GDPR, a data protection law, came into force across the EU in 2018 before the UK officially exited the European Union. Upon Brexit, the UK adopted this law among others, creating our own UK GDPR to maintain the same high standards of personal data confidentiality. GDPR applies to all businesses, big or small, that operate with data subjects in the UK. One challenge for the CISO is considering how and why your organisation is collecting the data of their customers, and to stop working with information that doesn’t meet the requirements.
By only working with third parties that can prove legal compliance to the UK Data Protection Act through certification, such as Trustpair, you can also avoid the liability of violations throughout the supply chain.
UK General Data Protection Regulation: definition
The UK GDPR is a law which governs how businesses can access and process personally identifiable information, such as names, ID numbers, contact details like addresses and more. It was largely created in response to some businesses that were selling on personal data relating to customers without consent. The UK GDPR therefore sets limitations around why customer data is collected and managed. It ensures that it meets fundamental rights and is for legitimate interest purposes only.
The data protection regulation involves three types of participants:
- Data subjects: these are the individuals whose personally identifiable data is collected. Under this law, data subjects have various rights, which will be discussed later on.
- Data controllers: the body which determines how personal data is used and why it is required
- Data processors: the body which collects, uses, treats and stores the data, on behalf of the controller
If you’re already familiar with the EU’s version of GDPR, you can breathe a sigh of relief, because the UK’s version is pretty much identical. The law was initially brought into the EU while the UK was still a member state. When Brexit happened in December 2020, the UK experienced a transition period where they took over regulation of this law (and many others) domestically.
What are the UK GDPR’s 7 key principles?
The 7 key principles of UK GDPR are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
| Principle | Definition | Example |
|---|---|---|
| Lawfulness, fairness and transparency | There must be a legal basis for data processing, and this must be made clear to data subjects | A statement on your website explains why your business collects cookie data and asks for user consent |
| Purpose limitation | Data must only be collected for specified purposes that data subjects have consented to | Your collect customer address data only for the purpose of shipping, and not to send personalised advertising leaflets to your customers house |
| Data minimisation | You must only collect data that is necessary for the stated purpose, and nothing more | When a customer signs up for emails, you only collect their name and email address – not IP or location data |
| Accuracy | All reasonable steps must be taken to ensure data is accurate and up to date, with corrections or deletions where necessary | If a customer provides their date of birth as 1885, it’s likely there has been a typo, which, once recognised, must be rectified to legally store the information |
| Storage limitation | Keep data for only as long as necessary for its consented purpose | Once a supplier contract ends, their phone number must be removed from your vendor database |
| Integrity and confidentiality | Secure data against unauthorised sharing (accidental or intentional, such as corporate fraud) for data protection | Best practices include data access restrictions, encryption and incident response planning |
| Accountability | Demonstrate compliance and show you are responsible for the data in your care | Implementing a reporting structure with documented responses to data subject request |
Who does it apply to?
Businesses are the primary group subjected to GDPR, but you must confirm whether you are considered a data controller or processor, since the rules differ slightly for each. The most common occasions for GDPR enforcement are in the collection of customer data or supplier information.
In fact, any organisation that operates with data subjects based in the UK are subject to GDPR, and those also operating in the EU must comply with the EU’s version of the data protection law.
How to be compliant?
Compliance with UK GDPR is all about following the regulations’ principles in an organised and purposeful way.
An overall data matrix is helpful to know the data you hold and its purpose- acting as a data audit function. Use this to figure out which of the data is sensitive, and might require different treatment, to the non-personally identifiable information.
Determine your data governance strategy and implement any policies necessary to succeed with GDPR compliance. This includes securing your data.
A common pitfall here is for businesses to secure their own data, but forget about the information flowing through their supply chain, leading to cracks and areas of vulnerability. But if you’re subject to UK GDPR, then companies doing work on your behalf are also subject to UK GDPR, and you could get penalised for their non-compliance.
Know Your Supplier (KYS) is a helpful due diligence measure in this instance, and any changes can consistently be monitored throughout your vendor management database.
Side note: if you partner with Trustpair, you won’t have this issue. We respect the highest data security standards on behalf of our clients thanks to certifications for SOC 2 and ISO 27001.
Finally, consider planning for a data breach, including devising strategies for detection and response. While your data security measures should prevent personal data breaches, documenting response plans can help to prove compliance with GDPR. It can also help you prepare, so that the effects of a breach are minimised and don’t lead to worst case scenarios.
Penalties for non compliance to UK GDPR
Part of the UK government, the Information Commissioner’s Office (ICO) is the official authority for GDPR non-compliance penalties. The top fine could reach £17.4 million, or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. There have been a few cases of criminal convictions alongside these fines for individual failings, too.
In the European Union, the biggest fine thus far has been €1.2 billion by the Irish Data Protection Commission (DPC) issued to Meta. The UK’s fines seem to pale in comparison, and in 2024, the two biggest fines totalled £750,000 and £350,000 respectively.
A turning point happened in 2023 when the ICO began cracking down on website cookie policies. Sky Betting and Gaming was reprimanded for its ill-fitting consent gathering when using advertising cookies on its website. Since January 2025, the regulators has been actively reviewing the UK’s 1000 biggest websites regularly for compliance. But smaller companies are not exempt – and should make every effort to demonstrate their compliance to the UK’s GDPR.
Compliance with UK GDPR is key
The UK’s GDPR is a unique type of regulation because it applies at a widespread level – to any entity that collects or processes the personally identifiable information of UK citizens. Demonstrating compliance means auditing and securing your data, especially across the supply chain, and certified SOC 2 or ISO third parties like Trustpair help respect these rules.
