United Kingdom · Last reviewed April 2026

Does UK GDPR Apply to Your Business? [2026 Guide]

Free applicability checker with statutory citations — covers UK GDPR scope, obligations, and penalties.

PrivacyLawApplies.com Editorial Team
CAMS · AIGP (IAPP) · Reviewed April 2026

Quick UK GDPR applicability check

Do you have users or customers in the United Kingdom?
Does your organisation have an establishment in the UK?
Do you monitor the behaviour of individuals in the UK?
Do you process personal data of UK individuals for any purpose?

About UK GDPR

UK GDPR is the United Kingdom's retained version of the EU General Data Protection Regulation, which was incorporated into UK law via the European Union (Withdrawal) Act 2018 and sits alongside the Data Protection Act 2018 (DPA 2018). It came into force on 1 January 2021 following the end of the Brexit transition period.

Extraterritorial scope: Like EU GDPR, UK GDPR applies beyond the UK's borders. Under Art. 3 UK GDPR, it applies to any controller or processor — regardless of where it is established — that processes personal data of individuals in the UK where the processing relates to: (a) offering goods or services to UK individuals; or (b) monitoring the behaviour of UK individuals that takes place within the UK. Non-UK organisations subject to UK GDPR must appoint a UK Representative under Art. 27 UK GDPR.

UK GDPR vs EU GDPR: The two regimes are substantially similar in structure and obligations, but they are now separate legal frameworks enforced by separate authorities. Key practical differences include: (1) the ICO (Information Commissioner's Office) is the UK supervisory authority, not EU Data Protection Authorities; (2) UK organisations must register with the ICO and pay the data protection fee; (3) international transfers from the UK are governed by UK adequacy regulations and International Data Transfer Agreements (IDTAs), not EU Standard Contractual Clauses; (4) the UK has issued its own adequacy decisions for transfers to specific countries.

ICO registration: Most organisations that process personal data in the UK are required to pay a data protection fee to the ICO. The fee ranges from £40 to £2,900 depending on organisation size and turnover. Failure to register when required is a criminal offence.

Key obligations under UK GDPR

Immediate: Register with the ICO (most UK organisations must pay the data protection fee)
Legal basis: UK GDPR + Data Protection (Charges and Information) Regulations 2018

Immediate: Appoint a UK Representative if your business has no UK establishment
Legal basis: Art. 27 UK GDPR (representatives of controllers or processors not established in the UK)

Ongoing: Respond to UK data subject requests within one calendar month
Legal basis: Art. 12(3) UK GDPR

Ongoing: Report breaches to the ICO within 72 hours
Legal basis: Art. 33(1) UK GDPR

Maximum penalty: £17,500,000 or 4% of annual global turnover
Breach notification: 72 hours to the ICO
Supervisory authority: Information Commissioner's Office (ICO)

Frequently asked questions

Does UK GDPR apply to businesses outside the UK?

Yes. UK GDPR applies to any organisation — wherever it is based — that offers goods or services to individuals in the UK, or monitors the behaviour of individuals in the UK. A US company, an EU company, or an Australian company with UK customers, UK website visitors it tracks, or UK users of its platform is subject to UK GDPR. This extraterritorial scope is set out in Art. 3(2) UK GDPR.

What is the difference between UK GDPR and EU GDPR?

UK GDPR and EU GDPR are separate legal frameworks that are structurally very similar but enforced independently. Key differences: (1) EU GDPR is enforced by EU Data Protection Authorities (DPAs); UK GDPR is enforced by the UK ICO. (2) International transfers from the UK use IDTAs (International Data Transfer Agreements), not EU SCCs. (3) UK organisations must register with and pay fees to the ICO. (4) The UK has its own adequacy decisions. If you have both EU and UK users, you may be subject to both regimes simultaneously.

Do EU companies need to comply with UK GDPR?

Yes, if they process personal data of UK individuals in connection with offering goods or services to UK individuals or monitoring UK individuals. Post-Brexit, EU and UK data protection are separate regimes. An EU company with UK customers must comply with UK GDPR in addition to EU GDPR.

What is a UK Representative under UK GDPR?

Under Art. 27 UK GDPR, non-UK organisations subject to UK GDPR must appoint a representative established in the UK. The UK Representative acts as a point of contact for the ICO and for UK data subjects. This obligation applies unless the processing is occasional, does not involve large-scale processing of special category data, and is unlikely to result in a risk to UK individuals.

What are the UK GDPR penalties?

UK GDPR provides for two tiers of civil monetary penalties: up to £17,500,000 or 4% of global annual turnover (whichever is higher) for the most serious violations; and up to £8,700,000 or 2% of global annual turnover for less serious violations. The ICO has broad enforcement powers including notices, enforcement action, and criminal prosecution for certain offences under the DPA 2018.

Does the UK have an adequacy decision from the EU?

Yes. The EU granted the UK adequacy decisions on 28 June 2021, allowing personal data to flow freely from the EU/EEA to the UK without additional transfer safeguards. These decisions are subject to periodic review. UK-based organisations receiving data from the EU can do so under EU adequacy decisions for the UK — but this is separate from the UK's own obligations when processing UK personal data under UK GDPR.

Not sure if UK GDPR applies?

Run the full assessment — covers all major privacy laws with exact statutory citations. Free, no account required.

Not legal advice — educational information only