A UK GDPR privacy policy must comply with the Data Protection Act 2018 and UK GDPR, regulated by the Information Commissioner's Office (ICO). Your policy must disclose the lawful basis for each processing activity, your ICO registration details, how you handle international data transfers post-Brexit using the IDTA, all individual rights available to UK residents, and your data breach notification procedures. Non-compliance can result in ICO fines up to 17.5 million GBP or 4% of global annual turnover.
Since Brexit, the UK has operated its own data protection framework separate from the EU. While UK GDPR is closely aligned with its EU counterpart, there are important differences that affect your privacy policy. The ICO is the UK's independent supervisory authority, and it sets its own guidance, enforcement priorities, and transfer mechanisms.
If your website collects personal data from UK residents, whether you are based in the UK or abroad, UK GDPR applies to you. This means you need a privacy policy that specifically addresses UK requirements, not just a generic GDPR template designed for the EU.
This guide provides a detailed breakdown of UK GDPR requirements, explains how they differ from EU GDPR, covers ICO registration, and gives you a template you can use to create your own compliant policy.
What Is UK GDPR?
UK GDPR is the United Kingdom's version of the General Data Protection Regulation. When the UK left the EU on 31 January 2020, EU GDPR was retained in domestic law through the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This retained version is commonly referred to as UK GDPR.
UK GDPR works alongside the Data Protection Act 2018 (DPA 2018), which supplements it with UK-specific provisions including exemptions, special category data rules, and law enforcement processing. Together, these two pieces of legislation form the UK's complete data protection framework.
The Information Commissioner's Office (ICO) is the UK's independent authority for enforcing UK GDPR. The ICO investigates complaints, conducts audits, publishes guidance, and has the power to issue fines up to 17.5 million GBP or 4% of global annual turnover for serious infringements.
Q: Does UK GDPR apply to organisations outside the UK?
Yes. UK GDPR has extraterritorial reach. If you offer goods or services to people in the UK, or monitor the behaviour of UK residents, UK GDPR applies regardless of where your organisation is based. This is identical to how EU GDPR applies to non-EU organisations.
Q: Do I need to comply with both UK GDPR and EU GDPR?
If you serve users in both the UK and the EU/EEA, you need to comply with both frameworks. In practice, the two are closely aligned and a single well-drafted privacy policy can cover both. You should reference both the ICO and the relevant EU data protection authority, and use both the IDTA and SCCs for international transfers.
UK GDPR vs EU GDPR: Key Differences
While the two frameworks share the same foundation, there are practical differences that affect what your privacy policy must include and how you operate.
| Area | UK GDPR | EU GDPR |
|---|---|---|
| Supervisory authority | ICO (Information Commissioner's Office) | National DPAs (e.g. CNIL in France, BfDI in Germany) |
| Maximum fine | 17.5 million GBP or 4% of global turnover | 20 million EUR or 4% of global turnover |
| Transfer mechanism | UK IDTA (International Data Transfer Agreement) | Standard Contractual Clauses (SCCs) |
| Adequacy decisions | UK makes its own adequacy assessments independently | European Commission issues adequacy decisions |
| Age of consent (children) | 13 years old (set by DPA 2018) | 16 years old (member states can lower to 13) |
| Representative requirement | Must appoint UK representative if no UK establishment | Must appoint EU representative if no EU establishment |
| Registration fee | ICO data protection fee required (40 to 2,900 GBP/year) | No equivalent registration fee in most EU states |
| EU adequacy status | EU has granted UK adequacy (subject to review in 2025) | EEA transfers need no safeguard within the EEA |
Did you know?
The EU granted the UK an adequacy decision in June 2021, allowing personal data to flow freely from the EU to the UK without additional safeguards. However, this adequacy decision includes a sunset clause and is subject to review. If the UK diverges significantly from EU data protection standards, the adequacy decision could be revoked, which would require UK organisations to implement SCCs or other transfer mechanisms for receiving EU data.
What the ICO Requires in Your Privacy Policy
The ICO provides detailed guidance on what your privacy policy (which it refers to as a privacy notice) must contain. Under Articles 13 and 14 of UK GDPR, you must provide the following information to individuals.
- The identity and contact details of the data controller (and DPO if applicable)
- The purposes of processing and the lawful basis for each purpose
- The categories of personal data you collect
- Recipients or categories of recipients of the data
- Details of international transfers and the safeguards used
- Data retention periods or the criteria used to determine them
- Individual rights: access, rectification, erasure, restriction, portability, objection
- The right to withdraw consent at any time (where consent is the lawful basis)
- The right to lodge a complaint with the ICO
- Whether providing data is a statutory or contractual requirement
- Details of automated decision-making or profiling, if used
- The source of the data if not collected directly from the individual
ICO enforcement in practice
The ICO has issued fines to organisations of all sizes for privacy notice failures. Common triggers include failing to disclose third-party data sharing, relying on the wrong lawful basis, not explaining individual rights clearly, and using vague retention periods. The ICO treats transparency failures seriously because they undermine the entire data protection framework. Learn more about what happens without a privacy policy.
UK GDPR Privacy Policy Template Preview
Below is a structured template showing what a UK GDPR-compliant privacy policy should contain. Replace bracketed placeholders with your specific details. A fully customised version can be generated in under 60 seconds.
1. Data Controller Identity
[Your Company Name] ("we", "us", "our") is the data controller responsible for your personal data under UK GDPR. We are registered in England and Wales (or [your jurisdiction]) and operate the website [yourwebsite.com].
ICO registration number: [ZA######]
For privacy-related enquiries, contact us at: [privacy@yourcompany.com]
2. Lawful Basis for Processing
We process your personal data on the following lawful bases under UK GDPR:
- Consent: You have given clear consent for a specific purpose (e.g., marketing emails, optional analytics cookies).
- Contractual necessity: Processing is necessary to perform a contract with you (e.g., account creation, order fulfilment).
- Legal obligation: Processing is necessary for compliance with UK law (e.g., tax reporting under HMRC requirements).
- Legitimate interests: Processing is necessary for our legitimate interests (e.g., fraud prevention, security monitoring), provided your rights do not override those interests.
3. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of your personal data (Subject Access Request).
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data where there is no compelling reason to continue processing.
- Right to restrict processing: Request that we limit how we process your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: Not to be subject to solely automated decisions that produce legal or significant effects.
- Right to withdraw consent: Withdraw consent at any time where consent is the lawful basis.
To exercise any right, contact us at [privacy@yourcompany.com]. We will respond within one calendar month. You also have the right to lodge a complaint with the ICO at ico.org.uk.
4. International Data Transfers
Some of our service providers are based outside the UK, including in the United States and the EEA. Where we transfer personal data internationally, we ensure appropriate safeguards are in place under UK GDPR:
- UK adequacy regulations for countries with adequate protection
- The UK International Data Transfer Agreement (IDTA) approved by the ICO
- Binding Corporate Rules (BCRs) for intra-group transfers
A copy of the relevant safeguard is available on request by contacting [privacy@yourcompany.com].
5. Data Breach Notification
We have procedures in place to detect, investigate, and report personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
6. Complaints
If you are unhappy with how we have handled your personal data, you have the right to complain to the ICO:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk. Helpline: 0303 123 1113.
This is an educational preview. A complete, customised UK GDPR privacy policy requires tailoring every section to your specific data practices, ICO registration status, and international transfers. Not legal advice.
The Six Lawful Bases Under UK GDPR
UK GDPR requires you to identify a lawful basis before you process any personal data. There are six available bases, and you must determine which one applies to each processing activity. Your privacy policy must disclose which basis you rely on for each purpose.
Consent
The individual has given clear, affirmative consent for you to process their personal data for a specific purpose. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are not valid consent. The individual must be able to withdraw consent as easily as they gave it.
Contract
Processing is necessary to perform a contract with the individual, or to take steps at their request before entering a contract. This covers activities like processing an order, creating a user account, or delivering a service the individual has signed up for.
Legal obligation
Processing is necessary to comply with a legal obligation under UK law. Common examples include tax reporting to HMRC, complying with court orders, employment law obligations, and anti-money laundering requirements.
Vital interests
Processing is necessary to protect someone's life. This basis is rarely applicable for website operators and is typically used in emergency medical situations or disaster response scenarios.
Public task
Processing is necessary to perform a task in the public interest or in the exercise of official authority. This basis is mainly relevant for public authorities and bodies carrying out public functions.
Legitimate interests
Processing is necessary for your legitimate interests (or a third party's), unless the individual's rights and interests override yours. You must complete a Legitimate Interests Assessment (LIA) to document why your interests outweigh the individual's. Common examples include fraud prevention, network security, and direct marketing to existing customers.
Did you know?
The ICO has stated that legitimate interests is the most flexible lawful basis but requires the most preparation. You cannot simply claim legitimate interests without documenting why. The ICO recommends a three-part test: (1) identify the legitimate interest, (2) show the processing is necessary to achieve it, and (3) balance it against the individual's interests and rights. If you cannot demonstrate all three steps, you should use a different lawful basis.
International Transfers Post-Brexit
After Brexit, the UK established its own framework for international data transfers, separate from the EU system. If your organisation transfers personal data outside the UK (including to the EU/EEA), you must use one of the approved transfer mechanisms.
The UK has issued its own adequacy regulations for countries it considers to provide adequate data protection. For transfers to countries without adequacy status, you must use either the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, or Binding Corporate Rules approved by the ICO.
The IDTA was approved by the UK Parliament in March 2022 and is available on the ICO website. It is a standalone agreement designed specifically for UK transfers and replaces the EU SCCs for UK data. Alternatively, you can use the UK Addendum, which supplements the EU SCCs with UK-specific terms; this may be more practical if you already use EU SCCs for EU data transfers.
Did you know?
The UK has granted adequacy to the EEA, meaning data can flow freely from the UK to EEA countries. The EU has also granted the UK adequacy, but this decision was set to expire in June 2025 and must be renewed. If you transfer data between the UK and EU, you should monitor whether the mutual adequacy decisions are extended. If either lapses, you would need to implement SCCs (for EU transfers to UK) or the IDTA (for UK transfers to EU) as a fallback.
ICO Registration
Under the DPA 2018, most organisations that process personal data must pay an annual data protection fee to the ICO. This is separate from compliance with UK GDPR and is a legal requirement in its own right. Failure to pay the fee when required is a criminal offence that can result in a fine of up to 4,350 GBP.
The fee is based on your organisation's size and turnover. There are three tiers: Tier 1 (40 GBP) for micro-organisations with fewer than 10 staff and turnover under 632,000 GBP, Tier 2 (60 GBP) for small and medium organisations, and Tier 3 (2,900 GBP) for large organisations with over 250 staff or turnover above 36 million GBP.
You can check whether you need to register and pay the fee using the ICO's online self-assessment tool. Once registered, including your ICO registration number in your privacy policy is a good practice that demonstrates transparency and accountability.
UK-Specific Rights and Provisions
While UK GDPR grants the same eight individual rights as EU GDPR, there are some UK-specific provisions that affect how you implement them in your privacy policy.
ICO as the complaint authority
Your privacy policy must specifically name the ICO as the supervisory authority and provide its contact details, including the postal address (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF) and website (ico.org.uk).
Subject Access Requests (SARs)
Under UK GDPR, you must respond to SARs within one calendar month (not 30 days). You cannot charge a fee for most SARs, but you can charge a reasonable fee or refuse the request if it is manifestly unfounded or excessive.
National security exemptions
The DPA 2018 includes broader exemptions for national security purposes than EU GDPR. If your organisation processes data for national security purposes, these exemptions may apply to certain rights and obligations.
Immigration exemption
The DPA 2018 includes an immigration exemption allowing the Home Office to restrict certain data subject rights when processing data for immigration control. This is a UK-specific provision not found in EU GDPR.
Children's Code (Age Appropriate Design Code)
The ICO's Age Appropriate Design Code sets out 15 standards that online services likely to be accessed by children must meet. Your privacy policy should reference compliance with this code if your service is accessible to children under 18.
Age of Consent for Children's Data
Under UK GDPR, the age at which a child can give their own consent for the processing of personal data in relation to information society services (websites, apps, social media) is 13 years old. This is set by the DPA 2018 and is lower than the EU GDPR default of 16 years.
If your website or app is likely to be accessed by children under 13, you must obtain verifiable parental consent before processing their data. You should also consider the ICO's Age Appropriate Design Code, which applies to online services likely to be accessed by anyone under 18.
Your privacy policy should clearly state your approach to children's data: whether you knowingly collect data from children, how you verify age, and how parents or guardians can exercise rights on behalf of their children. If your service is not intended for children, state this explicitly and describe what happens if you discover a child has provided data without parental consent.
Common UK GDPR Privacy Policy Mistakes
Here are five common mistakes organisations make with their UK GDPR privacy policies, and why each one creates a compliance risk with the ICO.
Mistake: "Using an EU GDPR template without UK adaptations."
Reality: While UK GDPR and EU GDPR are closely aligned, a template written purely for EU compliance will reference the wrong supervisory authority, the wrong transfer mechanisms, and the wrong currency for fines. Your UK privacy policy must specifically reference the ICO, the IDTA (not just SCCs), and GBP amounts where applicable. It should also reflect the UK's age of consent (13, not 16) and any UK-specific exemptions under the DPA 2018.
Mistake: "Not registering with the ICO."
Reality: Most organisations that process personal data must pay the ICO data protection fee. This is a legal requirement separate from UK GDPR compliance. Failure to pay is a criminal offence punishable by a fine of up to 4,350 GBP. Many small businesses are unaware of this requirement. Check the ICO's self-assessment tool to determine whether you need to register and which fee tier applies.
Mistake: "Claiming legitimate interests without a Legitimate Interests Assessment."
Reality: If you rely on legitimate interests as your lawful basis, the ICO expects you to have completed and documented a Legitimate Interests Assessment (LIA) for each processing activity. This is a three-part test: identify the interest, show the processing is necessary, and balance it against the individual's rights. Simply stating "legitimate interests" in your privacy policy without a documented LIA is a common ICO enforcement trigger.
Mistake: "Not disclosing international transfers."
Reality: If you use any US-based service (Google Analytics, AWS, Mailchimp, Stripe, Cloudflare), you are transferring personal data outside the UK. Your privacy policy must disclose each international transfer and the safeguard used (IDTA, UK Addendum, adequacy regulations). Many UK businesses use US-based tools without realising they need to disclose and safeguard these transfers in their privacy policy.
Mistake: "Ignoring the Children's Code."
Reality: The ICO's Age Appropriate Design Code applies to any online service likely to be accessed by children under 18. This is a broad scope that covers most consumer-facing websites and apps. The Code sets out 15 standards including data minimisation, high privacy default settings, and restrictions on nudge techniques. If your service could be accessed by children, your privacy policy should address how you comply with these standards.
How to Create a UK GDPR-Compliant Privacy Policy (6 Steps)
Follow these steps to create a privacy policy that meets ICO requirements and complies with UK GDPR.
Identify your lawful basis for each processing activity
Before writing your policy, determine which of the six lawful bases applies to each type of data processing. Document this in a lawful basis record. If you rely on legitimate interests, complete a Legitimate Interests Assessment for each activity. If you rely on consent, ensure your consent mechanism meets ICO standards (clear, specific, freely given, withdrawable).
Audit your data practices and third-party processors
List every category of personal data you collect, every third-party tool that processes data on your behalf, and every international transfer. This includes analytics, payment processors, email marketing, hosting, and advertising tools. Each must be disclosed in your privacy policy with the specific data shared and the lawful basis.
Check your ICO registration status
Use the ICO's self-assessment tool to determine whether you need to pay the data protection fee and which tier applies. Register if required and include your registration number in your privacy policy. Remember, failure to register when required is a criminal offence.
Map international transfers and apply the correct safeguard
Identify every transfer of personal data outside the UK. For each transfer, determine whether the destination country has UK adequacy status. If not, implement the IDTA or UK Addendum to EU SCCs. Document each transfer and safeguard in your privacy policy.
Draft your policy in plain English covering all ICO-required sections
Write each section covering: data controller identity, purposes and lawful bases, data categories, third-party sharing, international transfers, retention periods, all eight individual rights, how to complain to the ICO, automated decision-making (if applicable), and data breach notification. Use clear, plain language that avoids legal jargon.
Publish, link from every page, and set a review schedule
Link your privacy policy from the footer of every page. Add the last-updated date. Review at least annually and update whenever your data practices or tools change. Notify users of material changes. If you also serve EU users, add EU-specific sections referencing EU GDPR and the relevant national DPAs.
Shortcut: A privacy policy generator automates the entire process. Answer questions about your data practices, select UK GDPR compliance, and get a complete ICO-compliant policy in under 60 seconds. Generate your UK GDPR policy.
Frequently Asked Questions
What is UK GDPR and how is it different from EU GDPR?
UK GDPR is the UK's version of the General Data Protection Regulation, retained in domestic law after Brexit. Key differences include the supervisory authority (ICO vs national DPAs), transfer mechanisms (IDTA vs SCCs), fine currency (GBP vs EUR), age of consent for children (13 vs 16), and the UK's independent adequacy decisions for international transfers.
Do I need to register with the ICO?
Most organisations processing personal data in the UK must pay the ICO data protection fee. Fees range from 40 GBP to 2,900 GBP per year depending on your size and turnover. Limited exemptions exist for some not-for-profits and individuals. Failure to register when required is a criminal offence. Use the ICO's self-assessment tool to check your obligation.
What are the fines for non-compliance with UK GDPR?
The ICO can issue fines up to 17.5 million GBP or 4% of global turnover for serious infringements, and up to 8.7 million GBP or 2% of global turnover for less serious breaches. The ICO can also issue enforcement notices, reprimands, and orders to stop processing.
Can I use the same privacy policy for UK and EU users?
Yes, a single well-drafted policy can cover both. It should reference both UK GDPR and EU GDPR, name the ICO as the UK authority, explain EU users can contact their national DPA, and cover both IDTA and SCCs for international transfers. Include EU Representative details if you target EU users from outside the EU.
What is the UK IDTA and when do I need it?
The UK International Data Transfer Agreement (IDTA) is the UK's mechanism for lawful data transfers outside the UK where the destination country lacks adequacy status. Approved by the ICO in March 2022, it replaces EU SCCs for UK transfers. If you use US-based services like Google Analytics, AWS, or Stripe, you likely need either the IDTA or the UK Addendum to EU SCCs.
What is the age of consent for children under UK GDPR?
The age of consent for children's data in relation to online services is 13 under UK GDPR (set by the DPA 2018). This is lower than the EU default of 16. If your service is accessed by children under 13, you need verifiable parental consent. The ICO's Age Appropriate Design Code also applies to services accessed by anyone under 18.
How often should I update my UK GDPR privacy policy?
Review your policy whenever your data practices change, you add new tools or processors, ICO guidance is updated, or UK law is amended. At minimum, review annually. The ICO expects privacy policies to be living documents that always accurately reflect your current practices. Material changes should be communicated to users proactively.