and review annually. Run an initial training session on UK data protection basics, then refresh annually. Review your compliance posture whenever your data practices change.
Key Dates
- May 25, 2018: EU GDPR took effect (applied to the UK as an EU member state).
- January 1, 2021: Brexit transition period ended. The UK GDPR came into force as retained EU law under the Data Protection Act 2018.
- June 28, 2021: EU adopted an adequacy decision for the UK, allowing data to flow freely from the EU to the UK.
- July 2023: UK Extension to the EU-U.S. Data Privacy Framework established, enabling data transfers to certified U.S. companies.
- October 2024: Data Protection and Digital Information Act received Royal Assent, introducing targeted reforms to the UK data protection regime.
References
- UK GDPR: The General Data Protection Regulation as retained in UK law. Full text via legislation.gov.uk
- Data Protection Act 2018: Full text via legislation.gov.uk
- Data Protection and Digital Information Act 2024: Full text via legislation.gov.uk
- Information Commissioner's Office (ICO): Guidance for organisations
- ICO International Transfers Guidance: International data transfers
- UK International Data Transfer Agreement (IDTA): ICO IDTA guidance
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.