UK GDPR
Rules & Regulations

The UK General Data Protection Regulation (UK GDPR) is the UK’s version of the EU GDPR, retained post-Brexit and enforced by the Information Commissioner's Office (ICO).


It governs how personal data is collected, used, stored, shared, and protected in the UK.

Below is a complete, structured breakdown you can use for policy writing, audits, product design, or a compliance assistant.

1️⃣ Scope — Who Must Comply

UK GDPR applies to:

  • UK-based organisations processing personal data

  • Non-UK organisations offering goods/services to UK residents or monitoring their behaviour

  • Controllers (decide why/how data is processed)

  • Processors (process data on behalf of controllers)

Applies to employees, customers, users, vendors, and website visitors.

2️⃣ Core Data Protection Principles (Article 5)

All processing must comply with these 7 principles:

  1. Lawfulness, fairness & transparency

  2. Purpose limitation (no reuse beyond stated purpose)

  3. Data minimisation (only what’s necessary)

  4. Accuracy (kept up to date)

  5. Storage limitation (retain only as long as needed)

  6. Integrity & confidentiality (security)

  7. Accountability (you must prove compliance)

Accountability is the enforcement backbone — documentation matters.

3️⃣ Lawful Bases for Processing (Article 6)

You must document at least one lawful basis per processing activity:

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests (with balancing test)

Lawful basis cannot be swapped later without justification.

4️⃣ Special Categories & Criminal Data (Articles 9–10)

Extra protections apply to:

  • Health data

  • Biometric data

  • Genetic data

  • Racial or ethnic origin

  • Political opinions

  • Religious beliefs

  • Sexual orientation

  • Criminal convictions

Requires:

  • Explicit consent or

  • A specific legal exemption and

  • Strong safeguards (DPIA + security controls)

5️⃣ Data Subject Rights (Articles 12–23)

Individuals have enforceable rights:

Right                Description                  Deadline
-------------------  ---------------------------  ----------------
Access               See their data               30 days
Rectification        Fix inaccurate data          30 days
Erasure              “Right to be forgotten”      30 days
Restriction          Pause processing             30 days
Portability          Machine-readable copy        30 days
Objection            Stop certain processing      Immediate review
Automated decisions  Human review                 On request

DSAR logs + workflows are mandatory evidence.

6️⃣ Controller & Processor Obligations (Chapter IV)

Controllers must:

  • Maintain Records of Processing Activities (RoPA) (Art. 30)

  • Implement privacy by design & default (Art. 25)

  • Perform DPIAs for high-risk processing

  • Ensure processors are compliant (Art. 28)

  • Maintain policies, training, and evidence

Processors must:

  • Act only on documented instructions

  • Maintain security controls

  • Support audits

  • Notify controllers of breaches

7️⃣ Security Requirements (Article 32)

You must implement appropriate technical & organisational measures, including:

  • Access controls (least privilege)

  • Encryption & pseudonymisation

  • Logging & monitoring

  • Vulnerability management

  • Backup & recovery testing

  • Incident response plan

“Appropriate” is judged based on risk, scale, and data sensitivity.

8️⃣ Breach Notification Rules (Articles 33–34)

  • Notify ICO within 72 hours of becoming aware

  • Notify individuals without undue delay if high risk

  • Maintain a breach register (even for non-reportable incidents)

Late reporting = automatic enforcement risk.

9️⃣ International Data Transfers

Transfers outside the UK require safeguards:

  • UK IDTA

  • UK Addendum to EU SCCs

  • Transfer Risk Assessment (TRA)

US transfers always require a TRA.

🔟 Documentation You Must Have (Audit-Critical)

Minimum defensible set:

  • Privacy Policy

  • Data Protection Policy

  • RoPA

  • DPIAs

  • Legitimate Interest Assessments (LIAs)

  • DSAR logs

  • Breach logs

  • Vendor DPAs

  • Security policies

  • Training records

No documents = automatic accountability failure.

1️⃣1️⃣ Penalties & Enforcement

Violation Type                                Maximum Penalty
--------------------------------------------  ------------------------------
Lower-tier (records, security)                £8.7M or 2% global turnover
Higher-tier (principles, rights, transfers)   £17.5M or 4% global turnover
Criminal offences (DPA 2018)                  Fines + personal liability

1️⃣2️⃣ UK GDPR vs EU GDPR (Quick Note)

  • Substantively almost identical

  • Separate regulator (ICO vs EU DPAs)

  • Separate transfer mechanism (IDTA vs SCCs)

  • UK enforcement is evidence-driven