top of page

UK GDPR

The UK General Data Protection Regulation (UK GDPR) is the UK’s post-Brexit version of the EU GDPR. It governs how organisations collect, use, store, and share personal data of individuals in the UK.

It works together with the Data Protection Act 2018, and is enforced by the Information Commissioner's Office (ICO).

 

1️⃣ Who Must Comply

UK GDPR applies to:

  • UK-based organisations processing personal data

  • Non-UK organisations offering goods/services to UK individuals

  • Non-UK organisations monitoring behaviour of people in the UK

Applies to controllers (decide why/how data is processed) and processors (process data on behalf of controllers).

 

2️⃣ What Data Is Covered

  • Personal data: Any information identifying a person (name, email, IP, device ID)

  • Special category data: Health, biometrics, ethnicity, religion, sexual orientation

  • Criminal offence data: Convictions, allegations (strict controls)

 

3️⃣ Core Principles (Article 5)

All processing must follow these 7 principles:

  1. Lawfulness, fairness & transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity & confidentiality (security)

  7. Accountability (you must prove compliance)

 

4️⃣ Lawful Bases for Processing (Article 6)

You must document one lawful basis per processing activity:

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

Special category data requires Article 9 conditions (e.g. explicit consent, employment law).

 

5️⃣ Rights of Individuals (Articles 12–23)

Individuals have enforceable rights, including:

  • Right to be informed

  • Right of access (DSAR)

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right to data portability

  • Right to object

  • Rights related to automated decision-making

⏱️ Deadline: Usually 30 days to respond.

 

6️⃣ Controller & Processor Obligations

Organisations must:

  • Maintain Records of Processing Activities (RoPA)

  • Implement Data Protection by Design & Default

  • Conduct DPIAs for high-risk processing

  • Apply appropriate technical & organisational security measures

  • Have incident & breach response procedures

  • Use UK-compliant Data Processing Agreements (DPAs)

 

7️⃣ Breach Management

  • Personal data breaches must be reported to the ICO within 72 hours

  • Affected individuals must be notified if there is high risk to their rights

  • Breach logs must be maintained even if not reported

 

8️⃣ International Transfers

Transfers outside the UK require safeguards such as:

  • UK IDTA

  • UK Addendum to EU SCCs

  • Transfer Risk Assessments (TRAs)

Two tiers of fines:

  • Up to £8.7m or 2% of global turnover (lower-tier violations)

  • Up to £17.5m or 4% of global turnover (serious violations)

Additional consequences:

  • ICO audits

  • Enforcement notices

  • Civil claims by individuals

  • Reputational damage

bottom of page