United Kingdom General Data Protection Regulation
The UK GDPR is the United Kingdom's core data protection law, mirroring the EU GDPR but enforced by the ICO and paired with the Data Protection Act 2018. It governs how organizations process personal data of people in the UK and grants individuals strong rights over their data.
The United Kingdom General Data Protection Regulation (UK GDPR) is the UK's data protection law that took effect at the end of the Brexit transition period. It is the EU GDPR as retained in UK domestic law and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. It works alongside the Data Protection Act 2018 (DPA 2018). Together they form the core of the UK data protection regime.
The UK GDPR preserves the substance of the EU GDPR. It keeps the same principles, the same individual rights, and the same accountability obligations. The main differences are institutional: the UK Information Commissioner's Office (ICO) is the supervisory authority instead of EU bodies, and references to EU institutions are replaced with UK equivalents. The Secretary of State holds adequacy and rule-making powers that the European Commission holds under the EU regime.
Who It Applies To
The UK GDPR applies to controllers and processors established in the UK that process personal data. It also applies to organizations outside the UK that offer goods or services to individuals in the UK, or that monitor the behavior of individuals in the UK. It covers personal data processed by automated means and personal data held in structured filing systems. Purely personal or household activity is out of scope.
Key Requirements
Processing must satisfy the seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Each processing activity needs a lawful basis, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests. Special category data needs an additional condition.
Individuals have rights to be informed, of access, to rectification, to erasure, to restriction, to data portability, to object, and rights related to automated decision-making. Organizations must respond to most requests within one month. Controllers must keep records of processing activities, run data protection impact assessments for high-risk processing, apply data protection by design and by default, and appoint a Data Protection Officer where required. Personal data breaches that pose a risk must be reported to the ICO within 72 hours.
Transfers of personal data outside the UK require an adequacy decision, appropriate safeguards such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or a specific exception.
Penalties for Non-Compliance
The ICO can impose two tiers of fines. The standard maximum is GBP 8.7 million or 2 percent of worldwide annual turnover, whichever is higher. The higher maximum is GBP 17.5 million or 4 percent of worldwide annual turnover. The ICO can also issue enforcement notices, assessment notices, and reprimands, and can order organizations to stop processing.
How to Comply
Maintain a data inventory and records of processing. Document a lawful basis for each activity and write clear privacy notices. Build processes to handle data subject requests within statutory deadlines. Run DPIAs for high-risk processing and apply privacy by design. Put a breach response plan in place to meet the 72-hour deadline. Review international transfer mechanisms and use the IDTA or SCC Addendum where needed. Train staff and assign clear accountability, including a DPO where mandated.