How to Comply with the UK GDPR


The General Data Protection Regulation (GDPR) is a law that governs how organisations process personal data.

It came into force across the EU on 25 May 2018 to ‘harmonise’ data privacy laws across member states and to control how organisations, businesses, and governments use an individual’s data.

Previously, many companies treated customers’ personal data as a resource they could utilise without regard for the rights of individuals. For example, some companies sold customers’ email addresses, allowed sensitive data to be seen by unauthorised people, and failed to adequately protect data against hackers.

The GDPR was designed to provide further protection and rights to individuals by strengthening the safeguards shielding important information from corruption, compromise, or loss.

What is the UK GDPR?

The GDPR leaves EU member states room to legislate on certain points to suit their own needs. In the UK this resulted in the Data Protection Act 2018 (DPA 2018), which replaced the Data Protection Act 1998.

Following the UK’s exit from the EU (Brexit), the UK implemented its own version of GDPR (the UK GDPR) to sit alongside the DPA 2018. This came into effect on 1 January 2021.

The UK GDPR is enforced by the Information Commissioner’s Office (ICO) and is virtually identical to the EU GDPR, although it expands its scope in three areas: national security, intelligence services, and immigration.

The UK GDPR sets out seven key principles that UK businesses must abide by when processing customers’ personal data. These seven data protection principles are:

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

What are a business’s primary responsibilities under the UK GDPR?

The UK GDPR affects every business in the UK that holds personal data about its staff or customers, and it touches many areas of commercial operations, such as recruitment, sales, and marketing.

Under the UK GDPR, individuals (‘data subjects’, which includes customers and staff) have the right to:

  • Access their personal data.
  • Be informed about the collection and use of their personal data.
  • Rectify inaccurate or incomplete personal data.
  • Erase their personal data (‘the right to be forgotten’).
  • Restrict the processing of their personal data.
  • Data portability: obtain and reuse their personal data for their own purposes across different services.
  • Object to their personal data being processed in certain circumstances, such as direct marketing.
  • Not be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them.

Under the UK GDPR, the onus is on the company to be able to demonstrate compliance (the accountability principle). For example, where processing relies on consent, the organisation must be able to show that the individual actually agreed to it, such as opting in to a newsletter.

In practice this means keeping a time-stamped audit trail for each consent: who gave it, when, what they opted into, how it was captured (web form, paper form, phone call), what they were told at the time, and when it was withdrawn if it later was.
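The audit trail described above is the one requirement on this page that a developer has to build rather than write a policy for. The following Python is an added illustration, not code from the original page or from AML & Compliance, of one way to keep it: an append-only consent log in which every event is time-stamped in UTC and chained to the previous event by a SHA-256 hash, so a later edit to any record is detectable, together with a lookup that answers the question an ICO investigator would ask: ‘what proof did you hold that this person consented to this purpose at that time?’. The subject identifier, purpose names, notice versions and sample events are constructed for the example.

```python
"""Added example: a tamper-evident, time-stamped consent audit trail.

Not code from the original page or from AML & Compliance. Field names,
purposes, notice versions and the sample events are assumptions for
illustration only.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first event in an empty log


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # pseudonymous identifier for the data subject (assumed)
    purpose: str         # processing purpose consented to, e.g. "newsletter" (assumed)
    action: str          # "granted" or "withdrawn"
    method: str          # how consent was captured, e.g. "web_form:v3" (assumed)
    notice_version: str  # version of the privacy notice shown at the time (assumed)
    timestamp: str       # UTC, ISO 8601 with seconds precision, e.g. 2023-10-01T09:15:00+00:00
    prev_hash: str       # hash of the preceding event (chains the log)
    event_hash: str      # SHA-256 over all other fields, canonically serialised


def _canonical(fields: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class ConsentLog:
    """Append-only list of ConsentEvents; never update or delete in place."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, action: str, method: str,
               notice_version: str, timestamp: Optional[str] = None) -> ConsentEvent:
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        # Default to the current UTC time; callers may pass a fixed value for replay/tests.
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self._events[-1].event_hash if self._events else GENESIS
        fields = dict(subject_id=subject_id, purpose=purpose, action=action, method=method,
                      notice_version=notice_version, timestamp=ts, prev_hash=prev)
        event = ConsentEvent(**fields, event_hash=hashlib.sha256(_canonical(fields)).hexdigest())
        self._events.append(event)
        return event

    def verify(self) -> bool:
        """True if every event's hash matches its content and the chain is unbroken."""
        prev = GENESIS
        for ev in self._events:
            fields = asdict(ev)
            fields.pop("event_hash")
            if ev.prev_hash != prev:
                return False
            if hashlib.sha256(_canonical(fields)).hexdigest() != ev.event_hash:
                return False
            prev = ev.event_hash
        return True

    def consent_at(self, subject_id: str, purpose: str, at: str) -> Optional[ConsentEvent]:
        """Return the 'granted' event proving consent for `purpose` at time `at`, or None.

        The most recent event at or before `at` decides: a later 'withdrawn' cancels it.
        ISO 8601 UTC strings of equal precision compare correctly as plain strings.
        """
        proof = None
        for ev in sorted(self._events, key=lambda e: e.timestamp):
            if ev.subject_id != subject_id or ev.purpose != purpose or ev.timestamp > at:
                continue
            proof = ev if ev.action == "granted" else None
        return proof


def build_sample_log() -> ConsentLog:
    """Constructed sample: one subject opts in to a newsletter, then unsubscribes."""
    log = ConsentLog()
    log.record("subj-42", "newsletter", "granted", "web_form:v3", "notice-2023-09",
               "2023-10-01T09:15:00+00:00")
    log.record("subj-42", "newsletter", "withdrawn", "email_unsubscribe", "notice-2023-09",
               "2024-02-14T18:00:00+00:00")
    return log


def tampered_log_verifies() -> bool:
    """Silently rewrite how the consent was captured and check whether verify() notices."""
    log = build_sample_log()
    log._events[0] = replace(log._events[0], method="sms")  # bypass the append-only API
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("consent on 2023-12-01:", sample.consent_at("subj-42", "newsletter", "2023-12-01T00:00:00+00:00"))
    print("consent on 2024-03-01:", sample.consent_at("subj-42", "newsletter", "2024-03-01T00:00:00+00:00"))
    print("tampered log verifies:", tampered_log_verifies())
```

The hash chain only makes tampering detectable, not impossible: anyone who can rewrite the log can recompute the chain. In a real deployment, periodically anchor the latest `event_hash` somewhere the log writer cannot alter (a separate signed store, or a write-once bucket) so that an investigator can check the chain against an independent reference.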

What must a company do if there is a data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Under the UK GDPR, a breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO without undue delay and no later than 72 hours after the organisation becomes aware of it. Every breach, reportable or not, must be recorded internally along with the reasoning behind the decision.

If the breach is likely to result in a high risk to individuals’ rights and freedoms, the company must also inform those individuals without undue delay.

What are the penalties for non-compliance with the UK GDPR?

Penalties for non-compliance with UK GDPR can be severe. For serious breaches of the data protection principles, the ICO can issue fines of up to £17.5 million or 4% of a company’s annual worldwide turnover, whichever is higher.

Over the past few years, the ICO has handed out significant penalties where companies have failed to protect customer data. In 2020 to 2021 it issued a record £42m in fines, a 1580% increase on the previous year.

The heaviest ICO fines in recent years include:

  • British Airways: £20m fine (2020).
  • Marriott Hotels: £18.4m fine (2020).
  • TikTok: £12.7m (2023).
  • Clearview AI: £7.5m fine (2022).
  • Ticketmaster: £1.25m fine (2020, for a 2018 breach).
  • Cabinet Office: £500k fine (2021).
  • Doorstep Dispensaree Ltd (Pharmacy): £275k fine (2019).

Not all GDPR infringements lead to fines. The ICO has a range of other enforcement powers, including:

  • Issuing warnings and reprimands.
  • Imposing a temporary or permanent ban on data processing.
  • Ordering the rectification, restriction, or erasure of data.
  • Suspending data transfers to third countries.

Solutions for GDPR and Data Protection

Compliance with the GDPR and Data Protection Act 2018 is fundamental for all businesses and is particularly important for regulated entities, as a breach will attract the attention not only of the Information Commissioner’s Office (ICO) but also of their own regulator.

The impact of breaches can be significant, and avoiding breaches comes from ongoing maintenance of policies and regular reviews of their implementation.

Well-documented processes and procedures are critical for a business to ensure compliance and, importantly, to be able to respond quickly in the event of a breach or investigation.

Ongoing training of all staff members is also crucial to ensure employees remain aware of their obligations and to ensure a business can make a full, targeted and coordinated response.

At AML & Compliance, our services for GDPR and Data Protection Compliance include:

  • Policy drafting and maintenance.
  • General terms and conditions and contracts.
  • Website policies and documentation.
  • Breach advice and guidance.
  • Register management.
  • Training for Data Protection Officers and staff.
  • Independent auditing.
  • ICO breach reporting.
  • Subject Access Request responses and management.

The GDPR and Data Protection Act require constant management, and our support gives internal officers the additional help they need to make a business compliant and keep it compliant.

We can deliver our solutions in the following packages. Click the buttons below to view our brochures and find out more.

GDPR & Data Protection Compliance Service

GDPR & Data Protection Act 2018 Guidance

Get In Touch

To learn more about our data protection and GDPR services and to find out how AML & Compliance can help your business, call us on 0203 985 8553, email us at, or complete an online enquiry form.