Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in the UK, you’ve probably heard some version of: “We need to be GDPR compliant.”
But once you start digging into it, a very common question comes up (and it’s a good one): which law “transposes” the GDPR into UK law?
The short version is that GDPR didn’t just “disappear” after Brexit. It was largely retained (“saved”) into UK law and now sits alongside UK-specific legislation that fills in the gaps and sets out how data protection works here day-to-day.
In this guide, we’ll break down:
- exactly which law brings GDPR into UK law (and what people usually mean by “transposes”);
- how “UK GDPR” fits together with the Data Protection Act 2018;
- what extra rules apply in the UK (including marketing rules); and
- practical compliance steps you can take, without drowning in legal jargon.
Which Law Transposes The GDPR Into UK Law? (And What “Transposes” Means)
Let’s start with the wording, because it matters.
In EU law, “transposition” usually refers to when an EU directive is implemented into the national law of each member state. The GDPR, however, was an EU regulation, which originally applied directly across the EU without needing transposition.
So when UK business owners ask which law “transposes” the GDPR into UK law, what they typically mean is:
- What legal rules make GDPR apply in the UK?
- What changed after Brexit?
- What legislation should we actually look at when building compliance?
In UK terms, GDPR was retained into domestic law by the European Union (Withdrawal) Act 2018 and then amended to work in a UK-only context by UK “exit” regulations. The result is what businesses now refer to as the UK GDPR.
The key legal instruments most UK businesses need to look at are:
- the UK GDPR (the GDPR as retained in UK law after Brexit and tailored for the UK); and
- the Data Protection Act 2018 (DPA 2018) (which sits alongside UK GDPR and provides important detail and additional rules).
In practical terms, the “GDPR” rules you need to follow as a UK business are mainly found in UK GDPR, supported by DPA 2018. If you want to be confident you’re compliant, you generally need to consider both.
What Is The UK GDPR (And How Did It Get Into UK Law)?
After Brexit, the UK needed a way to avoid a sudden legal vacuum where privacy rules used to be.
To do that, the GDPR was essentially retained (“saved”) into UK domestic law and became known as the UK GDPR. You’ll sometimes hear this described as the “retained” or “saved” version of GDPR.
What this means for your business is:
- The core GDPR principles and obligations are still there (lawful bases, transparency, accountability, security, individual rights, etc.).
- The UK has its own regulator (the ICO) enforcing these rules.
- Some concepts have been “UK-ified” (for example, references to EU institutions are replaced with UK equivalents).
So while the label has changed, the compliance reality for most small businesses is familiar: if you process personal data, you need to follow UK GDPR.
And if what you’re really trying to pin down is which law makes GDPR apply in the UK, the day-to-day answer is: UK GDPR is the GDPR framework now operating in the UK, with additional details in the Data Protection Act 2018.
How The Data Protection Act 2018 Works Alongside UK GDPR
UK GDPR doesn’t operate in isolation. The Data Protection Act 2018 is a major piece of UK legislation that:
- supplements and sits alongside UK GDPR;
- provides UK-specific rules in areas where GDPR allowed national flexibility; and
- covers certain types of processing not fully dealt with by UK GDPR alone (for example, some law enforcement processing).
For a small business, the most important takeaway is: you usually need to think about both UK GDPR and DPA 2018 when setting up compliant processes.
Examples Of What The DPA 2018 Adds Or Clarifies
Depending on what your business does, DPA 2018 may affect things like:
- Children’s data and age-related consent issues (especially relevant to apps, platforms, and online services aimed at younger users).
- Special category data (like health data) and the conditions you must meet to process it lawfully.
- Employment context details (for example, how you handle staff data, monitoring, and disclosures).
- Exemptions that apply in specific situations (which can matter if you receive certain requests or need to keep records for legal reasons).
Because the DPA 2018 can get technical quickly, many businesses focus on building strong UK GDPR foundations first, then checking whether the DPA introduces anything extra for their particular activities.
That’s also why having a properly drafted Privacy Policy and internal privacy procedures matters - it forces you to map what you do with data in real operational terms, not just theoretical compliance.
Don’t Forget PECR: The UK Rules That Often Catch Small Businesses Out
Even once you’ve clarified how GDPR applies in the UK, many UK businesses still get tripped up by a different set of rules: PECR.
PECR stands for the Privacy and Electronic Communications (EC Directive) Regulations 2003. These rules sit alongside UK GDPR and are especially relevant if your business does any of the following:
- email marketing (newsletters, promotions, “new product” emails);
- SMS marketing;
- cold calling / live marketing calls;
- use of cookies and similar tracking technologies on your website; or
- direct marketing to individuals (and, in some cases, sole traders and partnerships).
UK GDPR tells you how to lawfully process personal data. PECR adds extra requirements for electronic marketing and privacy in communications.
In practice, compliance often looks like:
- ensuring your marketing consent and opt-outs are handled properly;
- setting up cookie consent tools that match what your website actually does; and
- making sure your email lists are built in a compliant way.
It’s also worth building staff training and internal controls around marketing and IT use - for many small businesses, an Acceptable Use Policy is one of the simplest ways to set clear rules around devices, systems, and customer data access.
What Does UK GDPR Compliance Actually Mean For Small Businesses?
The legal framework can sound abstract, but UK GDPR compliance becomes much clearer when you translate it into business actions.
Most UK small businesses should assume UK GDPR applies if they:
- collect customer enquiries (online forms, email, chat);
- sell online (customer names, delivery addresses, payment details);
- run a mailing list;
- have staff (payroll records, performance notes, sickness records);
- use CCTV; or
- use cloud tools (CRMs, booking systems, accounting platforms).
1) Know What Personal Data You Hold (And Why)
A very practical first step is to map your data:
- What personal data do you collect?
- Where does it come from (customers, suppliers, staff)?
- What do you use it for?
- Who do you share it with?
- How long do you keep it?
This helps you identify your lawful bases (for example, contract, legal obligation, legitimate interests, consent) and spot risk areas early.
2) Be Clear And Transparent With People
Transparency is a core GDPR concept, and it’s one of the most visible things customers notice.
This usually involves having a clear Privacy Policy and making sure it matches what your business actually does (not what a generic template says you do).
If you’re collecting data through your website, booking system, or newsletter signup, your privacy information should be easy to find and written in plain English.
3) Put The Right Contracts In Place With Suppliers
If you use third-party providers to process personal data on your behalf (think email marketing platforms, cloud storage, payroll providers, CRMs), you may need a contract that includes specific UK GDPR terms.
Many businesses deal with this through a Data Processing Agreement (or data processing clauses inside a broader service contract).
This is important because UK GDPR expects you to have clear terms about:
- what the processor can do with the data;
- security standards;
- sub-processors;
- assistance with data subject rights requests; and
- breach reporting.
4) Take Security Seriously (Even If You’re Small)
“Appropriate technical and organisational measures” can sound like enterprise-level jargon, but for small businesses it often means basics done well:
- strong passwords and multi-factor authentication;
- access controls (not everyone needs access to everything);
- device security (encryption, screen locks);
- safe storage and deletion processes; and
- staff training on phishing and data handling.
You’ll also want a clear plan for what happens if something goes wrong. A Data Breach Response Plan can save you a lot of time and stress when you’re under pressure and the clock is ticking.
5) Be Ready To Handle Subject Access Requests (SARs)
One of the most common “real world” GDPR events for small businesses is receiving an access request - often from a customer, sometimes from a staff member.
You need a process for:
- confirming identity;
- finding the data across systems;
- applying exemptions correctly; and
- responding within the required timeframe.
Having an Access Request Form can help you handle these requests consistently and avoid missed steps.
6) Watch Out For CCTV, Audio, And Monitoring
If your business uses CCTV (for security, safety, theft prevention), UK GDPR will still apply because you’re capturing personal data.
You’ll normally need to think about:
- having a lawful basis;
- appropriate signage and privacy information;
- retention periods;
- who can access footage; and
- how requests for footage are handled.
It gets even more sensitive if audio recording is involved. If you’re considering workplace recording or monitoring, it’s worth reading up on the risks of CCTV with audio before you install anything.
UK GDPR Vs EU GDPR: Does It Matter If You Sell Into Europe?
For many UK-only businesses, UK GDPR is the main focus.
But if you:
- sell goods or services to customers in the EU,
- market to people in the EU, or
- monitor the behaviour of individuals in the EU (for example, through targeted tracking/analytics),
…you may need to consider whether EU GDPR also applies to you.
This can mean additional compliance steps, and in some cases, extra requirements like appointing an EU representative.
It’s not something to guess on - it depends on how your business is set up and who you’re targeting. Getting tailored advice early can be a smart move, especially if your growth plan involves expanding into European markets.
Key Takeaways
- If you’re asking which law “transposes” the GDPR into UK law, the practical answer is that GDPR now applies in the UK mainly through the UK GDPR (GDPR as retained and amended for the UK), supported and supplemented by the Data Protection Act 2018.
- UK GDPR sets out the core data protection rules for UK businesses, including lawful bases, transparency, security, accountability, and individual rights.
- The Data Protection Act 2018 adds important UK-specific detail (including special category data rules and certain exemptions) that can affect how you handle compliance in practice.
- Many small businesses also need to comply with PECR for email marketing, SMS, cookies, and other electronic communications activities.
- Practical compliance usually means mapping your data, having a clear Privacy Policy, using proper supplier contracts (like DPAs), improving security, and preparing for access requests and breaches.
- If you sell into Europe or target EU customers, you may need to consider whether EU GDPR applies as well as UK GDPR.
If you’d like help getting your business GDPR-ready - whether that’s your Privacy Policy, data processing terms, or putting the right internal documents in place - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.