
What is
A Comprehensive Guide

The United Kingdom introduced its first law protecting electronically processed personal data, the Data Protection Act 1984, 40 years ago – one of the first countries in Europe to do so.  The intervening years have witnessed an exponential growth in computer-held and shared personally identifiable information, to the extent that processing personal data is today one of the world’s biggest businesses, worth over $1 trillion per year to the global economy according to some estimates.  Protecting the vast amounts of personal information processed by all kinds of organisations – public bodies as well as private sector businesses – has also grown proportionately in importance over this time.  By data protection we do not just mean preserving the security or confidentiality of personal data (although that is an important part of it), but also upholding the principles and requirements of data protection legislation and maintaining the set of rights which all data subjects are afforded by it.

What is the UK GDPR?

The UK General Data Protection Regulation (GDPR), together with the Data Protection Act 2018 (DPA 2018), is the United Kingdom’s main data protection law.  The UK GDPR is the UK’s own post-Brexit version of the EU GDPR and was created by the DPA 2018.  It governs the processing of personal data of people who are in the UK, either by organisations with an establishment here, or where the processing activities relate to offering goods and services to data subjects in the UK, or monitoring of their behaviour within the UK.

The Data Protection Act 2018, the EU GDPR and the UK GDPR – What are the Differences?

The DPA 2018 was introduced to apply the EU GDPR (which dates from 2016 but came into effect in 2018) in the UK, including derogations (national variations) to the EU GDPR which the Regulation allowed domestic lawmakers in individual Member States to make.  It has Parts regulating law enforcement and intelligence services, for example, which were not covered in the EU GDPR.  The UK GDPR is the EU GDPR adjusted for Brexit – e.g., changing terms such as ‘Member State law’ to ‘domestic law’ and ‘supervisory authority’ to ‘the Commissioner’, and references to the European Commission to ‘the Secretary of State’ – but essentially it is identical to the EU GDPR at the moment (i.e., unless it is amended by the UK Parliament).  The EU GDPR continues to regulate British organisations’ processing of the data of people who are in the EU.

UK GDPR – Key Features

The UK GDPR contains 6 principles which every person or organisation processing the personal data of people who are in the UK must comply with.

Lawfulness, fairness, and transparency

To lawfully gather data subjects’ information, your organisation needs to justify the processing under one of the 6 lawful bases for processing data which are set out in the GDPR.


Purpose limitation

All processing you perform should be for a specific and explicit purpose, and data shouldn’t be further processed for a purpose incompatible with the original one.


Data minimisation

You should only collect the minimum amount of data necessary for the purposes of the processing.


Accuracy

It is your responsibility to ensure that the information you hold on an individual is accurate and, where applicable, up to date.


Storage limitation

Store personal data only for as long as is necessary to achieve the purposes for which it is being processed.

Integrity and Confidentiality

Information must be processed securely, using appropriate technical and organisational measures.

UK GDPR – 6 lawful bases

The Regulation also sets out 6 lawful bases, or legal grounds, for processing of personal data.  All processing must have at least one of these lawful bases.


Consent

The individual has given clear consent for you to process their personal data for a specific purpose.


Contract

The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal Obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

Vital Interests

The processing is necessary to protect someone’s life.

Public Task

The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate Interests

The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

If your organisation processes sensitive personal data such as health information or details of an individual’s race, religion or sexual orientation – known as ‘special category personal data’ in the UK GDPR – then it must also meet an additional condition from a list of 10 specified in Article 9 of the Regulation.

Art. 9.2 conditions

The data subject has given their explicit consent to the processing.

Processing is necessary for carrying out obligations or exercising rights of the controller or data subject in the field of employment and social security and social protection law.

Processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is incapable of giving consent.

Processing is carried out by a foundation, association or other not-for profit body with a political, philosophical, religious or trade union aim.

Processing relates to data which are manifestly made public by the data subject.

Processing is necessary for the establishment, exercise or defence of legal claims.

Processing is necessary for reasons of substantial public interest.

Processing is necessary for the purposes of preventive or occupational medicine.

Processing is necessary for reasons of public interest in the area of public health.

Processing is necessary for archiving purposes.

The UK GDPR also grants all data subjects (living individuals) 8 data subject rights, including: the right of subject access; the right to erasure (sometimes called the ‘right to be forgotten’); the right to rectification of incorrect or inaccurate data; the right to object to certain types of processing; the right to data portability; and the right not to be subject to automated decision-making.

The Benefits of Complying with the UK GDPR

The main reasons to comply with the UK GDPR are:

  • It is the law, and the UK’s data protection authority or regulator, the Information Commissioner’s Office (ICO), has wide powers of enforcement, including the ability to issue orders or public reprimands and to impose administrative fines of up to £17 million or 4% of annual global turnover on organisations which it finds to be in contravention of the Regulation.
  • Breaches of the Regulation, such as data security breaches, can also cause significant reputational damage to the organisation which is in breach.
  • Individual data subjects, or groups of them, can bring court actions for material (i.e., financial) and/or non-material (e.g., distress) damages which they suffer as a result of infringements of the UK GDPR, which can add up to very substantial claims against the non-compliant organisation.
  • Compliance with the Regulation’s principles and other provisions, such as the requirement for controllers to put in place appropriate technical and organisational measures (TOMs) to demonstrate compliance, and to practise ‘data protection by design and by default’, can deliver administrative efficiency savings – e.g., applying data minimisation reduces data storage costs and makes it easier for you to respond to data subject rights requests such as requests for access to data (data subject access requests or ‘DSARs’).

Contact the UK GDPR Experts Today

With a 19-year track record of assisting organisations to comply with data protection legislation, we at URM are the ideal experts and partners to help you achieve and maintain compliance.  Leveraging our fully flexible and tailored approach, our highly qualified and experienced data protection and GDPR consultants will help ensure your organisation is fully compliant with the relevant regulations and legislation, regardless of where you currently are in your compliance journey.  

Contact our data protection experts today to find out more.


Certification Under the UK GDPR

There is currently no single approved certification scheme for the whole of the UK GDPR.  There are 5 existing certifications approved by the UK regulator available for certain sectors and activities, namely: legal services and training and qualifications services providers; secure re-use and disposal of IT assets; age assurance; and children’s online privacy.  There is, however, an approved certification or ‘seal’ under the EU GDPR called Europrivacy, which may be of interest to UK organisations that process the data of people who are in the EU, and are therefore covered by the EU GDPR.

Initial Steps Towards Becoming UK GDPR Compliant

  • Compile and maintain a comprehensive specification of all your organisation’s processing activities – a record of processing activities or ‘ROPA’ – this is a statutory requirement for the vast majority of organisations.
  • Use your ROPA to identify any high-risk processing which requires a data protection impact assessment (DPIA) – a risk assessment document which focuses on personal data risk – to be carried out.
  • Ensure that all processes disclosed on the ROPA are communicated effectively to the data subjects by way of privacy notices accessible at the point of data collection.
  • Embed data protection by design and by default within your organisation’s everyday practices and procedures, such as supplier due diligence, new project initiation and team meetings.
  • Establish your data holding mechanisms in such a way to make it easy for individuals to exercise their data subject rights – e.g., practise data minimisation so you can be sure to turn around DSARs within the one-month statutory timeframe.
  • Institute and implement a personal data retention policy, so you know exactly how long different categories of data can be stored for and who within your organisation has the responsibility to delete data after its retention period has expired.

UK GDPR Consultancy

URM’s GDPR consultants can assist you with conducting UK GDPR gap analyses, ROPAs, and DPIAs, and preparing privacy notices.  Additionally, once these documents have been completed, our experts can support your organisation’s ongoing privacy compliance programme by keeping them up to date to reflect any changes to your processing as your business evolves.  URM also offers a DSAR disclosure service to help your organisation respond to subject access requests.  URM is fully equipped to accompany you on all stages of your organisation’s UK GDPR journey.

UK GDPR Gap Analysis

A gap analysis is an exercise carried out on site at your organisation, or remotely, to gather information direct from the process owners on your processing of personal data, to ascertain your organisation’s general level of compliance with the UK GDPR, and to identify any compliance shortfalls and prioritise these for remediation.  A gap analysis typically takes between 3 and 5 days on site, depending on the extent and complexity of the organisation’s processing, with a further couple of days to produce a comprehensive report and remediation schedule.  Instructing a gap analysis is often an organisation’s first step towards building its ROPA.

UK GDPR ROPAs, DPIAs and Privacy Notices

If you have already undertaken a gap analysis, or if your processing is more straightforward, you can move directly on to your ROPA.  URM can assist in creating this and then developing it over time.  The length of time needed to produce a ROPA again depends on the nature of the processing being engaged in, but a ROPA can usually be completed within 7 days.  URM consultants are also skilled in performing DPIAs.  Most DPIAs can be drafted and finalised within one day.

Privacy notices are mandatory statements which help organisations to meet the fairness and transparency requirements of the UK GDPR’s first principle and are the main means for controllers to fulfil the data subjects’ right to be informed.  Where a process is detailed on a ROPA, the privacy notice for that process can usually be drafted in half a day.

GDPR and Data Protection Training Courses

URM’s DP training courses can help you enhance your understanding of the UK’s data protection landscape and diversify your professional skillset.  Attending our BCS Foundation Certificate in Data Protection (CDP) Training Course will enable you to gain a comprehensive understanding of data protection law in the UK and an industry-recognised DP qualification, fully preparing you to sit the BCS administered exam.  Meanwhile, our 2 half-day courses on conducting DPIAs and data transfer impact assessments (DTIAs), and our 1-day Training Course on managing DSARs, will provide you with the knowledge and practical skills necessary to complete these key compliance activities when you return to your workplace.


Why URM for UK GDPR Consultancy?

Track record

URM’s data protection and GDPR consultants have extensive ‘real world’ experience as both practitioners and subject matter experts working at a senior level within business and in their data protection consulting roles advising organisations on best practice.  With a 19-year track record assisting organisations to comply with legislation such as the Data Protection Act, the GDPR and local country-specific legislation, URM has earned a reputation for adopting a pragmatic and business appropriate approach.

Flexible service offerings

A key differentiator between URM and other data protection service providers is our flexible service offerings.  Our virtual DPO service can be customised to your precise requirements, in terms of the type of support you require, the frequency of site days (remote or on site), etc. Equally, with our remediation support, URM can assist you in addressing any gaps identified and achieving full GDPR compliance. We can also help you maintain that compliance with GDPR auditing services.

Knowledge transfer

URM prides itself on its knowledge transfer philosophy and training expertise which helps to ensure that you not only understand what the principles and requirements of the GDPR are but how to best meet them.


Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management, data protection, etc. The webinars are delivered by our senior consultants, who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, and complying with the GDPR.  All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.

Webinar: Data Protection in the UK: What Next?

URM provides an update on all of the DP-related issues, impending legislation, ICO’s enforcement actions, and the impact of artificial intelligence (AI).

Webinar: DPIAs and DTIAs – Reducing The Fear

URM will be sharing its experiences and practical tips drawn from helping organisations successfully conduct DPIAs and DTIAs.

Webinar: GDPR Webinar – Back to Basics

URM is holding a webinar designed to guide organisations on their journey to compliance with both the UK and EU GDPR.



Does the UK GDPR only cover data processed by automated (electronic) means?  

No – hard copy information, such as paper files, containing personal data is included if the data is part of a structured, searchable dataset, which the Regulation calls a ‘filing system’.

When do you need to comply with the EU GDPR instead of, or in addition to, the UK GDPR?  

If you are processing the data of people who are in the EU, either in relation to the activities of a physical base or person (‘establishment’) your organisation has in the EU, or your processing relates to offering goods and services to data subjects in the EU, or monitoring their behaviour in the EU, then you have to comply with the EU GDPR (as well as the UK GDPR in respect of any UK people’s data you are processing). The EU GDPR and UK GDPR are currently essentially the same.

Must an organisation have an establishment in the UK to be subject to the UK GDPR?  

No – all organisations around the world that process the personal data of people who are in the UK are affected by the UK GDPR, if the processing is in relation to offering goods and services to data subjects in the UK, or monitoring their behaviour in the UK.

Does the UK GDPR contain rules about sending UK people’s data abroad?  

Yes – in Chapter V.  The rules are basically the same as those in the EU GDPR, except that it is the Secretary of State, not the European Commission, who decides if a third country data importer has adequate data protection laws (i.e., makes an ‘adequacy decision’); and the EU Standard Contractual Clauses (SCCs) method of legitimising such international transfers is replaced by a document issued by the ICO – the International Data Transfer Agreement or IDTA.


Speak to GDPR Specialist

URM has a 19-year track record of assisting organisations to comply with legislation such as the Data Protection Act, the GDPR and local country-specific legislation.

Speak to one of our experts for more information on how we can help you comply. Simply call 0118 206 5410 or request a call back using the form below.

Data Protection Considerations for Data Analytics


URM’s blog explores the data protection considerations for data analytics tools, and how to reap their many benefits while still maintaining GDPR compliance.

First official European response to the Data Protection and Digital Information Bill

URM’s blog explores the first formal European response to the DPDI Bill, and how the Bill may jeopardise the UK’s adequacy status when it reforms the UK GDPR.

Data Protection Considerations for Artificial Intelligence (AI)

URM’s blog discusses the data protection considerations for utilising AI technologies, and how organisations can stay GDPR compliant in their use of AI.

The Data Protection and Digital Information Bill No.2

URM’s blog discusses the Data Protection and Digital Information (DPDI) Bill, how it will diverge from the current GDPR, and the impact it may have when passed.

We cannot thank URM enough for their help in ensuring our business is GDPR compliant. Both the gap analysis conducted and the in-depth assistance with the ROPA were made much easier and understandable with URM’s help. I would like to give particular thanks to URM's Consultant for providing us with the best guidance and making a famously complex topic comprehensive, and to our Account Manager for helping make sure all our needs were covered.