GOV.UK Frontend (formerly GOV.UK Toolkit) is the official open-source design system and component library published by the UK Government Digital Service. It provides accessible, standards-compliant UI components for building government digital services. As an open-source framework, it is not itself a data processor. GDPR and UK GDPR obligations arise from the service built with it and the data it processes.
GOV.UK Frontend (formerly GOV.UK Toolkit) is the official open-source design system, component library, and front-end framework published by the UK Government Digital Service (GDS). It provides accessible, standards-compliant UI components, CSS, JavaScript, and Nunjucks templates for building consistent government digital services. It is used across UK government departments and agencies to build services on GOV.UK and other government platforms. As an open-source framework, it is not itself a data processor.
Government digital services built with GOV.UK Frontend are subject to UK GDPR and the Data Protection Act 2018. UK GDPR is the retained version of EU GDPR that applies in the UK post-Brexit. Government services processing personal data must comply with the same core principles as GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
GOV.UK Frontend itself does not set cookies. However, government services built with it commonly integrate analytics (Google Analytics), session management, and authentication systems that do set cookies. The UK PECR (Privacy and Electronic Communications Regulations) requires consent for non-essential cookies, equivalent to the EU ePrivacy Directive. GDS provides cookie consent guidance and the GOV.UK Consent cookie component for implementing compliant cookie notices.
Most government digital services built with GOV.UK Frontend process significant personal data and require DPIAs. UK government DPIAs are conducted under ICO guidance and follow the same framework as GDPR Article 35. Services processing health data, benefits data, or criminal records data have mandatory DPIA requirements.
Implement the GOV.UK cookie consent pattern. Publish a service-specific privacy notice. Conduct a DPIA for services processing personal data at scale. Register processing with the ICO. Self-host GOV.UK Frontend assets rather than using public CDNs. Apply GDS accessibility and security standards.
Websites using GOV.UK Frontend must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for GOV.UK Frontend itself. DPIAs are commonly required for government digital services built with it, given that many government services process sensitive personal data at large scale.
Sample consent text
This service is built using GOV.UK Frontend components. Cookies and data collection on this service are described in our privacy notice.
Third-party domains contacted
design-system.service.gov.uk
frontend.design-system.service.gov.uk
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| govuk_session | session | Session | Strictly necessary session cookie for authenticated government service users — set by service, not framework |
No, the framework itself is not. GDPR and UK GDPR apply to the government services built with GOV.UK Frontend and the personal data they process.
No. GOV.UK Frontend does not set any cookies. Analytics, session management, and other cookie-setting functionality in government services is added by the service developers, not by the framework.
UK GDPR and the Data Protection Act 2018 apply to UK government services. The Privacy and Electronic Communications Regulations (PECR) apply to cookies. Services may also be subject to sector-specific regulations depending on the type of government service.
Not for the framework itself, but almost certainly yes for the service. Most government digital services process personal data at scale, with many processing sensitive data (health, benefits, immigration) that mandates a DPIA under UK GDPR Article 35.
Use the GOV.UK Cookie Consent component provided by GDS. Follow GDS cookie guidance for categorising and managing cookies. Implement the GOV.UK cookie banner pattern. Self-host all analytics scripts to control data flows.
Yes. GOV.UK Frontend is open-source and can be used by any organisation. However, it is primarily designed for UK government accessibility and design standards. Non-UK organisations using it must comply with their applicable data protection regulations (EU GDPR for EU services, not just UK GDPR).
Self-host GOV.UK Frontend assets on your own infrastructure rather than loading from public CDNs. The UK government's own CDN infrastructure is available for departments. Loading from public CDNs causes third-party IP logging that creates unnecessary data processing.
No, the framework does not need to be mentioned. Your service's privacy notice should describe the personal data the service processes, the legal basis (typically public task for government services), retention periods, data subject rights, and any third-party processors such as analytics providers.