UK GDPR Compliance
Configure your forms for the UK General Data Protection Regulation.
What is UK GDPR?
When the UK left the European Union on 31 January 2020, the EU GDPR was retained in UK domestic law through the European Union (Withdrawal) Act 2018. This retained version, read together with the Data Protection Act 2018 (DPA 2018), is referred to as "UK GDPR."
UK GDPR is enforced by the Information Commissioner's Office (ICO), the UK's independent data protection authority. It applies to any organisation that processes the personal data of individuals in the UK, regardless of where that organisation is based.
The substantive requirements — lawful basis for processing, data subject rights, breach notification, data protection impact assessments — are nearly identical to the EU GDPR. The differences are in governance, enforcement, and international transfer mechanisms.
Key differences from EU GDPR
If you already comply with EU GDPR, most of the work is done. These are the areas where UK GDPR diverges:
Regulator
EU GDPR is enforced by national data protection authorities (DPAs) across EU member states. UK GDPR is enforced solely by the ICO. There is no "one-stop shop" mechanism — the ICO is your only point of contact for UK data protection matters, and you cannot rely on a lead supervisory authority in another country.
International data transfers
Under EU GDPR, data transfers outside the EEA require adequacy decisions or safeguards like Standard Contractual Clauses (SCCs). UK GDPR has its own parallel system:
- The UK maintains its own adequacy decisions, separate from the EU's. The UK has recognised the EEA as adequate, and the EU has granted the UK an adequacy decision (reviewed periodically).
- For transfers to countries without UK adequacy, you must use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs — not the EU SCCs alone.
FormBlade processes data on servers in the EU. Because the UK recognises the EEA as adequate for data transfers, no additional transfer mechanism is required for UK form data processed by FormBlade.
UK representative
If your organisation is based outside the UK but targets UK residents (e.g., your forms are aimed at UK customers), UK GDPR requires you to appoint a UK representative. This mirrors the EU GDPR's requirement for an EU representative, but is a separate appointment. If you are based in the EU and serve both UK and EU users, you may need both an EU and a UK representative.
Fines
Maximum fines are denominated in GBP, not EUR:
- Higher tier: up to £17.5 million or 4% of annual worldwide turnover, whichever is greater.
- Lower tier: up to £8.7 million or 2% of annual worldwide turnover, whichever is greater.
In practice, the fine thresholds are economically equivalent to the EU GDPR's €20 million / €10 million tiers.
No one-stop shop
Under EU GDPR, if your business operates across multiple EU countries, you deal primarily with one lead supervisory authority. UK GDPR has no equivalent. The ICO handles all UK matters directly, and complaints from UK data subjects go exclusively to the ICO regardless of where else you operate.
What the UK GDPR preset configures
The UK GDPR preset applies the same technical safeguards as the EU GDPR preset, since the substantive data protection requirements are identical:
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | UK GDPR requires a lawful basis for processing. For web form submissions, consent is the most straightforward basis. The checkbox records proof of consent. |
| IP anonymization | Enabled | IP addresses are personal data under UK GDPR. Anonymizing them (zeroing the last octet) reduces the data you store and limits your exposure. |
| User-agent storage | Disabled | Browser fingerprint data is not necessary for processing form submissions. Not storing it aligns with the data minimization principle. |
| Data retention | 365 days | UK GDPR requires that personal data is not kept longer than necessary. One year is a reasonable retention period for form submissions. |
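The four preset settings above are easier to reason about when you see them applied to a concrete submission. The following is an added example written for this page, not FormBlade's own code: it assumes a submission arrives as a dict with `consent`, `ip` and `user_agent` keys (assumed field names), refuses to store anything without the consent checkbox, zeroes the last octet of an IPv4 address, drops the user agent, and stamps a 365-day expiry. The page only describes IPv4 anonymization; the IPv6 handling (truncating to the /64 prefix) is an assumption added here.

```python
"""Applying the UK GDPR preset's safeguards to a form submission.

Illustrative code written for this page, not FormBlade's implementation.
Field names (`consent`, `ip`, `user_agent`) and function names are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # preset value: data retention


class ConsentMissing(ValueError):
    """Raised when the required consent checkbox was not ticked."""


@dataclass
class StoredSubmission:
    fields: dict          # form fields that are actually persisted
    ip: str | None        # anonymized address, or None if absent/unparseable
    consented_at: datetime
    expires_at: datetime


def anonymize_ip(raw: str) -> str | None:
    """Zero the last octet of an IPv4 address (the preset's behaviour).

    IPv6 handling is an assumption made here: the address is truncated to its
    /64 network prefix. Unparseable input yields None so nothing doubtful is stored.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    prefix = 24 if isinstance(addr, ipaddress.IPv4Address) else 64
    # strict=False lets ip_network mask off the host bits for us.
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def is_storable(submission: dict) -> bool:
    """Consent checkbox: required. Without it there is no lawful basis recorded."""
    return bool(submission.get("consent"))


def apply_uk_gdpr_preset(submission: dict, now: datetime | None = None) -> StoredSubmission:
    """Return the minimized record that would be written to storage."""
    now = now or datetime.now(timezone.utc)
    if not is_storable(submission):
        raise ConsentMissing("consent checkbox not ticked; submission not stored")
    # User-agent storage: disabled. Strip it (and the raw metadata) before persisting.
    fields = {k: v for k, v in submission.items() if k not in ("consent", "ip", "user_agent")}
    # IP anonymization: enabled.
    ip = anonymize_ip(submission["ip"]) if submission.get("ip") else None
    # Data retention: 365 days from the moment consent was recorded.
    return StoredSubmission(
        fields=fields,
        ip=ip,
        consented_at=now,
        expires_at=now + timedelta(days=RETENTION_DAYS),
    )


def purge_expired(stored: list[StoredSubmission], now: datetime) -> list[StoredSubmission]:
    """Keep only submissions still inside their retention window."""
    return [s for s in stored if s.expires_at > now]


# Constructed sample input, not a real submission.
SAMPLE_SUBMISSION = {
    "name": "A. Example",
    "email": "a.example@example.com",
    "message": "Please contact me about pricing.",
    "consent": True,
    "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (constructed sample)",
}

if __name__ == "__main__":
    record = apply_uk_gdpr_preset(SAMPLE_SUBMISSION)
    print(record)  # ip is 203.0.113.0, no user_agent key, expires_at one year out
```

The retention check is written as a pure function so it can run from a scheduled job; what matters for compliance is that the expiry is fixed at consent time and the purge is actually executed, not merely configured.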
Set up the UK GDPR preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select UK GDPR from the dropdown.
- Click Save.
This sets the default compliance configuration for all new forms you create.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select UK GDPR from the preset buttons or region dropdown.
- Click Save.
When to use UK GDPR vs EU GDPR
The presets are technically identical, so this decision is about clarity and documentation rather than different behaviour:
- UK-only audience — use the UK GDPR preset. Your compliance documentation and privacy policy can reference UK GDPR and the ICO specifically.
- EU-only audience — use the EU GDPR preset.
- Both UK and EU audiences — use the EU GDPR preset. The EU GDPR and UK GDPR are substantively the same, and a single configuration satisfies both. Your privacy policy should reference both regulations and both the relevant EU DPA and the ICO.
- Unsure — use the EU GDPR preset. It covers the broadest scope.
ICO enforcement
The ICO is an active regulator. It can investigate complaints, conduct audits, and issue enforcement notices and fines. Key points:
- Fines can reach £17.5 million or 4% of global annual turnover, whichever is greater.
- The ICO must be notified of personal data breaches within 72 hours if the breach is likely to result in a risk to individuals' rights.
- Individuals can lodge complaints directly with the ICO at no cost.
- The ICO publishes detailed guidance on all aspects of UK GDPR at ico.org.uk.
FormBlade's built-in IP anonymization, consent recording, data retention limits, and submission export tools help you meet your obligations. The legal analysis — determining your lawful basis, drafting your privacy policy, and appointing representatives — is your responsibility.