# [UK-GDPR law after Brexit](https://www.cookiebot.com/en/uk-gdpr/)
**The UK-GDPR (General Data Protection Regulation) and amended Data Protection Act 2018 affect how you as a website owner must obtain and store cookie consents from your visitors who reside in the United Kingdom and European Union.**

---
## The GDPR post-Brexit

Although the United Kingdom (UK) formally withdrew from the European Union (EU) on 31 January 2020, it remained subject to EU law, including the [General Data Protection Regulation (EU GDPR)](https://www.cookiebot.com/en/gdpr/), until the end of the transition period on 31 December 2020.

After Brexit, as the UK’s withdrawal from the EU is commonly known, the UK passed [the United Kingdom General Data Protection Regulation (UK-GDPR)](https://www.legislation.gov.uk/eur/2016/679/contents) to protect the personal data of its citizens and residents. The new UK-GDPR took effect on January 1, 2021 so that there was no gap between the EU GDPR and UK-GDPR. Alongside the [Data Protection Act of 2018 (DPA)](https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted) and the [Privacy and Electronic Communications (EC Directive) Regulations 2003](https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted), it governs the processing of personal data belonging to individuals located in the UK.

Since Brexit and the passing of the UK-GDPR, the EU GDPR no longer applies in the UK, as it applies only to the processing of personal data of individuals located in the EU and EEA.

We look at the key provisions of the UK-GDPR, including its scope, main principles, and key obligations related to consent, data processing, and data subject rights.

---
## What is the UK-GDPR?

The UK-GDPR is the UK's data protection regulation that governs the processing of personal data belonging to individuals located in the UK, including both citizens and residents. These individuals are known as “data subjects” under the UK-GDPR, meaning identified or identifiable natural persons. The UK-GDPR protects the personal data of individuals only, and not other legal entities.

“Personal data” under the UK-GDPR means *“any information relating to an identified or identifiable natural person”* who can be directly or indirectly identified using it. Examples of personal data include:

- names
- ID numbers
- phone numbers
- online identifiers, such as an IP address
- information collected via [tracking cookies](https://www.cookiebot.com/en/tracking-cookies/)
- sensitive personal details, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership

Processing includes both automatic and manual *"collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"* of personal data.

The UK-GDPR is almost word-for-word identical to the EU GDPR, from which it was adapted after Brexit to suit UK-specific requirements. It provides the main principles, rights, and obligations for data protection in the UK.

---
## Who does the UK-GDPR apply to?

Under [Art. 3 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/article/3), the regulation applies to the following:

- a person or entity in the UK that processes personal data, whether or not the processing takes place in the UK
- a person or entity located outside the UK that processes the personal data of UK citizens or residents, when the processing activities are related to:
 - goods and services offered to UK citizens and residents, even if no payment takes place
 - the monitoring of their behavior within the UK
- a person or entity that processes personal data in a place where the law of the UK (or part of the UK) applies by virtue of public international law

The UK-GDPR thus has extraterritorial scope and applies to entities located outside the UK if the regulation's requirements are met.

### Exemptions from the UK-GDPR

[Art. 2 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/article/2) specifies that the regulation does not apply to the processing of personal data:

- by an individual in the course of a purely personal or household activity
- by a competent authority for law enforcement purposes
- by intelligence services, such as MI5

The processing of personal data for law enforcement and intelligence services purposes is governed by the DPA, which supplements the UK-GDPR. The DPA expands the scope of data protection in the UK to include national security and intelligence services, which are outside the scope of the EU GDPR as it doesn’t have jurisdiction over national security within member states.

[Schedule 2](https://www.legislation.gov.uk/ukpga/2018/12/schedule/2/enacted) of the DPA also contains exemptions to some provisions of the UK-GDPR for the processing of personal data for certain purposes.

---
## What are the principles of the UK-GDPR?

The UK-GDPR sets out seven key principles ([Art. 5 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/article/5)) that you must uphold when processing your users’ personal data.

- **Lawfulness, fairness, and transparency:** you must have a legal basis for processing personal data and must provide clear and transparent information about your data processing activities to users.
- **Purpose limitation:** you must not process personal data for any purpose other than the ones for which you have obtained explicit, informed consent, unless you obtain new consent when the purposes change.
- **Data minimization:** you must process only data that is adequate, relevant, and limited to what you need for the intended purposes.
- **Accuracy:** you must keep users’ personal data up to date and accurate, and correct or delete inaccurate data without delay.
- **Storage limitation:** you must keep personal data only for as long as necessary for the intended purposes.
- **Integrity and confidentiality:** you must safeguard personal data and protect it against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- **Accountability:** you must be responsible for the personal data you process and be able to demonstrate compliance with these principles.

---
## What are the legal bases for processing data under the UK-GDPR?

[Art. 6 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/article/6) provides six legal bases for processing personal data under the UK-GDPR. One of these must apply and be provable for the data processing to be lawful.

1. with the explicit consent of the data subject
2. to perform a contract you have entered into with the data subject
3. to comply with a legal obligation
4. to protect the vital interests of the data subject or of another person
5. to perform a task carried out in the public interest or in the exercise of official authority you may have
6. where you have legitimate interests, except where they infringe upon the interests or fundamental rights and freedoms of the data subject

Consent under the regulation means *“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”*

---
## What is considered UK-GDPR compliant consent?

The UK-GDPR gives users the right to withdraw consent at any time once it has been given ([Art. 7 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/article/7)). The method for withdrawing consent should be as easy as the method for giving it.

To be UK-GDPR compliant, your cookie banner should:

- provide clear information about the use of cookies and their purposes
- obtain explicit consent before any non-essential cookies are stored on the user's device
- enable users to make granular choices about the types of cookies they are willing to accept
- be user-friendly, ensuring that users can easily navigate the options and provide (or withdraw) explicit consent

---
## What are the rights of data subjects under the UK-GDPR?

Data subjects have eight rights under the regulation ([Chapter 3 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/chapter/III)). These are the same as the rights under the EU GDPR.

- **Right to be informed** about how you collect and use their personal data ([Arts. 13](https://www.legislation.gov.uk/eur/2016/679/article/13) and [14](https://www.legislation.gov.uk/eur/2016/679/article/14))
- **Right of access** to their personal data and to receive a copy of it ([Art. 15](https://www.legislation.gov.uk/eur/2016/679/article/15))
- **Right of rectification** or correction of inaccurate data you may hold, including completion of incomplete data ([Art. 16](https://www.legislation.gov.uk/eur/2016/679/article/16))
- **Right of erasure** of their personal data in certain circumstances, such as when they revoke consent and there’s no other lawful basis for processing, among others — also known as the “right to be forgotten” ([Art. 17](https://www.legislation.gov.uk/eur/2016/679/article/17))
- **Right to restrict processing** in certain circumstances, such as when the processing is unlawful or you no longer need the personal data, among others ([Art. 18](https://www.legislation.gov.uk/eur/2016/679/article/18))
- **Right to data portability** or to receive the personal data they have provided to you in a “structured, commonly used and machine-readable format” ([Art. 20](https://www.legislation.gov.uk/eur/2016/679/article/20))
- **Right to object** to the processing of their personal data in certain circumstances, such as when it is used for direct marketing ([Art. 21](https://www.legislation.gov.uk/eur/2016/679/article/21))
- **Rights related to automated decision-making, including profiling**, which give data subjects the right not to have decisions made about them automatically by computers (e.g. AI tools) if those decisions can significantly affect their legal rights or have other major impacts on their life ([Art. 22](https://www.legislation.gov.uk/eur/2016/679/article/22))

---
## What are the obligations of controllers under the UK-GDPR? An overview of key requirements

Controllers are responsible for compliance with all the obligations laid out by the UK-GDPR.

---
## Data transfers outside the UK under the UK-GDPR

[Chapter 5 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/chapter/V) addresses the transfer of personal data from the UK to third countries or international organizations.

---
## Penalties under the UK-GDPR

[Art. 83 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/article/83) outlines two levels of penalties for violations of the UK-GDPR.

---
## Who is responsible for enforcing the UK-GDPR?

The Commissioner, who heads the Information Commissioner's Office (ICO), is responsible for enforcement of the UK-GDPR ([Art. 57 UK-GDPR](https://www.legislation.gov.uk/eur/2016/679/article/57)).

---
## Remedies for data subjects under the UK-GDPR

The UK data protection law provides data subjects with multiple remedies if their rights have been violated.

---
## Steps to achieve UK-GDPR compliance

If you’re a data controller or processor under the UK-GDPR, you can take steps to comply with its requirements.

### 1. Audit your website’s use of cookies

Tools like Cookiebot CMP can scan your website to detect all cookies and other trackers and generate a detailed audit report.

### 2. Create a comprehensive privacy policy

Creating a detailed privacy policy that’s easily accessible to users can help meet the UK-GDPR’s transparency requirements.

### 3. Obtain explicit user consent

A UK-GDPR compliant cookie banner from Cookiebot CMP helps you secure user consent that meets regulatory standards.

### 4. Maintain records of data processing activities

Both data controllers and processors must keep detailed records of processing activities.

---
## What are the differences between the UK-GDPR and EU GDPR?

The UK-GDPR is nearly identical to the European GDPR, with changes to accommodate domestic areas of law.

A notable difference between the UK-GDPR and EU GDPR is that the age for obtaining valid consent is lowered to 13 years in the UK from 16 years in the EU.

---
## Frequently asked questions

### Does the EU GDPR apply to the UK?

The EU GDPR still applies to UK companies that process personal data belonging to individuals in the EU, but it doesn’t apply to personal data collected from UK citizens and residents after Brexit.

### What is the UK-GDPR?

The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK's data privacy law that governs the processing of personal data from individuals inside the UK.

### What are the differences between UK-GDPR and EU GDPR?

The UK-GDPR and its EU equivalent are nearly identical.

### Does the UK-GDPR apply to the US?

The UK-GDPR has extraterritorial application. If you’re a US-based entity that processes the personal data of individuals in the UK, then yes, the UK-GDPR applies to you.

### What does the UK-GDPR require by law?

The UK-GDPR requires you to handle personal data lawfully, fairly, and transparently while upholding the rights of data subjects.

### When did the UK-GDPR come into effect?

The UK-GDPR came into effect on January 1, 2021.

### Who regulates the UK-GDPR?

The Information Commissioner is responsible for enforcing the UK-GDPR.

©2026 Cookiebot™ by [Usercentrics](https://usercentrics.com/)