What is the GDPR?
The UK GDPR (referred to as the ‘GDPR’), implemented in the UK by the Data Protection Act 2018 (DPA), provides a legal framework protecting personal data within the UK.
What kind of information does the GDPR apply to?
The GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. Examples of personal data include names, dates of birth, contact details and credit card details.
There is a further category of special category personal data which is awarded greater protection. This type of personal data includes information about someone’s mental or physical health and information about religious beliefs.
For more information, read Data protection.
What kind of behaviour does the GDPR apply to?
The GDPR applies whenever you are processing personal data. You are processing personal data whenever you use it (other than for personal reasons). Examples of processing include gathering, recording and storing. For more information, read Processing personal data.
What kind of behaviour does the GDPR apply to?
The GDPR applies whenever you are processing personal data. You are processing personal whenever you use personal data (other than for personal reasons). Examples of processing include gathering, recording and storing. For more information, read Processing personal data.
I am launching a website, what documents would I need if I collect user data?
The documents you need for your website will depend on the specifics of your situation, including the extent of data you collect from users. However, as a starting point, your website will generally require a Privacy policy and a Cookie policy.
What is a cookie policy and do I need one?
Cookies are text files with small pieces of data that are used to identify your computer, assist the operation of the website, and provide information to the owners of a website.
A cookie policy sets out what type of cookies a website uses, why these cookies are used and what they do. If you use cookies to uniquely identify a device or the person using that device, these are considered personal data under the GDPR. As a result, it is recommended that you have a cookie policy in place to stay GDPR-compliant.
For more information on the different types of cookies, read Different types of internet cookies.
What is a privacy policy and do I need one?
A website privacy policy sets out:
-
why your website is collecting data
-
what type of information your website collects and
-
the scope and limitation of data processing on your website
Essentially, your privacy policy outlines your business’ practices in relation to the collection, storage and use of personal data gathered on your website.
To comply with the GDPR, you need a privacy policy if you collect and process your users’ personal data.
How do I comply with the GDPR for website visitors from the EU?
The UK GDPR and EU GDPR are almost identical. Both GDPRs:
-
require you to safely store and document consent given by users to any data processing
-
require your website to enable users to change their consent just as easily as they gave it
-
gives certain rights to users, chief among them being the right to delete a user’s personal data
However, this means that there are two different GDPRs that you have to deal with - one that applies if you have visitors from inside the EU, the other if you have visitors from inside the UK.
You should Ask a lawyer if you have any questions or concerns about processing the personal data of EU users.
For how long should I store user personal data?
The simple answer is that you should store data for as long as you need it.
Neither the UK GDPR nor the EU GDPR specifies any retention periods for personal data. This way, you can keep data as long as you can justify its usage, which most often relates to the reason you collect it in the first place (to determine your target market, for example).
You should securely destroy or anonymise personal data when you no longer need it.
Does my business need a data protection officer (DPO)?
A DPO is a data protection expert who is appointed to assist with an organisation’s data protection compliance. They usually do this by, for example, monitoring data processing activities and providing data protection advice and training.
Not all organisations need to have a DPO. However, even if you don’t have to have a DPO you can appoint one voluntarily to help you comply with the GDPR. For more information, read Data protection officers (DPOs).
Can I transfer data outside of the UK?
Transferring personal data to recipients outside of the UK (known as ‘third countries’) is prohibited unless certain safeguards exist. Examples of such safeguards include:
-
‘adequate' third countries - data can be transferred internationally without the need for any further safeguards if the UK has decided that the country the recipient is located in has an adequate level of data protection (eg all European Economic Area countries are currently considered adequate)
-
the adoption of standard contractual clauses - data can be transferred internationally on the basis of standard data protection clauses approved by the UK
For more information, read International transfers of personal data.
How does the Data (Use and Access) Act affect GDPR?
The Data (Use and Access) Act 2025 (DUAA) came into law in June 2025 and has made some slight amendments to UK GDPR. Previously, individuals could not be subject to decisions based on automated processing which had legal (or similar) consequences.
Under DUAA, automated decision making using non-sensitive personal data can be used in much wider circumstances so long as the organisation has reasonable safeguards in place. Examples of safeguards that organisations may implement include:
-
notifying the subjects of significant automated decisions and providing them information about those decisions
-
allowing the subjects of significant automated decisions the opportunity to challenge the decision, and
-
giving the subjects of those decisions the opportunity to seek human intervention regarding those decisions
For more information, read the Information Commissioner's Office’s guidance.
