Data protection and privacy: safeguarding trust in the digital age

Posted: 11/12/2024


UK data protection law

In the UK, the collection and use of personal data is governed by an adapted version of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The UK GDPR broadly mirrors the EU GDPR, but has been amended to allow it to operate effectively post-Brexit.

The legislation sets out seven principles that govern the processing of personal data (ie data relating to an identifiable living person):

  • personal data shall be processed lawfully, fairly and transparently;
  • personal data shall be obtained only for a specified and lawful purpose, and shall not be further processed in a manner that is incompatible with the original purpose;
  • personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is being processed;
  • personal data shall be accurate and, where necessary, kept up to date;
  • personal data processed for any purpose shall not be kept for longer than is necessary for that particular purpose;
  • appropriate security measures shall be in place to protect the personal data against unauthorised or unlawful processing and against accidental loss or destruction;
  • organisations must have appropriate measures and records in place as proof of compliance with these data protection principles.

Early-stage companies need to inform individuals about the processing of their personal data and should include a privacy policy on their website that covers:

  • what personal data will be processed;
  • how it will be processed and for what purpose;
  • how long the personal data will be retained;
  • what rights users of the website have in relation to their data; and
  • the contact information of the service provider (and its data protection officer, if it has one).

This list is illustrative and not exhaustive - a useful resource in this area is provided by the ICO.

Information must be provided in a clear, concise and easily accessible form (also taking into account the types of users of the website). If the website is aimed at children, the privacy policy’s language should reflect this. The ICO has provided guidance indicating that layering is deemed a clear and accessible format. Also, privacy policies must be easy to find and not require the user to scroll to the bottom of the page.

The GDPR requires that personal data is held securely by means of ‘appropriate technical and organisational measures’. In addition, the NIS Regulations 2018 place a number of security-related obligations on operators of essential services and certain relevant digital service providers such as online search engines, online marketplaces and cloud computing services. Both the GDPR and the NIS Regulations require security breaches to be notified in some instances and impose potentially substantial fines for breaches of the relevant obligations. Security breaches can also have a significant impact on a business’s reputation as well as customer and investor confidence. Consequently, security should be a key focus area for all e-commerce businesses.

Organisations that regularly monitor personal data on a large scale (or whose core activities consist of large-scale processing of ‘special’ categories of data and/or personal data relating to criminal convictions) must appoint a data protection officer (DPO).

There are enhanced obligations under UK GDPR for certain ‘special’ categories of personal data. Special category data encompasses data relating to an individual’s race or ethnicity, politics or religion or philosophical beliefs, trade union membership, genetic or biometric data, health data, and data relating to sex life or sexual orientation.

A privacy impact assessment (PIA) should be carried out for processing that is likely to result in a high risk to individuals. 

Under the UK GDPR personal data must not be transferred to a country or territory outside the UK unless an adequate level of protection for the rights and freedoms of the data subject is in place in relation to the processing of that personal data. The UK has recognised EU/EEA member states, as well as other jurisdictions such as Canada and Japan (for commercial or private sector organisations only) as providing an adequate level of protection, so data transfers from the UK to the EU/EEA can flow without the need to meet international data transfer requirements. Organisations that transfer data outside the EU/EEA, to countries not deemed to provide an adequate level of data protection, will need to put in place a valid data transfer mechanism (such as standard contractual clauses).

The Information Commissioner’s Office (ICO - the UK supervisory authority) has released UK standard contractual clauses, known as the ‘International Data Transfer Agreement’ (IDTA) for transfers of personal data from the UK. For organisations that are subject to both the EU and UK GDPR, the ICO also released an addendum to be used for UK data transfers alongside the EU standard contractual clauses, instead of the IDTA. The UK government has also established a UK/US ‘data bridge’, which is an extension of the EU-US Data Privacy Framework. The data bridge entered into force on 12 October 2023, allowing personal data to flow from the UK to US organisations that have certified under the UK extension to the framework. An organisation intending to transfer personal data outside the EU/EEA should consider whether it is necessary to carry out a transfer impact assessment.

The UK GDPR applies to organisations with no business presence in the UK that offer goods or services to individuals located in the UK or that monitor UK residents’ behaviour. Such organisations will need to appoint a representative within the UK to deal with any queries relating to data breach or subject access requests.

The UK GDPR places a duty on all organisations to report certain personal data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach. If the data breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the organisation must also notify those individuals without undue delay.

The maximum level of fine in the UK for a serious data breach is up to 4% of annual worldwide turnover or £17.5 million, whichever is the higher. The ICO has issued a guide to the UK GDPR, which explains in detail the general data protection regime that applies to UK organisations.

EU GDPR

The EU GDPR, like the UK GDPR, has extraterritorial effect. This means that it continues to apply to UK organisations that offer goods or services to individuals located in the EU or that monitor EU residents’ behaviour. Such organisations will need to comply with both the UK GDPR and the EU GDPR. UK organisations that do not have a business presence in the EU will need to appoint a representative there to deal with any queries relating to data breach or subject access requests.

The EU has recognised the UK as providing an adequate level of protection for data transfers from the EU to the UK (except for transfers for the purposes of UK immigration control) under the EU GDPR. This decision is expected to last until 27 June 2025 and means that, except for data transferred for the purposes of immigration control, personal data can continue to flow freely from the EU/EEA to the UK post-Brexit.

In June 2021, the EU Commission published EU standard contractual clauses for international data transfers from the EU/EEA. Organisations that transfer personal data from the EU/EEA should ensure that they are using the correct version of EU standard contractual clauses, as previous versions will not provide the required safeguards.

PECR

In addition to the UK GDPR obligations, UK organisations that send telephone and electronic marketing communications, use cookies on their websites or provide electronic communication services to the public must comply with the Privacy and Electronic Communications Regulations (PECR). The ICO has the power under PECR to impose monetary penalties of up to £500,000. 

PECR prohibits the making of marketing calls to consumers who have opted out of receiving such communications. It also prohibits the sending of electronic marketing communications to consumers unless they have consented (the UK GDPR standard of consent applies under PECR), or have previously bought or sought to negotiate with the trader for similar goods/services. This is a complex area and specific advice should be sought for any proposed electronic marketing campaign, to ensure it complies with the law. 

PECR requires that those using cookies on their websites provide details of the cookies used and do not set cookies (other than ‘strictly necessary’ cookies) until consent has been obtained. The ICO has issued guidance which sets out in detail the steps organisations need to take to ensure their use of cookies complies with PECR.

This article is an edited summary from Penningtons Manches Cooper’s guide on ‘Navigating the journey of growth: key legal considerations for scaling up’. For a copy of our guide, please click the banner below or get in touch with your usual contact.

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.