UK GDPR FAQs

The General Data Protection Regulation (GDPR) transformed how organisations handle personal data across Europe, and the ripple effects continue. Since Brexit, the United Kingdom now operates under its own framework known as the UK GDPR, tailored to national laws while retaining the core architecture of the original EU regulation.

But for many businesses, especially SMEs and charities, GDPR still feels like a maze of legalese and paperwork. In this FAQ, we cut through the confusion with practical insights, real-world considerations, and updated guidance to help UK-based organisations stay compliant — and confidently so.

Is There a Difference Between the UK and EU GDPR?

Yes, but think “siblings”, not strangers.

The UK GDPR is essentially the EU GDPR copy-pasted into UK law, with modifications to reflect local jurisdiction. The key differences include:

  • Jurisdiction: UK GDPR applies to UK organisations or any company targeting UK residents. If you handle both UK and EU customer data, you may need to comply with both sets of rules.
  • Supervisory Authority: The Information Commissioner’s Office (ICO) replaces EU bodies like the CNIL or DPC.
  • Legal References: UK GDPR aligns with the Data Protection Act 2018 and other domestic legislation instead of EU law.

Expert note: Dual compliance is one of the most overlooked areas for UK businesses selling internationally. If your website has an EU language version or ships abroad, you may already fall under EU GDPR too.

What Are the Individual Rights Under UK GDPR?

These aren’t just theoretical protections — they’re enforceable rights. And in an age where data misuse headlines are all too common, many individuals are now aware of them.

Here’s a breakdown:

  1. Right to be informed – Individuals must know why and how their data is used.
  2. Right of access – A simple email can trigger a Subject Access Request (SAR).
  3. Right to rectification – Fix inaccurate or incomplete information without delay.
  4. Right to erasure – Known as the “right to be forgotten”, though exceptions apply.
  5. Right to restrict processing – Useful during disputes or investigations.
  6. Right to data portability – Enables data migration between platforms (e.g. switching banks).
  7. Right to object – Individuals can opt out of profiling, marketing, and more.
  8. Rights related to automated decision-making – Ensures a human check is in place.

Tip: These rights must be reflected in your privacy notices and workflows, not just your policy folder.

It’s important to note: these rights apply to individuals, not businesses or organisations. While businesses have responsibilities under the UK GDPR (such as lawful processing, security, and transparency), the rights themselves — like access, erasure, and portability — are exclusively for individuals whose data is being collected or used.

GDPR Policy Template UK: What Should Your Policy Include?

Even if you’re a small business or non-profit, a clear GDPR policy isn’t optional: it’s your internal map for handling data lawfully.

A strong UK GDPR policy should outline:

  • Purpose: Why you collect data (e.g. order fulfilment, analytics, CRM).
  • Scope: Who it affects (staff, customers, suppliers).
  • Lawful Basis: Consent, legitimate interests, contract fulfilment — choose carefully.
  • How Rights Are Handled: What’s your process when someone requests data deletion?
  • Data Retention Schedule: How long do you keep records, emails, CCTV?
  • Security Measures: Technical and procedural safeguards you use.

Pro insight: Use your policy as a training tool, not just a compliance checkbox. Keep it readable and relevant.

Is There GDPR Certification in the UK?

Not officially, but certification schemes can demonstrate credibility.

  • ICO-Approved Schemes: These are sector-specific codes of conduct you can voluntarily sign up for.
  • ISO 27701: An international standard for Privacy Information Management — ideal if you’re working with partners or clients who demand formal recognition.

Reality check: Clients care more about your actual practices than your paperwork. A consistent culture of compliance often trumps a framed certificate.

GDPR Photo Consent in the UK

Using identifiable images of individuals — whether on a website, social media, or marketing collateral — counts as personal data processing under UK GDPR. That means you need proper, recorded consent unless another lawful basis applies (which is rare for marketing).

What does valid photo consent look like?

  • Freely given – No pressure or pre-ticked boxes. A person should genuinely have a choice.
  • Specific – You must state how, where, and why the photo will be used.
  • Unambiguous – Use plain English, not buried legalese.
  • Documented – Always keep a record of the consent given (who, when, how, what it covered).

If you’re taking event photos, consider clear signage at the entrance, and offer a way to opt out — either via wristbands, sticker badges, or post-event removal requests.

Tip: Avoid lumping photo consent into general T&Cs. It should stand alone, be prominent, and easy to revoke.

GDPR Phone Call Recording in the UK

Recording a phone call? That’s personal data processing too, and subject to all the same GDPR principles, including transparency, lawful basis, and data minimisation.

Key GDPR Requirements for Call Recording

  • Inform the caller before recording starts. This is often done with a brief automated message.
  • State the purpose clearly — e.g., training, quality assurance, legal documentation.
  • Choose a lawful basis — commonly:
    • Legitimate interest (with balancing test)
    • Contractual necessity
    • Legal obligation
  • Limit storage time. Set a clear retention policy and don’t keep recordings “just in case”.

Expert tip: Avoid relying on “consent” unless the user can meaningfully refuse. In most cases, legitimate interest (with a clear assessment) is more practical and defensible.

GDPR Video Recording in the UK

From office CCTV systems to Zoom recordings, video footage involving identifiable people is considered personal data under UK GDPR. As such, it requires clear policies and safeguards.

In-Person Recording (e.g. CCTV)

  • Display clear signage near entry points or cameras.
  • State the purpose (e.g., crime prevention, safety).
  • Restrict access to footage to authorised personnel only.
  • Provide a way for individuals to request access to footage they appear in (within one calendar month).

Online Video Recording (e.g. Zoom, Teams)

  • Inform participants in advance if a meeting will be recorded.
  • Explain the purpose and who will access the recording.
  • Avoid including unnecessary sensitive personal data in recorded calls unless absolutely required.

Caution: If you’re recording staff remotely or in hybrid settings, this can quickly become a privacy concern. Always keep proportionality and transparency front and centre.

GDPR Video Recording Without Consent in the UK: Is It Legal?

In short: It depends.

While GDPR doesn’t require explicit consent in all cases, you must have a valid legal basis for recording and meet other transparency obligations.

  • For CCTV, consent is not required if the purpose is legitimate (e.g., security), and individuals are clearly informed via signage.
  • For workplace or customer interactions, legitimate interest is often the chosen basis, but it requires a documented Legitimate Interest Assessment (LIA) to ensure it doesn’t override individuals’ rights.
  • For online meetings, recording without informing participants is a GDPR breach — even if your intention is harmless.

Bottom line: Consent isn’t always required, but stealth recording rarely passes the legal or ethical test. If people don’t know they’re being recorded, it’s almost certainly unlawful under UK GDPR.

Is UK GDPR Changing in the Future?

Yes. The UK is moving toward a more “business-friendly” framework.

The Data Protection and Digital Information Bill (introduced in 2022, still evolving) includes:

  • Relaxed rules for low-risk data processing by SMEs.
  • Fewer cookie banners.
  • Streamlined data-sharing frameworks.

Hot take: While simplification is good, many experts caution against “watering down” GDPR principles too far. Transparency and trust remain your best currency in the digital economy.

Build Trust, Not Just Compliance

GDPR is about earning the trust of the people whose data you use. And that trust, once lost, is hard to win back.

Investing in compliance means fewer complaints, happier customers, and smoother operations. It’s good ethics — and smart business.