TrustYourWebsite

Website Rules in the United Kingdom

UK websites operate under the UK GDPR and PECR. The ICO enforces privacy rules with fines up to £17.5 million. Companies House registration must be displayed.

Data protection authority: Information Commissioner's Office (ICO)


Specific requirements for United Kingdom

Companies House number

UK limited companies must display their company registration number, registered office address, and place of registration on their website.

UK GDPR

The UK retained GDPR after Brexit as UK GDPR. Requirements are mostly the same as EU GDPR, but the supervisory authority is the ICO, not an EU DPA.

PECR (cookies and email)

The Privacy and Electronic Communications Regulations govern cookies and electronic marketing. Fines can reach up to £500,000 (separate from UK GDPR fines).

Accessibility

Public sector websites must meet WCAG 2.1 AA. The EAA does not apply in the UK post-Brexit, but the Equality Act 2010 requires reasonable adjustments for disabled users.

Enforcement in United Kingdom

The ICO fined British Airways £20 million for a 2018 data breach affecting 400,000 customers. For smaller organisations, the ICO has issued enforcement notices to businesses failing to respond to subject access requests within the 30-day deadline, with penalties starting at £500 for repeat offenders.


UK data protection in 2026, three laws that matter

The UK has three active instruments that govern personal data on websites. Knowing which applies saves time when something goes wrong.

The UK GDPR. This is the retained EU GDPR as it stood at the end of the Brexit transition, amended since. The substance is identical to the EU version for most website operations. If you're compliant with EU GDPR, you're 95% of the way there.

The Data Protection Act 2018. Fills in the national bits: age of consent for online services, law enforcement processing, immigration exemptions. Most of it doesn't touch a typical Irish business selling into Britain.

The Data (Use and Access) Act 2025. Passed after the Data Protection and Digital Information Bill collapsed in 2024. It relaxes some record-keeping duties and clarifies lawful bases for research and public interest processing. Critically for website operators, it did not remove the cookie consent requirement. UK cookie rules still live in PECR.

The UK supervisory authority is the Information Commissioner's Office (ICO). John Edwards has been Commissioner since January 2022. The ICO website at ico.org.uk publishes every monetary penalty notice, every enforcement notice, every reprimand.

PECR, the UK cookie regime that survives data reform

Privacy and Electronic Communications Regulations 2003, usually just PECR, is where UK cookie law lives. Regulation 6 is the one to bookmark. It requires clear and comprehensive information about any cookie placed on a user's device and consent for non-essential cookies.

The ICO guidance from 2019, reconfirmed in 2023, mirrors the EDPB line. No pre-ticked boxes. Reject must be as prominent as accept. No cookie walls unless the site has a genuine paid alternative. Analytics cookies need consent.
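As an added illustration, not code from TrustYourWebsite or the ICO, the following script turns the four guidance points above into a check a site operator can run against a banner configuration, plus a consent gate that refuses to drop a non-essential cookie unless an explicit opt-in for its category has been recorded. The config shape, the category names, the numeric "prominence" field and the `jar` object standing in for `document.cookie` are assumptions made for this example.

```javascript
// Added example: audit a cookie-banner config against the ICO/PECR points
// (no pre-ticked boxes, reject as prominent as accept, no cookie wall without
// a paid alternative, analytics needs consent) and gate cookie writes on
// recorded consent. Config shape and names are assumptions for this example.

const ESSENTIAL = "essential"; // the only category exempt from consent

// Assumed config shape (constructed for the example):
// {
//   categories: { essential: {}, analytics: { defaultOn: false, exemptFromConsent: false } },
//   controls:   { accept: { prominence: 2 }, reject: { prominence: 2 } },
//   blocksSiteWithoutConsent: false,
//   paidAlternative: false,
// }
function auditBanner(config) {
  const issues = [];
  for (const [name, cat] of Object.entries(config.categories)) {
    if (name === ESSENTIAL) continue;
    // Pre-ticked boxes are not valid consent.
    if (cat.defaultOn) issues.push(`category "${name}" is pre-ticked`);
    // Analytics (or any other non-essential category) cannot be consent-exempt.
    if (cat.exemptFromConsent) issues.push(`category "${name}" is wrongly exempt from consent`);
  }
  const { accept, reject } = config.controls;
  if (!reject) {
    issues.push("no reject control offered");
  } else if (reject.prominence < accept.prominence) {
    issues.push("reject is less prominent than accept");
  }
  // A cookie wall is only acceptable with a genuine paid alternative.
  if (config.blocksSiteWithoutConsent && !config.paidAlternative) {
    issues.push("cookie wall without a paid alternative");
  }
  return issues;
}

// Initial consent state: everything except essential starts off.
function defaultConsent(config) {
  const consent = {};
  for (const name of Object.keys(config.categories)) {
    consent[name] = name === ESSENTIAL;
  }
  return consent;
}

// Record the user's choice; only an explicit `true` opts a category in,
// so a missing or malformed choice is treated as a refusal.
function recordConsent(config, choices) {
  const consent = defaultConsent(config);
  for (const name of Object.keys(consent)) {
    if (name !== ESSENTIAL) consent[name] = choices[name] === true;
  }
  return consent;
}

// Write a cookie only if its category has consent. `jar` stands in for
// document.cookie so the example runs outside a browser. Unknown categories
// fail closed.
function setCookie(jar, consent, name, value, category) {
  if (consent[category] !== true) return false;
  jar[name] = value;
  return true;
}

module.exports = { auditBanner, defaultConsent, recordConsent, setCookie };
```

In a real deployment the consent object would be persisted (for example in a first-party cookie that is itself essential) and re-read on every page load before any tag manager or analytics snippet runs; the audit function is the kind of check that belongs in a pre-release test rather than in the page itself.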

The ICO has been publicly sharper than some EU regulators on cookie banners. In November 2023 the ICO warned the top 100 UK websites that their banners were non-compliant. In 2024 it followed up with commitments from most of those sites to redesign. The ICO publishes the list of companies that refused to comply.

For an Irish business with UK customers, the practical rule is simple. If your cookie banner complies with Irish DPC guidance, it complies with ICO PECR. The inverse isn't always true because the ICO has accepted some formulations on analytics cookies that the DPC treats more cautiously.

UK-EU adequacy and what it means for Irish data flows

The European Commission granted the UK adequacy status on 28 June 2021, under GDPR Article 45. That means personal data can flow from Ireland to the UK without Standard Contractual Clauses, Binding Corporate Rules, or any other Article 46 safeguard.

The 2021 decision had a four-year sunset. It was renewed in late 2025 for a further period, conditional on the UK maintaining broadly equivalent standards. The Data (Use and Access) Act 2025 survived this review without triggering a loss of adequacy.

For Irish businesses this means three things. You can use UK-based hosting, CRM, analytics or payment processors without extra transfer paperwork. Your UK customers' data still counts as personal data protected by the UK GDPR on the UK side, the EU GDPR on the Irish side. Contracts still need to name the right controller and processor under each regime.

If adequacy is ever lost, the fallback is Standard Contractual Clauses approved by the Commission. You'd need to renegotiate contracts with every UK processor. It's a real risk but not immediate.

For a full UK compliance check use our free scanner. For country-specific guidance on France see our France page.

Check your website for United Kingdom requirements

Our scanner checks for United Kingdom-specific requirements automatically.
