Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you handle customer data in the UK, you’ve probably asked: which law actually “transposes” the EU GDPR into UK law? It’s a fair question - especially if you’re trying to figure out what rules your business must follow post‑Brexit.
The short answer is that the EU GDPR was implemented into UK law by the Data Protection Act 2018. After Brexit, the GDPR was then retained and adapted as the “UK GDPR” under the EU Exit Regulations. Today, the UK GDPR works alongside the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR).
In this guide, we’ll explain what those laws do, how they apply to small businesses, and the practical steps you should take to stay compliant from day one.
What Does “Transposes The GDPR” Actually Mean?
“Transposition” simply means taking an EU law and implementing it into a country’s domestic legal system, so it has effect at home. Before Brexit, the EU’s General Data Protection Regulation (GDPR) applied directly in the UK, and the UK Parliament passed the Data Protection Act 2018 to sit alongside it. The DPA 2018 filled in national-level details the GDPR left to individual countries (like exemptions and how regulators operate).
When the UK left the EU, we needed our own copy of the GDPR so the rules didn’t fall away. The government did this through the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Those regulations “retained” the GDPR in UK law and tailored it - that’s what we now call the UK GDPR.
So in practice:
- Pre‑Brexit: GDPR (EU law) applied directly, supported by the DPA 2018.
- Post‑Brexit: UK GDPR (a UK version of the GDPR) applies, together with the DPA 2018.
On top of that, PECR (the Privacy and Electronic Communications Regulations 2003) continues to govern things like marketing by email/SMS and the use of cookies and similar technologies on your website and apps.
Which UK Laws Apply To Small Businesses Now?
As a UK business owner, you need to be aware of three main pillars:
1) UK GDPR
The UK GDPR is the core framework. It sets out the key data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability). It also spells out individuals’ rights - like the right of access, rectification, erasure, and objection - and your obligations when you collect, store, or use personal data.
2) Data Protection Act 2018 (DPA 2018)
The DPA 2018 complements the UK GDPR. It provides rules for specific types of data (e.g. criminal convictions data), includes important exemptions (such as for journalism or research in limited scenarios), and sets the framework for the Information Commissioner’s Office (ICO) - the UK data protection regulator.
3) PECR (Privacy and Electronic Communications Regulations)
PECR works alongside the UK GDPR and focuses on electronic marketing and privacy in communications. If you’re sending email or SMS marketing, placing cookies or other tracking technologies, or running telemarketing campaigns, PECR will affect what you can do and how you must obtain consent.
Together, these laws form the backbone of UK privacy compliance for businesses of all sizes.
What Does This Mean For Your Small Business In Practice?
Understanding the framework is one thing - but what do you actually need to do? Here’s how the UK GDPR, DPA 2018 and PECR translate into day‑to‑day obligations.
Identify Your Lawful Basis
Every time you process personal data (that’s any information that can identify an individual), you must have a lawful basis. Common ones for small businesses include consent, contract (necessary to perform a contract with the individual), legitimate interests (balanced against the person’s rights), and legal obligation.
Be Transparent
You need to explain clearly what you collect and why, who you share it with, how long you keep it, and what rights people have. This should be set out in a user‑friendly, up‑to‑date Privacy Policy that is easy to find on your website or app.
Collect Only What You Need
Data minimisation is a core principle. If you’re not going to use a field, don’t collect it. This reduces risk and makes compliance much easier.
Respect People’s Rights
You must handle requests from individuals (often called “data subject requests”), such as access, correction or deletion, within strict timeframes. Having a workflow and templates in place is essential so you can meet subject access request deadlines without scrambling.
Secure The Data You Hold
Security is not optional. You need appropriate technical and organisational measures to protect personal data - think access controls, encryption, secure disposal, staff training and vendor due diligence. You should also plan how you’ll respond if something goes wrong by preparing a Data Breach Response Plan.
Be Careful With Marketing
Under PECR, most email/SMS marketing to individuals requires consent or an applicable “soft opt‑in”. You also need to provide a clear unsubscribe in every message. For website tracking, your cookie banner and consent tools must be set up properly. If you’re not sure, review your approach against a compliant Cookie Policy and practical guidance on cookie banners that comply with PECR.
Which Law Transposes The GDPR Into UK Law - And Why It Matters
To answer the headline question plainly: the EU GDPR was implemented domestically via the Data Protection Act 2018 and, after Brexit, retained and adapted through the EU Exit Regulations as the UK GDPR. That combination keeps the GDPR’s structure and principles alive in UK law today. For your business, that means:
- The standards you may know from the EU GDPR still apply in the UK, with UK‑specific tweaks.
- Fines remain significant - up to £17.5m or 4% of global turnover (whichever is higher) for the most serious infringements.
- The ICO is your regulator, and you may need to pay an ICO fee (many small businesses do). Some organisations qualify for ICO fee exemptions, but don’t assume - check carefully.
You might also hear about plans to reform UK data law. The government has consulted on changes to “reduce burdens” while maintaining high standards. If and when reforms land, the fundamentals (transparency, security, rights, and accountability) will still matter - and most small business best practices won’t change.
What Legal Documents Should You Have In Place?
Getting your documents right is one of the easiest ways to build strong compliance foundations. As a baseline, most small businesses should consider:
Privacy Policy
This is your frontline transparency notice. It explains what you collect, why, your lawful bases, who you share data with (including any overseas transfers), retention periods, and the rights individuals have. A clear, tailored Privacy Policy builds trust and sets the right expectations.
Data Processing Agreement (DPA)
If you engage a supplier who processes personal data for you (for example a cloud CRM, marketing platform or payroll provider), the UK GDPR requires a written contract containing specific clauses. Put proper terms in place with a Data Processing Agreement so each party knows their responsibilities.
Data Breach Response Plan
Time is critical when incidents happen. A well‑designed Data Breach Response Plan sets out who does what, when to involve the ICO, and how to notify affected individuals if required.
Cookie Policy And Consent Tools
Your website or app should have an accurate Cookie Policy and consent mechanism that meets PECR rules. Avoid “implied consent” banners - users must be able to accept or reject non‑essential cookies easily.
Internal Policies And Training
Staff are your first line of defence. Clear internal playbooks (for example, access controls, BYOD, acceptable use, and incident handling) and regular training help prevent human error. Packaging these core items together can be efficient - many businesses opt for a Data Protection Pack to cover the essentials.
Key Compliance Tasks You Should Prioritise
Let’s turn this into a practical checklist you can act on straight away.
1) Map Your Data
List what personal data you collect (customers, staff, suppliers), where it comes from, where it’s stored, who can access it, and who you share it with. This “data map” is the backbone for everything else - from your Privacy Policy to security controls.
2) Choose A Lawful Basis For Each Use
For each processing activity, decide whether you rely on consent, contract, legitimate interests, legal obligation, vital interests, or public task. Document your reasoning. If you rely on legitimate interests, carry out the balancing test.
3) Update Your Transparency Notices
Make sure your Privacy Policy and any just‑in‑time notices (like sign‑up forms) are accurate, easy to read and actually reflect what happens in your systems.
4) Set Up Vendor Contracts
Review key suppliers that process personal data and put a compliant Data Processing Agreement in place. Don’t forget to consider international transfers - if personal data leaves the UK, you may need the UK IDTA or appropriate transfer safeguards.
5) Get Marketing And Cookies Right
Audit your email/SMS marketing lists for consent or soft opt‑in, and ensure every message contains a working unsubscribe. Check your website’s cookie banner and settings against PECR and UK GDPR. If unsure, align with a solid Cookie Policy and the practical steps in cookie banner guidance.
6) Prepare For Data Rights Requests
Create a simple procedure for handling SARs, corrections and deletions, assign responsibility, and use standard wording to acknowledge and respond within the statutory timeframe. Practical guidance on responding to subject access requests is a good starting point.
7) Strengthen Security And Incident Readiness
Implement access controls, multi‑factor authentication, encryption at rest and in transit where possible, and vendor risk assessments. Practice your incident drill using your Data Breach Response Plan.
8) Check Your Tools For Compliance
Cloud storage and collaboration tools are great for small businesses - just make sure they’re configured properly and meet your obligations. If you use common platforms, verify how they handle data and transfers; for example, whether your use of Google Drive is GDPR compliant depends on your settings and use case.
9) Budget For The ICO Fee
Most businesses need to register and pay a small fee to the ICO unless exempt. Double‑check whether you fit within available ICO fee exemptions, and if not, register promptly to avoid penalties.
Common FAQs From UK SMEs
Is The UK GDPR Different From The EU GDPR?
They’re very similar - the UK GDPR is essentially the EU GDPR adapted for the UK legal context. The biggest day‑to‑day differences for SMEs usually involve international transfers and which regulator you deal with.
Do I Need Consent For All Marketing?
No. Under PECR, consent is usually required for email/SMS marketing to individuals unless the “soft opt‑in” applies (existing customer, similar goods/services, and a clear opt‑out at collection and in every message). You still need a lawful basis under the UK GDPR.
What Counts As Personal Data?
Anything that can identify a living person - directly or indirectly. Names, emails, phone numbers, delivery addresses, IP addresses, cookie IDs, device IDs, and even some pseudonymous identifiers can be personal data depending on context.
Do I Need A Data Protection Officer (DPO)?
Only in specific scenarios (e.g. large‑scale systematic monitoring or large‑scale processing of special category data). Many SMEs don’t need a formal DPO, but you should still nominate someone to own data protection internally.
What If I Use AI Tools?
If you paste customer data into generative AI or other external tools, you’re still responsible for privacy compliance. Set usage rules and check vendor terms carefully. Guidance on ChatGPT and GDPR privacy steps is helpful when assessing AI tools in your workflow.
Key Takeaways
- The EU GDPR was implemented into UK law through the Data Protection Act 2018 and, post‑Brexit, retained and adapted as the UK GDPR via the EU Exit Regulations.
- Today, the UK GDPR, DPA 2018 and PECR form the core privacy framework for UK small businesses.
- Focus on practical compliance: map your data, set lawful bases, publish a clear Privacy Policy, secure your systems, and prepare to handle data rights requests on time.
- Put the right contracts and tools in place: a Data Processing Agreement with processors, a robust Data Breach Response Plan, and a compliant Cookie Policy with proper consent controls.
- Marketing and cookies are governed by PECR - get consent right, enable easy opt‑outs, and make sure your cookie banner isn’t silently dropping non‑essential cookies.
- Plan for reality: train your team, document your decisions, and keep policies updated as your business grows. If you’re unsure, get tailored advice before problems arise.
If you’d like help getting your privacy compliance sorted - from drafting documents to clarifying your obligations - you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligation chat.