The UK GDPR explained

Blog
Vibeke Specht
The United Kingdom has its own version of GDPR. But why is that, and how is it different? Here we explain everything you need to know about the UK GDPR, including what you should do to comply with it.
Table of Contents
UK GDPR

What is the UK GDPR?

Since Brexit the General Data Protection Regulation (the GDPR) no longer applies in the UK. But it kind of does anyway because the UK implemented its own version of the GDPR.

So it’s a same-same-but-different-kind-of-a-situation.
Let’s figure out why.
Realising Brexit was unavoidable, the United Kingdom implemented its own version of the GDPR, almost identical to the original. It took effect back in 2020, January 31, to be precise.
But this was not done in a heartbeat. The country needed to make some adjustments.
One way of understanding why is realising that the word regulation in the General Data Protection Regulation does not mean the same thing in the UK as in the EU.
In the EU, a regulation is a law that applies directly to all member states; there is no need to transpose it into national legislation. In the UK, however, a regulation is a piece of sub-law that supports a primary law by clarifying things about it. And a primary law is more of the real deal, a.k.a. a law enacted by the Parliament.
A Primary Law is passed by Parliament, also called an Act of Parliament. Regulations are passed by authorities under powers given by an Act of Parliament and are known as Statutory Instruments.
Authorities refer to government ministers or departments. “Under powers” means they have been granted specific legal authority by an Act of Parliament to create detailed rules or regulations necessary to implement the primary law.
Anyway.

In order for there to be a UK GDPR in the post-EU-United Kingdom, there needed to be a primary legislation that could envelope it. Luckily there was one, called the Data Protection Act 2018, which was passed by the UK Parliament already in 2018.

So, the UK GDPR was “put inside” the Data Protection Act 2018.
But isn’t this just semantics?

One could say that because, formally, the UK GDPR is part of the Data Protection Act 2018. Or as the Government in the UK writes on their site:

“The Data Protection Act 2018 is the UK’s implementation of the GDPR”.

Or at least it was at the start, and then it became so again, but differently during/after Brexit.

Why did this primary law come into force on the same day as the GDPR?

Because the UK had to, or chose to, create a data protection framework “inhouse” that could align with the EU GDPR. They basically wanted to roll out the red carpet for the GDPR so it felt comfy and welcomed in the UK legal landscape in its unaltered entirety, and thus could be consistently implemented across the country.

When Brexit came along, the UK had to, as explained, adjust the legal context by transforming the GDPR to a UK GDPR. This meant that things had to be moved around a little bit so data protection in the UK could keep calm and carry on in a “same, same, but different” way.

The need for data flow between the UK and EU

Do note that the UK has a huge interest in ensuring free flow of data between the UK and the EU post Brexit. By “keeping” the GDPR they made it easier for the EU Commission to clear them as a safe third country which EU-states could share data with.
And then there’s those supporting legislations. As mentioned, the Data Protection Act 2018, as for any primary law in the UK, needed (and needs) some secondary legislation to be operational.

EXPERTS OPINION

What do you think increased enforcement activities from the ICO will mean for digital marketers and advertisers moving forward in the UK? What is your advice to them?

“Right now, marketers must prepare as well as they can, but they shouldn’t be overly fearful of the ICO. The truth is actual fines for marketing haven’t occurred in over a year! And these fines are just for SMS spam, Robo calls or unsolicited emails. I can’t see any cookie banner fines or remarketing fines in the list.

With this being said, the ICO do have a new executive director and they did mention ‘Our bots are coming for your bots’. This probably means that the ICO are about to ramp things up, and they’re potentially deploying some new tech to do so.  

My advice is always to maintain a strict adherence to privacy compliance. But if you are especially concerned about what the ICO are actually clamping down on, keep a close eye on what fines have been issued by the ICO.

Another piece of advice is to find out tools/tech the ICO are using and to run the testing on your own site before they do. We developed a Consent Mode Monitor tool to check your GTM setup compliance and whether you have Consent Mode v2 active. This could be the type of thing the ICO uses.”

Phil Pearce
Founder & CEO, MeasureMinds

Secondary legislations for UK GDPR

Primary legislation like the Data Protection Act 2018—and subsequently the UK GDPR—needs detailed rules and guidelines to be actionable. These secondary supporting regulations are also known as statutory instruments (SI).

The SIs are created by government ministers or other authorities and make, as mentioned, the primary body of legislation fit for battle.

The 4 most important secondary regulations for the UK GDPR

1. The Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019: This is like the Brexit Update Pack regulations. They tweak the existing rules to fit the new post-Brexit context.
2. The Data Protection Act 2018 (Amendment) (EU Exit) Regulations 2019: Like no.1 but more like fine-tuning the primary data protection law.
3. The Data Protection (Charges and Information) Regulations 2018: Data controllers need to pay a fee to the data protection authority in the UK, meaning the Information Commissioner’s Office (ICO). These regulations set out the requirements around this.

4. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR):
So this one is special. PECR is not strictly part of the UK GDPR framework. But it works so closely alongside it—to regulate electronic marketing, cookies, and other aspects of online privacy—that it feels inseparable from the framework in practice.

Note that the PECR came about way back in 2003 and was, until Brexit, an SI for another primary law: the European Communities Act 1972.
Yes, the PECR is basically the so-called ePrivacy-directive—often a bit misleadingly called the cookie law— which all EU countries (including the UK, which became an EU member in 1973) had to implement into their own national legislation by 2003. Because, unlike an EU-regulation, an EU-directive is a more flexible instrument.
Let’s summarise.

The UK GDPR in a nutshell

The UK GDPR is formally (within) The Data Protection Act 2018.

Alongside its various supporting regulations, plus the PECR (the “UK version” of the ePrivacy Directive), this act constitutes the legal framework for data protection in the UK.

Now, the question begs: How do you, as a marketer, become compliant with the UK GDPR?

As with its template, complying with the UK GDPR might seem daunting. Let’s make it less so.

I’ll start by addressing whether adhering to the original GDPR is sufficient. Then, I’ll dive into the specific areas marketers need to focus on, from obtaining consent to managing cookies. I’ll also mention something about data subject rights.

EXPERTS OPINION

What advice would you offer marketers who want to adhere to current and upcoming UK data and tracking protection laws? Additionally, what are your thoughts on the ICO’s enforcement activities?

“It is important to understand which market you serve. Do your compliance obligations mainly lie in the UK, possibly the US, or continental Europe?

While it is true that the UK GDPR still runs parallel to the GDPR, if it had not been for the elections the parliament would have voted on a bill proposing to reform the UK GDPR in a way that is not in line with the European project. If it goes through, it could affect the current data transfer agreement between the UK and the EU, which is up for review next year (2025).
On the Western end, since Brexit, the UK and the US have grown closer, especially in opportunities related to fundamental human rights like privacy, as seen in recent changes in international data transfers. This might indicate a shift away from recent PECR interpretations where the ICO does not allow “continuing to scroll a website’s page” to count as consent for tracking.

I would not be surprised if the UK moves towards an opt-out model for data privacy within the next five years instead of the current opt-in obligations. The main issue is the right to action, which allows individuals to sue for data privacy violations. This is being tested in UK courts, while the US seems to oppose such a right, as shown by Vermont’s recent veto of similar legislation.”

Aurélis Pols
DPO, Privacy Engineer & Founder of AP & Associates

Is complying with the Original GDPR enough?

If I am compliant with the ePrivacy directive and the GDPR, am I then also compliant with the UK GDPR?

The answer to this question is mostly yes. But there are some tweaks.

As stated previously, the UK GDPR mirrors the original GDPR closely. Still, there are some differences you need to be aware of due to the Brexit adjustments.

They are:
  1. Data Transfers
  2. UK representatives
  3. ICO Fees

Data Transfers

After Brexit, transferring data between the UK and the EU can involve additional steps.
There is currently a data transfer agreement between the EU and the UK, a so-called adequacy decision, in place until 2025. Hence, you do not need additional safeguards for most data transfers at the moment. Do keep tabs by bookmarking this guidance page from the ICO.

UK Representatives

Suppose you are not a marketing agency or business established in the UK, but you process data on UK residents. In that case, you might need to appoint a UK representative.
This is so the ICO can have a point of contact with your company for data protection issues.
Appointing a UK-based representative is also handy since you have someone on the ground who can handle data protection issues and liaise with the ICO. For more information, see the ICO’s guidance on UK representatives.

ICO Fees

As mentioned earlier, in the UK, data controllers pay a fee to the Information Commissioner’s Office (ICO). So make sure you are registered and up to date with your payments. For more information, see this page at the ICO.

How do you comply with the UK GDPR?

The UK GDPR is a big piece of legislation.

How you, as a website owner or marketer, need to address it depends on the company you represent and what they/you want to do, need to do, and have to do regarding collecting, storing, and processing personal data.

Usually, the more you want to collect, process, and share data, the more work you have to put down from a legal perspective.
To keep things simple, remember that it comes down to respecting every human being’s right to privacy. The UK GDPR does not allow you to collect and process any personal data without legal grounds.
With that said, let’s make UK GDPR tangible by outlining its building blocks so it makes sense for you as a digital marketer.

The ABC of the UK GDPR

1. What is the scope of the UK GDPR?

Every marketing agency, company, or organisation that processes the personal data of individuals in the UK, regardless of where in the world the company is based, has to comply with the UK GDPR by having legal grounds for it. Personal data is any data that can—directly or indirectly—identify an individual, from name to online identifiers like cookies and IP addresses.

2. What are the principles of the UK GDPR?

The backbone consists of a couple of supporting pillars.
One is that personal data must be processed in a transparent, fair, and lawful manner. So, those email addresses and other data you collect about leads and customers have to be handled with care.
Another is about knowing why you are collecting it and specifying the reason, and then making sure you do not use it for anything beyond that purpose. Closely related to the latter is the requirement that you collect only the minimum amount of data needed for your purpose.
The data also needs to be kept accurate and updated—and never longer than necessary. If you, for example, collect email addresses for a newsletter subscription, you can only use those email addresses to send the newsletter. Suppose you later decide to run a marketing campaign. In that case, you must obtain explicit consent from your subscribers before using their email addresses for this new purpose.
As a company owner, you have to ensure that the marketing department has processes set up for this. You also have to be able to show that you regularly update and correct data and delete it when it is no longer needed.

3. What rights do the UK GDPR address?

So, this one is also pretty straightforward. An individual—the data subject—has the right to their own data, which means that they are in charge of what you are allowed to do with it.

You have to give a person access to their data if they want it and correct and erase it if the person requests that. They also have the right to data portability* and the right to object and restrict how you process the data.
*Data portability means that the individual has the right to receive their personal data in a structured, commonly used and machine-readable format, so they can transfer that data to another organisation without hindrance. Luckily there are some pretty good systems that can help you automate these tedious tasks, so you can act on requests fast.

4. What obligations do I have under the UK GDPR?

As an organisation or company, you need to have processes and tools in place that allow you to handle personal data in a way that complies with all the requirements of the UK GDPR.

In addition, if you have high-risk processing activities, you have to assess the impact of this and also report any data breach to the ICO within 72 hours.
If you, for example, as a marketer, analyse online user behaviour across multiple platforms to send them targeted ads based on health or financial data, you are engaging in high-risk processing activities.
Also read: Fined 15 million for using the Meta pixel

Summary

When trying to understand how the UK GDPR applies to you, always remember that it is better to be safe than sorry, that less is always more, and that the data subject is king.
While keeping this in mind, it is time to move on to the part where the UK GDPR overlaps with the ePrivacy directive and thus online tracking and website compliance, which for most marketers is ground zero for data protection compliance.

Also read: What is the UK Data Protection and Digital Information (No. 2) Bill? 

EXPERTS OPINION

What do you think increased enforcement activities from the ICO will mean for digital marketers and advertisers moving forward in the UK? What is your advice to them?
“Digital marketers and advertisers have been talking about taking steps toward privacy-centric and customer-choice strategies for several years now. Increased enforcement and regulation are really the only options the ICO has to effect change. There is no incentive for businesses to adopt different practices, and there has been very little incentive for browsers or suppliers to change their profitable models.
I think it will mean digital marketers and advertisers begin to finally consider the value exchange required in data transactions. To leverage their audiences, digital marketers will need to demonstrate an offering that is so compelling it can’t be found elsewhere, or they will need to be prepared to pay in some metaphorical way for the use of audience data. My advice centers on first-party data and brand loyalty/brand identity—and the impact brands will have on data collection in the coming years.
Brands need to increase advocacy levels to the point of maximum benefit to the individual. Only then will they believe parting with their data is worth it. Sure, on the technical side, there are many tips and tricks I could offer—there is a huge movement to leverage server-side tracking, and that will help in the short to medium term, but that will have regulations soon too. The only 100% future-proof way is to build an army of an audience—robust against regulation.”
Dan Truman
Director at Duga Digital

Where the UK GDPR meets the "UK ePrivacy Directive"

As mentioned, the UK has its version of the ePrivacy Directive (Directive 2002/58/EC, updated to 2009/136/EC where the consent requirements were changed from opt out to opt in) called the Privacy and Electronic Communications Regulations (PECR).

As the EU version, the PECR gives people specific privacy and confidentiality rights regarding electronic communications. And similar to how it is in many EU member states the PECR overlaps with the GDPR/UK GDPR.

The PECR is as a whole very relevant for marketers to understand even though the parts about marketing calls, emails and tracking technologies like cookies are the ones we as marketers need to take particular interest in.
Also note that the UK enforcement authority on the matter, the ICO, is explicit about its intent to take enforcement actions against organisations that do not comply with the PECR.

Also read: How the ICO is leveraging AI to enforce cookie- and tracking-compliance

They include criminal prosecution, non-criminal enforcement, audits, and monetary penalties of up to 500,000 pounds. They are also not mutually exclusive. The ICO can combine them “where justified by the circumstances.”
If you want to learn more about how the PECR regulates marketing through calls, text, emails, and faxes, the ICO has a great section about that here. Moving on, we will break down what you need to know and do as a website owner and advertiser to conduct compliant marketing.

The central role of consent in the UK GDPR

The UK GDPR has 6 (six) legal grounds or lawful basis one can lean on to collect and process personal data. However, to track and retarget visitors to your website, consent is the go-to legal basis.

The 6 lawful bases in the UK GDPR
  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests
  5. Public tasks
  6. Legitimate interest
See this guide at the ICO for more details on when the different lawful bases can be used.

Note that the PECR aligns with the ePrivacy Directive regarding consent. This means both require consent for using cookies and other similar technologies. Consequently, the ICO recommends that consent is the only lawful basis for using cookies. Don’t even think about using legitimate interest.

That last part is important since a “misunderstanding” exists that legitimate interest can be used. This has been “debunked” by the European Data Protection Board and the EU Court of Justice. The UK’s ICO post-Brexit is of the same sentiment.
So, while the PECR explicitly mentions consent, the UK GDPR holds its hand by defining it. This definition of consent is fundamental for understanding what you, as a marketer and website owner, are required to do if you want to deploy certain services that help you and your partners track, identify, and profile your visitors or users.
Also, be mindful that the same rules around consent apply if you have a mobile application.

What is consent?

While the PECR requires that users or subscribers consent to cookies and other similar technologies being set or used on their devices, it does not define consent.
Do you remember those Statutory Instruments or additional regulations which support and make the UK GDPR operational, as mentioned earlier in this post?

The first one on that list helps bridge the PECR with the UK GDPR regarding consent. It does so by stating that what the PECR means by consent is how the UK GDPR defines what consent is. This means that consent counts when the person has been able to give it freely to something that is specified and specific, and they have been able to do that based on clear and unambiguous information.

The UK GDPR also clarifies that if you are collecting consent, then:
  1. you have to be able to prove it,
  2. you cannot bundle consent with other other terms and conditions,
  3. the consent request must be easy to understand and access,
  4. it must be easy for your visitor to withdraw consent at any time. 

Note how the UK-GDPR bans pre-ticked boxes – silence or inactivity does not constitute consent.

What is cookie consent?

If we translate the consent requirements as per PECR and the UK GDPR, it can be jotted down to six (6) main dos and don’ts.
  1. A user who visits your website without touching the cookie-banner is not consenting. The person must actively give their consent to non-essential cookies.
  2. Your website must inform the visitors what cookies you want to set and what they do before they can say yes or no.
  3. And suppose you use scripts that set third-party cookies. In that case, you have to clearly and specifically name who the third parties are and explain what they will do with the information.
  4. You cannot use pre-ticked boxes or toggles set to “on” or anything similar for non-essential cookies.
  5. You must give visitors control over non-essential cookies and ensure they have access to the site even if they say no to these cookies.
  6. Last but not least, setting any non-essential cookies or running similar technologies before the user consents is a big no-no.

What is a strictly necessary cookie?

It’s easy to get confused when it comes down to the technicalities of cookies. But to sort out what makes some cookies necessary and others not, one can simply conclude that it is about whether they are vital for a website to work properly or not.

A necessary cookie helps with essential tasks like keeping your visitors’ shopping cart items “intact” or ensuring secure logins. So the reason you do not need to collect consent for strictly necessary cookies is because they are crucial for the website to function as a visitor would expect.
While this is a technical viewpoint of a cookie (and similar technologies), another angle is how the cookie relates to “personal data”.

What are the consent requirements for cookies in the UK?

If you want to store cookies on a visitor’s browser, for example, and, by doing so, access or store information, you must have consent. The PECR mandates this.

So, this consent requirement is not a UK GDPR thing but more of an electronic communications thing Ă  la PECR.

The distinction is quite interesting because while the UK GDPR is all about privacy* the PECR is wider or different in its scope because of its focus on electronic communications and the concept of confidentiality and “surveillance”.
This is why even if cookies do not contain personal data, consent is still necessary. It is necessary because the scope of the PECR takes into account that even if a specific variable in a tracking technology, like a cookie, is not classified as personal data*, it can still impact user privacy—and thus requires consent.

And yes, the same relationship exists between the ePrivacy Directive and the GDPR.

*The UK GDPR states that online identifiers, such as cookie identifiers, can be linked to individuals and used to create profiles, making them identifiable.

Do the UK GDPR and PECR cookie requirements only apply to websites?

No, not at all. The rules apply to ANY technology that stores information or access information stored on your users’/visitors’ devices.

The ICO is very helpful and clear on their guidance here, stating that, for example, mobile apps are very much included, even if they are developed with embedded software development kits (SDKs) or other frameworks—and thus do not technically use cookies. The ICO also politely asks you to remember this if you incorporate someone else’s software code into your app.

Do the cookie requirements also apply to fingerprinting?

Yes, as you have probably guessed, the cookie requirements under the PECR also apply to fingerprinting. There is plenty of room under the notion “[…] and other similar technology.”
The ICO underlines that the PECR covers any technology that stores or accesses information on a user’s device.

This includes not just cookies, but also methods like HTML5, local storage, Local Shared Objects, and fingerprinting techniques.
Fingerprinting is a concept that describes how someone’s device, like a computer or mobile phone, can be identified, such as:
  • Device configuration data
  • Network protocol data
  • CSS information
  • JavaScript objects
  • HTTP header information
  • Clock information
  • TCP stack variations
  • Installed fonts and plugins
  • API usage
Source: ICO
Other technologies, like pixels and plugins, are also subject to these rules. These include so-called tracking pixels in emails, which you can use to record information about when and where an email is opened.

Do the PECR and the UK GDPR ban tracking?

No, the PECR (and the UK GDPR) do not ban the use of these technologies, but they require you to inform your visitors and users about them and get their consent before you store or access information on their devices.

With that said, now what?
Where do you start as a marketer keen on being UK GDPR compliant while ensuring sound data collection?

Marketer, start your UK GDPR compliance journey here

Not all personal data at your marketing agency, your clients’ organisations, or at the company, if you’re working in-house, are leads or customers stemming from marketing endeavours. But as a marketer, you’re often responsible for the website and the content management systems, which makes it your job to ensure that the data you collect and how you handle it are done by the book.
This can seem daunting because few marketers feel they have a good overview and control over the “data situation”.
Luckily, there is a good place to start.

Step 1: Get a solid consent management platform in place

Start by getting a Consent Management Platform (CMP) like Cookie Information for your website.
Properly implemented, it will ensure you check all the tracking compliance boxes the ICO requires. This will ensure that you respect each and every user’s consent requirements and block tracking if the users say no.
With a compliant CMP on your site, which you can customise to reflect your brand, you’re also sending a strong signal to your visitors that you respect their right to choose privacy. Equally important, it scans your domain and categorises all your deployed scripts and the cookies they fire, which leads us to step 2.

Step 2: Clean up your website

With a proper CMP, you will get a tool that will give you a complete overview of all the scripts you know you have, suspect you might have and those you had no idea your site was harvesting.
A company or agency might have had different marketing managers throughout the years. If the marketing department lacks processes for how tools or services are vetted before they are deployed, there may be plenty of “things” to discover in the “code”.
A CMP will bring transparency by scanning your domain and presenting the result. All you have to do is review it, decide which services you want to keep and why, and then clean out the scripts and codes you do not wish to keep.
Note that it is always good to consult your Data Protection Officer or a legal counsel familiar with the UK-GDPR and the PECR when doing the cleanup, at least if you have questions regarding the services you wish to keep. Remember that you are responsible for all third-party tools on your site. You need to read their privacy policies to make sure you know how they process your users’ data and to assess whether you can agree to that.

Step 3: Ensure you have a cookie policy in place

Getting a cookie policy in place can be tedious. But if you integrate a CMP, you can also check that box.
A CMP from Cookie Information will generate your cookie policy, which categorises and specifies all cookie-placing scripts in accordance with the ICO’s requirements. Note that the cookie policy is dynamic, meaning the list of cookies will be updated after every regular scan the CMP is set to do.
The cookie policy is accessible from the cookie-banner. And you can easily integrate it into your privacy policy.

Step 4: Educate your marketing department

Make sure that your marketing team understands the basics of the UK GDPR and PECR, with a particular focus on the importance of consent and user rights. For example, but not solely, by making it part of the onboarding material.
Data protection compliance is a dynamic and ever evolving subject, where the tools and big service providers of the web, like Google, are adapting.
Understanding the UK GDPR and the PECR gives context to these changes since thes legal frameworks have cousins worldwide, not the least in the USA, where 17 states now have or are on the verge of adopting privacy regulations.
Keeping tabs on these changes is rewarding not only from a compliance perspective but also from a digital marketing perspective because it helps you transition from a hoarding mindset to a pickiness approach. Moving forward, your marketing endeavours will have much to gain from a quality-focused approach where you learn to leverage first-party and zero-party data.
Also read: The Demise of the Third Party Cookie | All you need to know
Also, keep in mind that you, as a marketer, not only have to take legal frameworks such as the UK GDPR into account. Privacy-enhancing features at major web browsers and the dense use of ad blockers are forcing marketers to rethink their web analytics and remarketing strategies. Add to this growing privacy and surveillance awareness amongst consumers.
Ensuring a compliant and privacy-focused marketing strategy is no longer a requirement; it is a must. And it starts with cleaning up your website.
Curious how your website is doing?
Do a compliance check now