UK GDPR: What SaaS Founders Need to Know After Brexit (2026 Guide)
If you serve UK users, UK GDPR applies to you. And UK GDPR is not the same as EU GDPR: it is the EU text carried into UK domestic law and read together with the Data Protection Act 2018, it sits under a different regulator (the ICO), it has its own transfer tools, and it is now being amended by the Data (Use and Access) Act 2025, which changes the UK data protection framework in several places that matter to SaaS.
This guide covers everything a SaaS founder needs to know about UK data protection in 2026.
UK GDPR vs EU GDPR: The Key Differences
| Area | EU GDPR | UK GDPR |
|---|---|---|
| Legal basis | Regulation (EU) 2016/679 | UK GDPR (retained EU law) + Data Protection Act 2018 (DPA 2018) |
| Supervisory authority | Lead DPA in member state of establishment | ICO (Information Commissioner's Office) |
| Maximum fines | €20M or 4% of global turnover, whichever is higher | £17.5M or 4% of global turnover, whichever is higher |
| ICO registration (data protection fee) | Not required (no equivalent) | Required for most data controllers unless exempt; £52, £78 or £3,763 per year depending on size |
| Adequacy for EU-to-UK transfers | EU adequacy decisions for the UK granted June 2021 with a four-year sunset clause; extended and taken through renewal in 2025 | EU data can flow to the UK under those decisions; UK-to-EEA flows are covered by UK adequacy regulations |
| International transfers | SCCs (2021 modules), BCRs, EU-US DPF, adequacy decisions (Chapter V) | IDTA, UK Addendum to the EU SCCs, UK adequacy regulations, UK BCRs, UK-US data bridge (UK extension to the DPF) |
| PECR (cookies) | ePrivacy Directive (national implementations) | PECR 2003 — UK-specific rule, same functional requirement |
| DPO | Mandatory for certain organisations | Same conditions (UK GDPR Art. 37) |
| Data (Use and Access) Act 2025 | Does not apply | Amends UK GDPR, DPA 2018 and PECR: recognised legitimate interests, smart data schemes, digital verification services, new cookie consent exceptions, PECR fines raised to UK GDPR levels |
Does UK GDPR Apply to Your SaaS?
UK GDPR has extraterritorial effect. It applies to you if:
- You are established in the UK (incorporated, or have a branch/office), OR
- You are not established in the UK but you offer goods or services to individuals in the UK (even for free), OR
- You monitor the behaviour of individuals in the UK
"Offering services to UK individuals" is read broadly by the ICO, as it is by EU regulators under the parallel EU GDPR test. Indicators include a GBP pricing option, UK-specific content or marketing, UK phone numbers or addresses, or a substantial UK user base. Simply being reachable from the UK is NOT enough: there needs to be an active targeting element.
ICO Registration
Unlike EU GDPR, UK law (the Data Protection (Charges and Information) Regulations 2018, made under the Digital Economy Act 2017 and sitting alongside the DPA 2018) requires most data controllers to pay an annual data protection fee to the ICO, commonly called "ICO registration". The fee tiers rose by roughly 30% on 17 February 2025:
| Organisation Type | Annual Fee |
|---|---|
| Tier 1: micro organisation (turnover ≤£632,000 or ≤10 staff) | £52 |
| Tier 2: small and medium organisation (turnover ≤£36M or ≤250 staff) | £78 |
| Tier 3: large organisation (everything else) | £3,763 |
| Charities and small occupational pension schemes | £52 regardless of size |
Public authorities are placed in a tier by staff numbers alone, ignoring turnover.
The exemptions are purpose-based rather than size-based: processing only for staff administration, advertising and accounts, personal or household use, not-for-profit purposes, judicial functions or the work of elected representatives, or processing that uses no automated means at all. A SaaS running customer data through its own systems will not qualify. Failure to pay attracts a monetary penalty of up to £4,000 on top of the unpaid fee.
Pay at: ico.org.uk. The self-assessment and payment take about 15 minutes, and the fee is renewed annually.
UK Representative Requirement
If you are not established in the UK but UK GDPR applies to you under Article 3(2) (i.e., you offer services to or monitor individuals in the UK), you must appoint a UK representative (UK GDPR Art. 27). This is a UK-based individual or organisation, named in your privacy notice, that the ICO and UK data subjects can contact in addition to, not instead of, you.
This is separate from the EU GDPR Art. 27 representative requirement — you may need both if you serve both EU and UK users.
Commercial UK representative services typically cost £500-£1,500/year. The only exemption (Art. 27(2)) is for occasional processing that is unlikely to result in risk and does not involve large-scale special category or criminal offence data; a SaaS with a standing UK customer base will not meet it.
International Data Transfers: UK vs EU
UK GDPR has its own transfer mechanism framework, separate from EU GDPR:
| Transfer Type | EU Mechanism | UK Equivalent |
|---|---|---|
| Transfers to adequate countries | Adequacy decision (Art. 45) | UK adequacy regulations (similar list, with UK-specific additions) |
| Standard contractual clauses | EU SCCs (2021 modules) | IDTA (International Data Transfer Agreement) OR UK Addendum to EU SCCs |
| Binding corporate rules | BCRs approved by lead DPA | UK BCRs approved by ICO |
| EU data to UK | EU adequacy decision for UK — flows freely | Not applicable (UK is recipient) |
Critical point: EU SCCs alone are NOT valid for transfers of personal data out of the UK; the ICO only accepts the 2021 EU SCCs when they are modified by its Addendum. If your DPA uses EU SCCs, you need to either: (a) attach the UK Addendum (a short document the ICO publishes), or (b) replace them with the IDTA. Both are available free from the ICO website. In either case a transfer risk assessment (the UK equivalent of an EU transfer impact assessment) is still expected.
The IDTA is the UK's standalone alternative to EU SCCs. It's a more complex document but covers the same ground. For most SaaS, attaching the UK Addendum to existing EU SCCs is simpler.
EU Adequacy for the UK (and Risk)
The EU granted the UK adequacy decisions (one under the GDPR and one under the Law Enforcement Directive) in June 2021. This means EU personal data can flow to the UK without additional safeguards. Unusually, the decisions carried a four-year sunset clause; in 2025 the Commission extended them and put renewed decisions through its adoption process.
The Commission's 2025 assessment took the Data (Use and Access) Act 2025 into account, but the UK's direction of travel remains a policy risk to monitor: adequacy can be challenged in the EU courts or withheld at the next review if UK law diverges too far from EU standards, and losing it would put your EU-to-UK flows back onto SCCs overnight.
PECR: Cookie Consent in the UK
PECR (Privacy and Electronic Communications Regulations 2003) implements the EU ePrivacy Directive in UK law. Post-Brexit, PECR continues to apply and the ICO enforces it independently.
Key PECR requirements same as EU ePrivacy:
- Consent required before placing non-essential cookies
- Consent must be freely given, specific, informed, unambiguous
- Easy withdrawal required
Since late 2023 the ICO has written to operators of the UK's most visited websites demanding that rejecting non-essential cookies be as easy as accepting them, and has updated its cookie guidance with dark patterns (buried reject buttons, pre-ticked boxes, "accept or pay" walls) in mind. PECR fines were historically capped at £500,000; the DUA Act 2025 aligns them with the UK GDPR maximum of £17.5M or 4% of global turnover, so a non-compliant banner is no longer a low-stakes problem.
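The rules above ("consent before non-essential cookies", "withdrawal as easy as consent") are usually broken by the implementation rather than the policy, so here is an added example of the decision logic behind a compliant banner. This is illustrative code written for this guide, not code from the ICO or from any consent-management product; the cookie names, category names and policy-version scheme are assumptions. It models PECR regulation 6: strictly necessary cookies are exempt, everything else is off until the user opts in per category, a changed policy version invalidates old consent, and withdrawal produces the list of cookies that must be deleted, not merely no longer written.

```javascript
// Added example, not from the guide or the ICO: a consent-state model for
// gating non-essential cookies under PECR reg. 6. Cookie names, category
// names and the policy-version scheme are assumptions for illustration.

// Constructed registry of every cookie the site sets, keyed by name, with
// the purpose category it belongs to. Anything not listed is never set.
const COOKIE_REGISTRY = {
  session_id: "strictly_necessary", // keeps the user logged in
  csrf_token: "strictly_necessary", // request forgery protection
  theme_pref: "functional",          // remembers UI preferences
  _ga: "analytics",                  // third-party analytics
  _fbp: "marketing",                 // ad attribution
};

// Categories that require prior opt-in. "strictly_necessary" is the reg. 6(4)
// exemption: cookies essential to a service the user explicitly requested.
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// A new visitor starts with no consent. Absence of a choice means "no":
// pre-ticked boxes, "continue browsing" or scrolling are not consent.
function emptyConsent(policyVersion) {
  return { version: policyVersion, decidedAt: null, categories: {} };
}

// Record an explicit opt-in for the given categories (specific consent:
// the user picks categories, not an all-or-nothing "accept").
function grantConsent(record, categories, now = Date.now()) {
  const next = { ...record, categories: { ...record.categories }, decidedAt: now };
  for (const c of categories) {
    if (!NON_ESSENTIAL.includes(c)) throw new Error(`unknown category: ${c}`);
    next.categories[c] = true;
  }
  return next;
}

// Withdrawal must be as easy as consent: one call, defaults to everything.
function withdrawConsent(record, categories = NON_ESSENTIAL, now = Date.now()) {
  const next = { ...record, categories: { ...record.categories }, decidedAt: now };
  for (const c of categories) next.categories[c] = false;
  return next;
}

// Single decision point: may this cookie be set right now?
function mayUseCookie(name, record, currentPolicyVersion) {
  const category = COOKIE_REGISTRY[name];
  if (category === undefined) return false;                  // unregistered: never
  if (category === "strictly_necessary") return true;        // exempt from consent
  if (record.version !== currentPolicyVersion) return false; // policy changed: re-ask
  return record.categories[category] === true;               // explicit opt-in only
}

// After a withdrawal, already-set cookies must be deleted, not just no longer
// written. Returns the names so the caller can expire them (in a browser:
// document.cookie = `${name}=; Max-Age=0; path=/`).
function cookiesToClear(record, currentPolicyVersion) {
  return Object.keys(COOKIE_REGISTRY).filter(
    (name) => !mayUseCookie(name, record, currentPolicyVersion)
  );
}

// Constructed visitor journey: no choice, opt in to analytics only, withdraw.
function demo() {
  const version = "2026-01";
  let consent = emptyConsent(version);
  const beforeChoice = mayUseCookie("_ga", consent, version);          // false
  consent = grantConsent(consent, ["analytics"]);
  const afterOptIn = mayUseCookie("_ga", consent, version);            // true
  const marketingStillBlocked = mayUseCookie("_fbp", consent, version); // false
  consent = withdrawConsent(consent);
  const afterWithdrawal = mayUseCookie("_ga", consent, version);       // false
  return {
    beforeChoice, afterOptIn, marketingStillBlocked, afterWithdrawal,
    toClear: cookiesToClear(consent, version), // ["theme_pref", "_ga", "_fbp"]
  };
}

console.log(demo());
```

The point of routing every cookie write and every third-party script load through `mayUseCookie` is that the banner UI becomes irrelevant to compliance: if the analytics tag is only injected when the function returns true, a dark-pattern banner cannot leak analytics cookies before consent. The policy-version check is what forces re-consent when you add a new vendor, which the ICO expects rather than silently relying on an old opt-in.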
The Data (Use and Access) Act 2025
The DUA Act 2025 received Royal Assent on 19 June 2025 and amends UK GDPR, the DPA 2018 and PECR. Its provisions are commenced in phases by regulations from late 2025 onwards, so check which sections are in force when you read this. The changes that matter most to SaaS:
- Recognised Legitimate Interests (RLI): a new Annex 1 to UK GDPR listing purposes for which processing is lawful without a balancing test, provided it is necessary for that purpose: national security, public security and defence; responding to emergencies; detecting, investigating and preventing crime; safeguarding vulnerable individuals; democratic engagement; and disclosures to public bodies that request data for their public tasks
- Examples of ordinary legitimate interests: the Act also adds to Article 6 a non-exhaustive list of purposes that may be legitimate interests (direct marketing, intra-group transfers for internal administration, and network and information security). These are not on the RLI list and still need the balancing test, so an LIA is still required
- Subject access requests: codifies that a controller need only make "reasonable and proportionate" searches, and lets the response clock pause while the controller seeks clarification
- Complaints: controllers must give data subjects a way to complain to them directly (e.g., a form) and must respond without undue delay
- Automated decision-making: Article 22 is replaced so that solely automated decisions with significant effects are permitted on more lawful bases, provided safeguards (information, human intervention, a right to contest) are in place; tighter rules remain where special category data is involved
- International transfers: a new "data protection test" for UK adequacy regulations and for transfer tools, under which the destination's standard must not be materially lower than the UK's
- PECR reform: new exceptions to cookie consent for certain low-risk uses (e.g., statistical analytics, appearance and functionality, security and emergency purposes) subject to conditions such as an opt-out, and PECR fines raised to UK GDPR levels
- Smart Data Schemes: a legal framework for open-banking-style data portability in other sectors
- Digital Verification Services (DVS): a register of certified digital identity providers and a trust framework
- Regulator restructuring: the ICO is reconstituted as the Information Commission with a board and chief executive
For most SaaS the practical effect is narrower than it sounds: the RLI list covers crime prevention and detection (which includes fraud) and emergencies, but ordinary commercial processing, direct marketing and network security still require a documented LIA with a balancing test.
Practical UK GDPR Compliance Checklist for SaaS
- Pay the ICO data protection fee (£52, £78 or £3,763/year by tier); use the self-assessment at ico.org.uk to confirm whether an exemption applies (most SaaS will not qualify)
- Update your privacy policy to reference UK GDPR (not just EU GDPR), the ICO as supervisory authority, and UK-specific rights
- Appoint a UK representative if you're not established in the UK but serve UK users
- Review international transfer mechanisms — ensure DPAs include IDTA or UK Addendum for UK data exports
- Update cookie consent to comply with PECR (same requirements as ePrivacy but UK-specific)
- Electronic marketing under PECR: marketing emails, SMS and automated calls to individuals need prior consent (or the "soft opt-in" for your own existing customers) and a working unsubscribe in every message; this is separate from both the data protection fee and cookie consent, and the Act's higher PECR fines apply here too
- Breach notification: UK GDPR Art. 33 requires notification to the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals (same test and clock as EU GDPR, but to the ICO rather than an EU DPA; a breach affecting both EU and UK users may need both notifications)
- Review LIA documentation for any processing relying on legitimate interests; the DUA Act 2025 RLI list removes the balancing test only for the listed public-interest purposes, so most commercial LIAs stay as they are
If you use our Privacy Policy Generator, select "United Kingdom" as your jurisdiction to get UK GDPR-specific language including ICO contact details, UK data subject rights, and PECR cookie disclosure.
Related guides: GDPR International Data Transfers: SCCs, DPF, BCRs · GDPR Transfer Impact Assessment · Cookie Compliance 2026
Tools: Privacy Policy · GDPR DPA · Transfer Impact Assessment · Cookie Consent Audit
⚠️ This guide is for informational purposes and does not constitute legal advice. UK data protection law is subject to ongoing legislative change. Verify current requirements against ICO guidance and consult a UK-qualified data protection solicitor for specific advice.