UK GDPR and the Data Protection Act 2018

A Plain-English Guide for UK Business Owners

If you’ve ever felt confused by data protection terminology, you’re not alone. Many business owners we speak to aren’t sure whether they should be following “GDPR”, “UK GDPR”, or the “Data Protection Act”—or whether these are all different things entirely.

The good news is that once you understand the background, it all makes sense. This guide cuts through the jargon and explains exactly what UK businesses need to know about data protection law today.

A Brief History of Data Protection in the UK

Data protection law in the UK has evolved significantly over the past few decades. Understanding this history helps explain why we have the current framework.

The Data Protection Act 1998

The UK’s previous data protection framework was the Data Protection Act 1998. This legislation served British businesses for two decades, but as technology advanced and the digital economy grew, it became clear that stronger protections were needed.

The EU GDPR Arrives (May 2018)

In May 2018, the European Union introduced the General Data Protection Regulation (GDPR)—a comprehensive overhaul of data protection rules across all EU member states. As an EU regulation, it applied directly to all member countries, including the UK at that time.

The GDPR introduced significant changes, including much larger fines for non-compliance (up to €20 million or 4% of global turnover), stronger individual rights, and stricter requirements for obtaining consent. It was a major shift that required businesses of all sizes to review and update their data handling practices.

The Data Protection Act 2018

On the same day the EU GDPR came into force (25 May 2018), the UK also enacted the Data Protection Act 2018. This wasn’t a replacement for GDPR—it was designed to work alongside it.

The DPA 2018 served several important purposes. It implemented the GDPR into UK law, provided UK-specific provisions and exemptions (such as rules around national security, immigration, and law enforcement), defined the powers of the Information Commissioner’s Office (ICO), and set out criminal offences for serious data protection breaches.

Think of it this way: the GDPR provided the main framework of rules, while the DPA 2018 filled in UK-specific details and gave the regulations legal force in domestic law.

Brexit and the Birth of UK GDPR (January 2021)

When the UK left the European Union, we could no longer be governed directly by EU regulations. However, the government recognised that maintaining equivalent data protection standards was essential—both for protecting citizens and for enabling continued data flows with European partners.

The solution was elegantly simple: the EU GDPR was incorporated into UK domestic law on 1 January 2021, becoming what we now call the “UK GDPR”. The text is largely identical to the EU version, with minor amendments to make it work in a UK-only context (for example, references to “EU member states” were updated).

The Current Framework: What Applies Today

Today, UK businesses must comply with both the UK GDPR and the Data Protection Act 2018. These two pieces of legislation work together as a single data protection framework.

What the UK GDPR Does

The UK GDPR sets out the core principles and rules for processing personal data. It establishes the key data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability). It defines individuals’ rights, including the right to access their data, have it corrected or deleted, and object to certain processing. It sets requirements for lawful processing, consent, and data transfers. It also establishes the framework for fines and enforcement.

What the DPA 2018 Does

The DPA 2018 supplements the UK GDPR with UK-specific provisions. It grants and defines the powers of the Information Commissioner’s Office. It provides exemptions for specific purposes such as journalism, research, and national security. It sets rules for law enforcement and intelligence services’ use of personal data. It creates criminal offences for unlawfully obtaining personal data or obstructing the ICO. It also sets the age of consent for children’s data at 13 in the UK.

What This Means for Your Business

For most UK businesses, the practical implications are straightforward.

You Need to Comply With Both

The UK GDPR and DPA 2018 are designed to be read together. When you hear references to “data protection law” or “GDPR compliance” in a UK context, this means complying with both pieces of legislation. The good news is that they work as a unified framework, so you don’t need separate compliance programmes for each.

The ICO Is Your Regulator

The Information Commissioner’s Office (ICO) enforces data protection law in the UK. They provide extensive guidance, handle complaints from individuals, and have the power to investigate breaches and issue fines. Their website (ico.org.uk) is an excellent resource for practical compliance advice.

EU GDPR May Still Apply to You

If your business offers goods or services to people in the EU, or monitors the behaviour of individuals in the EU, you may also need to comply with the EU GDPR separately. This is particularly relevant for e-commerce businesses, online service providers, or companies with European customers.

The Core Principles Haven’t Changed

Despite the legislative complexity, the fundamental requirements remain the same as they were under the original GDPR. You must have a lawful basis for processing personal data. You must be transparent about what you do with people’s data. You must keep data secure and only retain it as long as necessary. You must respect individuals’ rights over their data. You must be able to demonstrate your compliance.

Recent Developments

Data protection law continues to evolve. The Data (Use and Access) Act 2025 has introduced some reforms to the UK framework, including changes to how organisations can respond to data subject access requests. The UK government has indicated it may diverge further from EU standards over time, though significant changes are not expected in the immediate future.

Staying informed about these developments is important, but for most businesses, the core compliance requirements remain stable.

Quick Reference Summary

UK GDPR: The core data protection regulation, incorporated from EU law after Brexit. Sets out the main principles, rights, and obligations.

DPA 2018: UK legislation that supplements the UK GDPR with domestic provisions, exemptions, and enforcement powers.

EU GDPR: The original European regulation. Still relevant if you do business with EU citizens.

ICO: The Information Commissioner’s Office—the UK’s data protection regulator and your first port of call for guidance.

How We Can Help

Data protection compliance doesn’t have to be overwhelming. With the right systems and processes in place, protecting your customers’ data becomes a natural part of how your business operates.

We help UK businesses implement practical data protection measures, from secure data storage and backup solutions to access controls and staff training. Whether you’re starting from scratch or looking to improve your existing practices, we can guide you through the process.

Questions about data protection compliance?

Get in touch for a friendly, no-obligation chat about your business needs.

Give our friendly experts a call on 020 3327 0310.