
Who does GDPR apply to? Scope and enforcement in the UK

by Mark McShane, May 12, 2026


A clear guide to who must comply with UK GDPR — including UK and overseas organisations, charities, sole traders, the household exemption, and how the ICO enforces the rules.

GDPR applies to almost every UK organisation that handles information about people. The exceptions are narrow, the territorial reach is wide, and the size of the organisation is mostly irrelevant. If you have employees, customers, or website visitors, the regulation is in scope.

This guide covers who must comply, the territorial rules that pull in overseas organisations, the household exemption that protects strictly personal use, and the regulator's role in enforcing the rules.

The short answer

UK GDPR applies to any organisation that processes the personal data of identifiable people, with two main exceptions: purely personal or domestic activity, and processing that falls outside UK jurisdiction.

In practice, that captures:

  • All UK businesses, charities, partnerships, sole traders, and public bodies that handle personal data — which is nearly all of them.
  • Overseas organisations that offer goods or services to people in the UK, or that monitor the behaviour of people in the UK.

The Information Commissioner's Office is the UK regulator, and under the Data (Use and Access) Act 2025 the regulator is being renamed the Information Commission.

Organisations established in the UK

Article 3(1) of the UK GDPR is the primary scope rule for domestic organisations. It applies to processing carried out in the context of the activities of an establishment in the UK, regardless of where the processing itself takes place.

"Establishment" is interpreted broadly. It includes registered companies, partnerships, LLPs, charities, sole traders trading under a business name, public bodies, and unincorporated associations. The processing might be carried out by a server in Ireland or a cloud provider in the United States — what matters is whether the processing is connected to the activities of a UK establishment.

There is no minimum threshold. A sole trader running a one-person consultancy has the same obligations under UK GDPR as a multinational, even if the specific requirements scale with the risk and scope of the processing.

Organisations outside the UK selling into the UK

[Figure: UK GDPR territorial scope diagram — UK, EEA, third countries]

Article 3(2) extends UK GDPR to overseas organisations in two situations: when they offer goods or services to people in the UK, and when they monitor the behaviour of people in the UK.

Offering goods or services is a question of intent rather than technical reach. A website that happens to be accessible from the UK isn't necessarily within scope. Indicators of targeting include accepting payment in sterling, offering UK delivery, using a UK domain (.co.uk), providing English-language content focused on UK customers, or running marketing aimed at UK audiences. Recital 23 of the regulation sets out these signals.

Monitoring behaviour typically captures tracking, profiling, or analytics directed at UK users. A US company that tracks UK visitors' browsing behaviour through cookies, builds profiles for targeted advertising, or uses fingerprinting to understand visitor behaviour is monitoring within the meaning of Article 3(2), even if it never accepts a payment from a UK customer.

Overseas organisations within scope of UK GDPR must comply with the full regulation. That includes the requirement to appoint a UK representative under Article 27 if they have no establishment in the UK. The representative acts as the local point of contact for individuals and the ICO. It is a role that carries personal liability, and the appointment must be made in writing.

The household exemption

UK GDPR does not apply to processing carried out "by a natural person in the course of a purely personal or household activity". The exemption sits in Article 2(2)(c) and is sometimes shorthanded as the "household exemption".

The exemption covers genuinely personal use: a private address book, family photos, a personal diary, a list of birthdays. It also covers domestic CCTV that records only the homeowner's own property.

The exemption is narrow and fact-specific. It falls away as soon as the processing has a professional or commercial purpose, or as soon as it goes beyond the strictly domestic context. A few examples that don't qualify:

  • A homeowner's CCTV that captures the neighbour's garden or the public street, as confirmed in Fairhurst v Woodard (Oxford County Court, 2021).
  • A personal social media account that publishes other people's photos or information to a wide audience.
  • A community group's membership list — even a small, informal one — once it goes beyond a single person's notebook.
  • Any processing connected to a side business, even if small or unincorporated.

For homeowners with cameras, see our CCTV guide for the detailed application of the household exemption.

Small businesses, charities, and sole traders

There is no GDPR exemption for small businesses, charities, or sole traders. All three are within scope as soon as they process personal data, which is essentially as soon as they have a customer list, employees, donors, or a website that collects information.

What does scale with size is how the regulation applies. Several specific obligations carry narrow exemptions or proportionality:

  • Record of Processing Activities (ROPA) — organisations with fewer than 250 employees have a narrow exemption under Article 30(5), but the exemption rarely applies in practice because it requires processing to be occasional, low-risk, and free of special category data.
  • Data Protection Officer — only specific kinds of organisation are required to appoint a DPO under Article 37, mostly public authorities and those carrying out large-scale or systematic monitoring or special category data processing.
  • Data protection impact assessments — only required for high-risk processing.

But the core obligations — having a lawful basis, being transparent, responding to subject access requests within a month, reporting notifiable breaches within 72 hours, applying the principles — apply equally to a five-person business and to a five-thousand-person enterprise.

Charities are within scope. Fundraising activity, donor management, beneficiary records, and supporter communications all involve personal data and all attract GDPR obligations. The ICO has issued guidance specifically for the charity sector and has taken enforcement action against charities — most recently the £750,000 fine against the YMCA in 2024 over a fundraising data breach.

Sole traders are within scope. A self-employed plumber holding customer contact details on a phone is a controller of personal data. They need a lawful basis, they need to be transparent, and they need to be able to respond to subject access requests. The data protection fee — paid to the ICO — applies unless an exemption is available.

The ICO and its enforcement role

The Information Commissioner's Office is the UK supervisory authority responsible for regulating data protection law, including UK GDPR, the Data Protection Act 2018, and PECR. It investigates complaints from individuals, audits organisations, issues enforcement notices and reprimands, takes prosecutions, and imposes fines.

The Data (Use and Access) Act 2025 reforms the regulator. The Information Commissioner's Office is being renamed the Information Commission, with a new corporate structure: a board, a chair, and a chief executive, replacing the single Commissioner model. The substantive enforcement powers carry over.

The regulator's recent enforcement pattern is worth flagging. In 2024 the ICO issued 18 fines totalling £2.7 million across the full year. In the first half of 2025 alone it issued six fines worth £5.6 million — already double the 2024 total. The four largest UK GDPR fines ever imposed all landed in 2025, each against a private-sector organisation following a cyber attack. Public-sector organisations more often receive reprimands rather than fines, reflecting a policy the ICO announced in 2022 of using lower financial penalties against public bodies.

For the full picture of enforcement trends and fine sizes, see our GDPR fines guide.

How to check if GDPR applies to you

[Figure: UK GDPR scope decision flowchart]

A practical sequence:

  1. Do you handle personal data? Personal data is any information that relates to an identified or identifiable living person. Names, emails, phone numbers, online identifiers, CCTV images, IP addresses — all personal data. If your answer is no, you're outside scope. For nearly every organisation, the answer is yes. See our personal data guide for the detail.
  2. Are you established in the UK, or do you target people in the UK? UK establishment brings you in under Article 3(1). Targeting UK residents — through goods, services, or behavioural monitoring — brings you in under Article 3(2) even from overseas.
  3. Is the processing purely personal or household? If yes, the household exemption applies. If the processing has any commercial, professional, or wider-than-household purpose, the exemption is lost.
  4. If GDPR applies, what role are you in for each activity? Most organisations are controllers for most things, processors for some. The two roles carry different obligations under Article 24 and Article 28 respectively. See our controller vs processor guide for how to determine your role.
  5. Have you paid the ICO's data protection fee? Most UK controllers must pay an annual fee to the ICO unless an exemption applies. The amount depends on the size of the organisation. Failure to pay is itself an enforcement risk separate from GDPR compliance.

If you're in scope, the next step is understanding what UK GDPR actually requires of you. Our hub guide and seven principles guide are the starting points.

Frequently asked questions

Does GDPR apply to small businesses?

Yes. UK GDPR applies regardless of size. Some specific obligations — like keeping a ROPA — have a narrow carve-out for organisations with fewer than 250 employees, but the carve-out rarely applies in practice.

Does GDPR apply to charities?

Yes. Charities process personal data (donors, beneficiaries, supporters, volunteers) and are within scope. The ICO has taken enforcement action against charities, including a £750,000 fine in 2024.

Does GDPR apply to sole traders?

Yes. A self-employed individual handling customer or client information is a controller of personal data and must comply with UK GDPR. They usually also need to pay the ICO's data protection fee.

Does GDPR apply to US companies with UK customers?

Yes, if the US company offers goods or services to people in the UK, or monitors their behaviour. The company is within UK GDPR scope under Article 3(2) and must usually appoint a UK representative under Article 27.

Who enforces GDPR in the UK?

The Information Commissioner's Office (ICO). Under the Data (Use and Access) Act 2025, the regulator is being renamed the Information Commission.

Is GDPR the same as the Data Protection Act?

No, but the two work together. UK GDPR provides the core rules; the Data Protection Act 2018 supplements them with UK-specific provisions and exemptions. They are separate pieces of legislation.
