Introduction
When the United Kingdom left the European Union, the EU General Data Protection Regulation did not simply cease to apply to UK organisations. Instead, the GDPR was incorporated into UK domestic law through the European Union (Withdrawal) Act 2018, creating what is now referred to as the UK GDPR. The UK GDPR sits alongside the Data Protection Act 2018, which provides supplementary provisions specific to the UK context.
For most purposes, the UK GDPR closely mirrors the EU GDPR. The core principles, individual rights, lawful bases, accountability requirements, and security obligations are substantially the same. However, there are meaningful differences that matter in practice — particularly around supervisory authority, international data transfers, and the UK’s ongoing data protection reform programme.
Organisations that process personal data in or from both the EU and the UK are not operating under a single framework. They are operating under two distinct frameworks that must each be addressed.
Who UK GDPR applies to
The territorial scope of UK GDPR mirrors the extraterritorial reach of EU GDPR. It applies to:
- Organisations established in the United Kingdom, regardless of where the data subjects are located.
- Organisations not established in the UK that offer goods or services to individuals in the UK, or that monitor the behaviour of individuals in the UK.
This means South African organisations with UK clients, UK-based website users, or UK operations may be subject to UK GDPR obligations independently of whether they are also subject to EU GDPR.
Organisations subject to UK GDPR must:
- Appoint a UK Representative if they are not established in the UK but are subject to UK GDPR on the basis of monitoring or offering services (equivalent to the EU GDPR Article 27 representative requirement, but specific to the UK jurisdiction).
- Maintain a UK-focused Record of Processing Activities that reflects processing activities directed at or involving UK data subjects.
- Designate a Data Protection Officer where required (the thresholds mirror EU GDPR: large-scale processing of special category data, public authorities, or systematic large-scale monitoring).
The ICO: the UK’s supervisory authority
The Information Commissioner’s Office (ICO) is the independent supervisory authority for data protection in the United Kingdom. It is the UK equivalent of the EU data protection authorities (DPAs) such as France’s CNIL or Germany’s BfDI.
For organisations operating under both EU GDPR and UK GDPR, this creates a dual-authority structure. Regulatory enquiries, complaints and enforcement investigations involving UK data subjects fall under ICO jurisdiction. Those involving EU data subjects fall under the relevant EU DPA — with the lead supervisory authority determined by the organisation’s main establishment in the EU.
ICO registration (the data protection fee)
Most organisations that process personal data in the UK are required to pay a data protection fee to the ICO. This is a registration obligation, not just a notification. Failure to register and pay the appropriate fee is a criminal offence under UK law.
Organisations are assessed against a tiered fee structure based on size and turnover. The obligation applies even to organisations not established in the UK that are processing personal data subject to UK GDPR — though in practice the ICO has focused enforcement on UK-established controllers.
Organisations with UK clients or UK operations should confirm whether they are within scope of the registration requirement and, if so, register before commencing or continuing processing.
Key divergences from EU GDPR
1. International data transfers
This is the area where EU GDPR and UK GDPR differ most significantly in practical terms.
From the EU to the UK: The European Commission granted an adequacy decision in favour of the UK in June 2021, allowing personal data to flow from EU member states to the UK without additional transfer safeguards. This decision was subject to a periodic review mechanism. Organisations relying on EU-to-UK data flows should confirm the current status of this adequacy decision, as it is subject to ongoing review and was not granted unconditionally.
From the UK to third countries: The UK has established its own international transfer framework, operating independently of the EU’s adequacy and transfer mechanism regime. The key mechanisms are:
- UK Adequacy Regulations — the UK has made its own adequacy determinations for a list of countries it considers to provide adequate protection. The UK’s list does not automatically match the EU’s list; they overlap substantially but differ in some respects.
- International Data Transfer Agreement (IDTA) — the UK’s equivalent of EU Standard Contractual Clauses. The IDTA was issued by the ICO and came into effect in March 2022. Organisations that use EU SCCs for transfers from the UK were required to transition to the IDTA (or an approved addendum to EU SCCs) by March 2024.
- Binding Corporate Rules (BCRs) — UK BCRs operate separately from EU BCRs and require ICO approval.
Post-Brexit, organisations that assumed their EU GDPR transfer mechanisms automatically covered UK data flows were mistaken. A UK-to-South Africa data transfer requires a UK transfer mechanism — either a UK adequacy decision covering South Africa (which does not currently exist) or an IDTA.
2. Exemptions and derogations
The Data Protection Act 2018 contains a number of UK-specific exemptions that are broader in some respects than their EU equivalents. These include exemptions for journalism, research, national security and law enforcement. Organisations relying on specific derogations should confirm whether the applicable provision is EU-GDPR-derived or UK-specific.
3. UK data protection reform
The UK has pursued a reform programme aimed at diverging from the EU GDPR framework in targeted areas. The legislative trajectory has been subject to political change and successive parliamentary processes, and organisations should monitor current UK legislation to understand what obligations apply at any given time. Areas of reform have included risk-based approaches to Data Protection Impact Assessments, the DPO requirement, cookies and consent, and the operation of the legitimate interests basis.
The core accountability and rights framework has remained stable, but the regulatory interpretation and enforcement approach of the ICO has in some areas diverged from the position of EU supervisory authorities.
Implications for organisations subject to both
Organisations subject to both EU GDPR and UK GDPR face a dual compliance obligation. In many areas, compliance with one framework will substantially satisfy the other — the core principles, rights and accountability structures are aligned. However, the following areas require separate attention:
- Transfer mechanisms — EU and UK transfer mechanisms operate independently. A transfer to a third country requires a valid mechanism under each framework separately.
- Representative appointments — EU GDPR and UK GDPR each require a local representative for non-established controllers. A single entity cannot serve both functions; separate appointments are required.
- Supervisory authority engagement — complaints, breach notifications, and regulatory engagement are directed to the ICO for UK data subjects and the relevant EU DPA for EU data subjects.
- ICO registration — this is a UK-specific obligation with no direct EU equivalent at the framework level.
- Policy documentation — privacy notices, DPIAs and processing records may need to reflect both frameworks if a single document is used across jurisdictions.
Practical steps for affected organisations
Organisations with UK data processing activities that have not separately addressed UK GDPR compliance should:
- Confirm whether UK GDPR applies on the basis of establishment, service offering, or monitoring.
- Assess whether ICO registration and fee payment is required.
- Review international data transfer mechanisms to confirm that UK-specific mechanisms (IDTA or adequacy) are in place for any transfers out of the UK.
- Confirm whether a UK Representative appointment is required.
- Review privacy notices and processing records to ensure they are accurate for UK data subjects.
- Monitor UK data protection reform developments that may affect current compliance positions.
How this relates to POPIA and EU GDPR
For South African organisations that are already operating under POPIA and EU GDPR, UK GDPR adds a third framework with substantial overlap but distinct obligations in the areas above. The good news is that much of the governance infrastructure built for POPIA and EU GDPR — accountability frameworks, processing records, security controls, rights-handling processes — transfers directly. The incremental work required for UK GDPR compliance is largely confined to ICO registration, UK-specific transfer mechanisms, and Representative appointment where required.
Metatrans works with organisations across all three frameworks and can assess the gap between your current compliance position and UK GDPR requirements.