
GDPR Compliance: A Comprehensive Implementation Guide

GDPR compliance for UK businesses requires more than a privacy policy. This guide covers the practical steps: data mapping, appointing a DPO if required, documenting processing activities, implementing technical controls, and building a breach response capability.


Sophie Moore

Operations Manager

10 min read · Mar 2026

UK GDPR after Brexit: what has changed?

Since the UK's departure from the EU, UK GDPR applies to UK organisations rather than the EU's General Data Protection Regulation, though the two frameworks are substantially aligned. The UK GDPR is retained in UK law through the Data Protection Act 2018 and is enforced by the Information Commissioner's Office (ICO). Organisations operating in both the UK and EU must comply with both frameworks where applicable.

For most practical purposes — the rights of data subjects, the lawful bases for processing, the obligations of controllers and processors, and the breach notification requirements — UK GDPR mirrors the EU regulation closely. The key divergence to watch is the UK government's data protection reform agenda, which may introduce changes over time.

Step 1: Data mapping and the Record of Processing Activities

Implementation begins with understanding what personal data your organisation holds, where it came from, how it is used, who it is shared with, and where it is stored. This is called data mapping, and the output — a Record of Processing Activities (RoPA) — is a legal requirement for most organisations under Article 30 of UK GDPR.

A RoPA typically records for each processing activity:

  • The purpose of processing and the lawful basis
  • Categories of personal data processed
  • Categories of data subjects (employees, customers, suppliers, etc.)
  • Recipients — internal and external — who have access to the data
  • Transfers outside the UK or EU, and the safeguards in place
  • Data retention periods
  • Technical and organisational security measures

Data mapping is often more complex than organisations expect. Personal data sits in CRM systems, email archives, shared drives, HR platforms, finance software, paper records, and increasingly in cloud services. A systematic exercise — interviewing department heads, reviewing system inventories and data flows — is required to produce a complete picture.

Step 2: Establishing lawful bases for processing

Every processing activity must have a documented lawful basis. The six bases under UK GDPR are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The appropriate basis depends on the nature of the processing and the relationship with the data subject.

Many organisations default to consent as their chosen basis, but consent requires freely given, specific, informed and unambiguous agreement — and data subjects must be able to withdraw it as easily as they gave it. Where you are processing data to fulfil a contract with the data subject, or to comply with a legal obligation, those bases are usually more appropriate and more straightforward to rely on. Legitimate interests — where processing is necessary for the legitimate interests of the controller, balanced against the rights of the data subject — is commonly used for business-to-business processing, fraud prevention, and marketing to existing customers.

Step 3: Privacy notices and transparency

UK GDPR requires organisations to inform data subjects about what data is collected, why, how long it will be kept, who it is shared with, and their rights. This information must be provided at the point of data collection, in clear and plain language. A privacy notice buried in a footer does not satisfy the transparency requirement if it is not actually accessible and readable to the individuals whose data you are processing.

Step 4: Technical and organisational security measures

Article 32 of UK GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data, including:

  • Pseudonymisation and encryption where appropriate to the risk
  • Ongoing confidentiality, integrity and availability of processing systems
  • The ability to restore data in a timely manner following an incident
  • Regular testing and evaluation of security measures

In practice, the ICO expects to see: access controls implementing least privilege, encryption of personal data at rest and in transit, MFA on systems holding personal data, regular software patching, and a tested backup and recovery capability. Cyber Essentials certification provides a documented baseline of five technical controls that demonstrates a systematic approach to UK GDPR's security requirements.
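The pseudonymisation measure named above is easy to get wrong in one specific way: hashing an identifier with a plain, unkeyed hash lets anyone holding the dataset re-identify subjects simply by hashing guessed email addresses. The following is an added illustration, not code from the original guide or from AMVIA, of the keyed approach (HMAC-SHA256 under a secret key), with the re-identification table kept as a separate artefact so it can sit behind its own access controls. The customer records, the key handling and the function names are all constructed for the example.

```python
"""Pseudonymising customer identifiers with a keyed hash (HMAC-SHA256).

Added example for the Article 32 'pseudonymisation' measure. The records
below are constructed sample data, and the key handling is illustrative:
in production the key lives in a secrets manager or KMS, never beside
the pseudonymised dataset.
"""
import hashlib
import hmac
import secrets

# Constructed sample records of the kind a CRM export might contain.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend_gbp": 120},
    {"email": "bob@example.com", "postcode": "M1 1AE", "spend_gbp": 45},
    {"email": "Alice@Example.com", "postcode": "SW1A 1AA", "spend_gbp": 30},
]


def new_key() -> bytes:
    """Generate a 256-bit pseudonymisation key (store it separately)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash.

    HMAC rather than bare SHA-256: without the key, a party holding the
    pseudonymised dataset cannot recover subjects by hashing candidate
    identifiers. Normalising case and whitespace keeps one subject to one
    pseudonym, so the same person is not split across several records.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Return analytics-ready records with direct identifiers removed.

    The email is replaced by its pseudonym and the postcode is truncated to
    its outward code, which is coarse enough for regional reporting while
    lowering the re-identification risk of the remaining fields.
    """
    out = []
    for record in records:
        out.append({
            "subject_id": pseudonym(record["email"], key),
            "postcode_area": record["postcode"].split()[0],
            "spend_gbp": record["spend_gbp"],
        })
    return out


def lookup_table(records: list[dict], key: bytes) -> dict[str, str]:
    """Build the re-identification table (pseudonym -> identifier).

    This is the 'additional information' that pseudonymisation relies on:
    it must be stored apart from the pseudonymised data, under stricter
    access control, and it is what a subject access request is resolved
    against when a subject asks what you hold on them.
    """
    return {pseudonym(r["email"], key): r["email"].strip().lower() for r in records}


if __name__ == "__main__":
    key = new_key()
    for row in pseudonymise(CUSTOMERS, key):
        print(row)
```

The test of whether the measure is doing anything is the last property checked below: a second key produces entirely different pseudonyms, which is exactly what an attacker without the key is up against. Retention also applies to the lookup table; deleting it (or the key) when the re-identification need expires turns the remaining dataset into something much closer to anonymised data.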

Step 5: Data Protection Impact Assessments (DPIAs)

A DPIA is required when processing is likely to result in a high risk to individuals — for example, large-scale processing of special category data, systematic monitoring of employees, or the use of new technologies. The DPIA process involves identifying and assessing risks to data subjects' rights and freedoms, and documenting the measures taken to mitigate them.

Even where not strictly required, DPIAs are good practice when introducing new systems, significantly changing how existing data is processed, or adopting new technologies that involve personal data.

Step 6: Breach notification readiness

Under UK GDPR, personal data breaches that are likely to result in a risk to individuals must be reported to the ICO within 72 hours of discovery. Breaches posing a high risk to individuals must also be communicated directly to those affected. This requires a documented incident response procedure, clear escalation paths, and pre-prepared notification templates.

The 72-hour clock starts when the organisation becomes aware of the breach — not when a detailed investigation is complete. An initial notification can be submitted with limited information, with further details provided as the investigation progresses. Failing to notify within the 72-hour window without good reason is itself an infringement that can attract ICO sanctions.

Step 7: Data subject rights

UK GDPR grants data subjects rights including access (subject access requests), rectification, erasure, restriction of processing, data portability, and the right to object. Organisations must have procedures in place to respond to these requests within one calendar month. A log of all requests received and how they were handled is good practice and supports accountability.

Do Your Technical Controls Meet UK GDPR Requirements?

UK GDPR requires appropriate technical measures to protect personal data. AMVIA can assess your current technical controls and implement the ones the ICO expects to see.

Frequently Asked Questions