Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you handle customer data, you’ve probably heard “GDPR” a thousand times. But when did GDPR actually become law in the UK, and what does that mean for your small business today?
In short: GDPR has applied to UK businesses since May 2018, and after Brexit, a UK version continues to apply alongside the Data Protection Act 2018. You still have to comply - the names and technicalities may have shifted slightly, but the core duties remain.
In this guide, we’ll break down the key dates, the laws that apply now, what changed post‑Brexit, and the practical steps to keep your business compliant (without the jargon).
Quick Answer: When Did GDPR Become Law In The UK?
Here are the milestones that matter for UK businesses:
- 25 May 2018 - The EU General Data Protection Regulation (GDPR) began to apply across the EU, including the UK. On the same day, the UK’s Data Protection Act 2018 took effect, sitting alongside GDPR to fill in UK‑specific details.
- 31 December 2020 (11pm UK time) - The Brexit transition period ended. EU law stopped applying directly in the UK.
- 1 January 2021 - “UK GDPR” took effect. This is the EU GDPR as it stood on Brexit day, adapted for the UK via legislation, and it now operates together with the Data Protection Act 2018.
So, GDPR became law here in 2018 and still applies today in the form of UK GDPR. If you process personal data in the UK, you must comply.
What Laws Apply To UK Businesses Now?
Three core regimes matter for most small businesses:
- UK GDPR - the main framework for how you collect, use, store and share personal data. It sets out principles like lawfulness, transparency, minimisation and security, plus rights for individuals (access, erasure, etc.).
- Data Protection Act 2018 - sits alongside UK GDPR and covers areas like law enforcement processing and exemptions. Together, they form the backbone of UK data protection law.
- Privacy and Electronic Communications Regulations 2003 (PECR) - covers electronic marketing (email, SMS, calls), website cookies and similar technologies. This is where rules around consent for marketing and cookies live.
Depending on your operations, sector‑specific rules may also apply (for example, in health or financial services). But for most SMEs, your day‑to‑day obligations will stem from these three regimes.
If you use phone calls as part of your sales or support processes, make sure your handling of recordings and call data aligns with UK GDPR - our guide to GDPR and business calls explains the risk areas in plain English.
What Changed For Businesses After Brexit?
On the ground, your compliance checklist looks very similar, but a few practical points changed:
UK GDPR vs EU GDPR
UK GDPR is essentially the EU GDPR tailored for the UK. The principles, lawful bases, rights and duties remain familiar. If you were compliant before Brexit, the steps you took should largely still hold - but you should review them to ensure they reference UK GDPR and the ICO (the UK regulator) where appropriate.
Transfers Of Personal Data
If you transfer data from the UK to other countries, you need a lawful transfer mechanism. Transfers from the UK to the EU are currently permitted under UK adequacy decisions. But if you send data elsewhere (e.g. the US or other third countries), you’ll generally need appropriate safeguards such as standard contractual clauses adapted for UK transfers.
EU Operations Or Marketing
If you offer goods or services to people in the EU or monitor their behaviour, EU GDPR may apply to those activities. In that case, you may need an EU representative and EU‑compliant transfer tools in addition to your UK obligations. Many UK businesses operate in both spheres, so keep both regimes in mind.
Documentation And Notices
It’s worth updating templates and notices to reflect UK GDPR terminology, the ICO’s oversight, and your current transfer mechanisms. If you have suppliers processing personal data on your behalf, make sure each has a robust Data Processing Agreement that reflects UK GDPR and meets the mandatory clause requirements.
What Does UK GDPR Mean In Practice For Your Business?
UK GDPR is principles‑based - it tells you what you need to achieve, not exactly how to do it. Here’s what that looks like day‑to‑day for SMEs:
Lawful Basis And Transparency
- Identify a lawful basis for each processing activity (e.g. consent, contract, legitimate interests).
- Explain what you do in a clear and accessible Privacy Policy on your website and at relevant touchpoints.
Data Minimisation And Retention
- Only collect what you need and keep it no longer than necessary.
- Document retention periods and deletion processes. If you’re unsure how long to keep different categories of data, this guide to GDPR data retention periods will help you set sensible schedules.
Security And Breach Readiness
- Implement technical and organisational measures proportionate to your risks (e.g. encryption, access controls, staff training).
- Have an incident plan so you can deal with issues fast. A practical starting point is a Data Breach Response Plan, which sets roles, timelines and notification steps.
Individual Rights
- Be ready to handle data subject requests (access, deletion, correction, objection). Build a simple internal playbook, including identity checks and deadlines.
- When requests come in, it’s important to follow a consistent process - our plain‑English guide to responding to subject access requests walks through the steps and common pitfalls.
Marketing And Cookies
- Make sure your email and SMS marketing complies with PECR (consent rules, soft opt‑in, clear unsubscribe).
- For cookies and tracking tech, present clear choices and only drop non‑essential cookies with consent. A compliant Cookie Policy and user‑friendly controls are must‑haves.
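To make the cookie rule concrete, here is an added JavaScript example (written for this page; it is not Sprintlaw's code or any library's API). It models a consent-gated cookie catalogue: every non-essential category defaults to "not given" (no pre-ticked boxes), only essential cookies are stored before the user opts in, and withdrawing consent deletes the cookies that relied on it. The cookie names, categories and the in-memory CookieJar standing in for the browser's cookie store are all constructed for the example.

```javascript
// Added example: consent-gated cookies. Each cookie is tagged with a category;
// "essential" cookies may always be set, everything else needs an explicit opt-in.

// Constructed sample catalogue (names and purposes are illustrative).
const COOKIE_CATALOGUE = [
  { name: "session_id", category: "essential", purpose: "keeps the user logged in" },
  { name: "csrf_token", category: "essential", purpose: "protects forms against forgery" },
  { name: "_analytics", category: "analytics", purpose: "usage statistics" },
  { name: "_ads_id", category: "marketing", purpose: "ad personalisation" },
];

// The categories a visitor can accept or refuse.
const NON_ESSENTIAL = ["analytics", "marketing"];

// Default consent record: nothing non-essential is pre-ticked.
function defaultConsent() {
  const consent = {};
  for (const category of NON_ESSENTIAL) consent[category] = false;
  return consent;
}

// Decide whether a single cookie may be stored under the current consent record.
function mayStore(cookie, consent) {
  if (cookie.category === "essential") return true;
  return consent[cookie.category] === true; // anything but an explicit true is "no"
}

// Minimal in-memory stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()].sort(); }
}

// Apply a consent record to the jar: set what is allowed, delete what is not.
// Returns the sorted list of cookies present afterwards.
function applyConsent(jar, consent, catalogue = COOKIE_CATALOGUE) {
  for (const cookie of catalogue) {
    if (mayStore(cookie, consent)) {
      if (!jar.has(cookie.name)) jar.set(cookie.name, "sample-value");
    } else {
      jar.delete(cookie.name); // withdrawal removes cookies that consent had allowed
    }
  }
  return jar.names();
}

// Record a visitor's choice for one category; unknown categories are rejected
// so a typo cannot silently grant anything.
function updateConsent(consent, category, granted) {
  if (!NON_ESSENTIAL.includes(category)) {
    throw new Error(`unknown consent category: ${category}`);
  }
  return { ...consent, [category]: granted === true };
}

// Walk-through: first visit, opt in to analytics, then withdraw again.
const jar = new CookieJar();
let consent = defaultConsent();
console.log("before opt-in:", applyConsent(jar, consent));
consent = updateConsent(consent, "analytics", true);
console.log("after opt-in :", applyConsent(jar, consent));
consent = updateConsent(consent, "analytics", false);
console.log("after opt-out:", applyConsent(jar, consent));
```

In a real site the consent record would be persisted (itself as an essential cookie or in local storage) with a timestamp and the version of the cookie policy shown, so you can evidence what the visitor agreed to; the gating logic stays the same.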
If you use AI tools in your workflow, remember they can involve personal data. Our overview of GDPR steps for UK companies using AI tools explains how to approach risk assessments, data sharing and transparency in a pragmatic way.
Are There Any New UK Data Reforms You Should Watch?
Yes - the government has pursued reforms intended to streamline compliance while retaining high standards. Recent legislation has received Royal Assent and is being commenced in phases. The core takeaway for small businesses is that your foundational GDPR duties remain in place: you still need a lawful basis, transparency, security measures, and a plan for rights requests and breaches.
Reforms are expected to adjust some record‑keeping thresholds and clarify legitimate interests in certain contexts, but they don’t remove the fundamentals. If and when new rules impacting SMEs commence, you’ll likely focus on tightening your documentation and updating policies - not tearing up your entire compliance framework.
As always, keep an eye on official ICO guidance. In the meantime, making sure your current processes are solid is the best preparation for future tweaks.
A Practical Compliance Checklist For Small Businesses
If you’re looking for a straightforward action list, start here. Tackle these steps and you’ll cover the main UK GDPR and PECR bases:
1) Map Your Data
- List what personal data you collect, where it comes from, why you use it, where it’s stored, who you share it with, and when you delete it.
- Flag higher‑risk activities (e.g. special category data, children’s data, large‑scale profiling) for extra controls or a DPIA.
2) Confirm Your Lawful Bases
- Assign a lawful basis to each processing activity and document your reasoning.
- Don’t rely on consent if you can legally use another basis (consent must be freely given, specific, informed and easy to withdraw).
3) Update Your Notices And Policies
- Publish a clear Privacy Policy that explains your purposes, lawful bases, retention, third‑party sharing, and rights.
- Ensure your Cookie Policy and banner provide meaningful choices for non‑essential cookies.
4) Put The Right Contracts In Place
- Where vendors process personal data for you (cloud, payroll, marketing platforms), sign a compliant Data Processing Agreement with each one.
- Check international data transfer terms and add UK‑specific transfer clauses if needed.
5) Build Secure‑By‑Default Processes
- Adopt reasonable security measures based on your risk profile (MFA, encryption, access controls, secure disposal).
- Train your team - many incidents stem from human error. Short refreshers make a big difference.
- Prepare a documented Data Breach Response Plan so you can act quickly and meet reporting timelines.
6) Set Up Governance And Housekeeping
- Create a rights request playbook, with timelines and responsibilities. Our guide to handling SARs is a useful template for internal procedures.
- Define realistic retention periods - this overview of how long to keep personal data can help you decide what to keep versus delete.
- Check whether you must pay the ICO data protection fee or qualify for an exemption; the basics are covered in our piece on ICO fee exemptions.
7) Marketing And Communications
- Review your email and SMS lists for valid consent or soft opt‑in where appropriate. Provide simple opt‑outs in every message.
- Run a quick audit of your cookie consent banner and controls against PECR - fix dark patterns and avoid pre‑ticked boxes.
8) If In Doubt, Don’t Share Without A Lawful Basis
- There are limited scenarios where you can share data without consent (e.g. legal obligations, vital interests), but you must have a valid basis and document your reasoning. This overview of sharing personal information without consent sets out the typical lawful routes.
Finally, keep everything proportionate. The law expects you to take “appropriate” measures. For a growing SME, that means sensible documentation and practical controls - not enterprise‑grade bureaucracy.
Key Takeaways
- GDPR became law in the UK on 25 May 2018. Since 1 January 2021, UK GDPR applies alongside the Data Protection Act 2018 - and you still need to comply.
- Core duties haven’t changed: identify lawful bases, be transparent, minimise data, secure it properly, respect individual rights, and follow PECR for marketing and cookies.
- Post‑Brexit, watch international data transfers and terminology (UK GDPR, ICO, UK transfer mechanisms). If you target EU customers, EU GDPR may also apply.
- Upcoming UK reforms are being rolled out in phases, but the fundamentals remain. Solid policies, vendor contracts and practical security are the best preparation.
- Put foundations in place: a clear Privacy Policy, compliant Data Processing Agreements, a workable Cookie Policy, a documented Data Breach Response Plan, SAR processes, and sensible retention rules.
- If you use phone calls, AI tools or international vendors, treat them as specific risk areas and update your documentation accordingly.
If you’d like tailored help getting your GDPR foundations right - from policies and contracts to marketing compliance - you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.