PrivacyChecker

GDPR Compliance in the United Kingdom

UK GDPR + Data Protection Act 2018 + PECR

TL;DR

Websites targeting users in the United Kingdom must comply with GDPR as implemented locally through the UK GDPR + Data Protection Act 2018 + PECR. The supervisory authority is the Information Commissioner's Office (ICO). Notable enforcement: British Airways fined for data breach (£20 million). Use our free scanner to check your website instantly.

Data Protection Authority

Authority: Information Commissioner's Office (ICO)

Local Law: UK GDPR + Data Protection Act 2018 + PECR

Language: English

Largest Fine: £20 million

Population: 67 million

Key Requirements for the United Kingdom

UK GDPR retained post-Brexit — largely mirrors EU GDPR

PECR (Privacy and Electronic Communications Regulations) governs cookies

ICO cookie guidance requires prior consent for non-essential cookies

Legitimate interest assessment (LIA) must be documented

Age-appropriate design code (Children's Code) for services targeting under-18s

International data transfers require UK adequacy assessment or safeguards

What Makes the United Kingdom Different?

Post-Brexit, the UK retained GDPR as domestic law (UK GDPR). The ICO has been shifting toward a more risk-based, innovation-friendly approach while maintaining core data protection standards. The UK has adequacy status from the EU until 2025.

United Kingdom Website Compliance Checklist

Cookie consent banner that requires opt-in before non-essential cookies

Privacy policy available in English

Clear identification of data controller and contact details

Data Processing Agreement (DPA) with all third-party processors

Lawful basis documented for each processing activity

Data Subject Access Request (DSAR) process in place

Data breach notification procedure compliant with 72-hour rule

Data Protection Impact Assessment for high-risk processing

International data transfer mechanisms documented (SCCs, adequacy decisions)

Records of processing activities (ROPA) maintained

Frequently Asked Questions

What are the GDPR requirements for websites in the United Kingdom?

In the United Kingdom, websites must comply with GDPR as implemented by the UK GDPR + Data Protection Act 2018 + PECR. Key requirements include obtaining explicit consent before setting non-essential cookies, providing a clear privacy policy, appointing a DPO when required, and notifying data breaches within 72 hours to the Information Commissioner's Office (ICO).

Who enforces GDPR in the United Kingdom?

The Information Commissioner's Office (ICO) is the supervisory authority responsible for enforcing data protection laws in the United Kingdom. It can investigate complaints, conduct audits, and issue fines up to €20 million or 4% of annual global turnover.

How can I check if my website complies with United Kingdom data protection laws?

Use PrivacyChecker's free scanner to perform an instant audit of your website. Our tool checks 25+ compliance points including cookie consent, privacy policy presence, security headers, tracker detection, and more, all relevant to the United Kingdom's GDPR requirements.
