UK GDPR is the data protection law that applies in the United Kingdom following Brexit. It sits alongside the Data Protection Act 2018 and, together, they set out how organisations may collect, use, store, and share personal data about individuals.
UK GDPR is enforced by the Information Commissioner’s Office (ICO). Penalties for serious breaches can reach 4% of global annual turnover or £17.5 million, whichever is higher.
How UK GDPR differs from EU GDPR
In practice, the two are still very similar. UK GDPR is essentially a domestic version of EU GDPR, with minor divergences. The biggest differences:
- Separate regulator: the ICO, not the European Data Protection Board
- Adequacy: the EU currently recognises the UK as providing adequate protection, so data can flow freely between the UK and EU (this is reviewed periodically)
- Minor domestic tweaks: around criminal-offence data, immigration enforcement, and national security
Most businesses that were compliant with EU GDPR before Brexit remain compliant with UK GDPR after Brexit, with only minor adjustments to documentation.
The six lawful bases for processing personal data
You can only process personal data if you have a lawful basis. The six options are:
- Consent: the person has said yes
- Contract: processing is necessary to deliver a contract
- Legal obligation: processing is required by UK law
- Vital interests: processing is needed to protect someone’s life
- Public task: processing is part of a task in the public interest
- Legitimate interests: your interests (or a third party’s), balanced against the person’s rights
The eight individual rights
People have specific rights under UK GDPR, and businesses must respond to valid requests within one calendar month:
- The right to be informed
- The right of access (Subject Access Request)
- The right to rectification
- The right to erasure (“right to be forgotten”)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making
Breach notification
If you experience a personal data breach that’s likely to result in a risk to individuals, you must notify the ICO within 72 hours. If the risk to individuals is high, you must also notify the affected individuals without undue delay.
How we help
Our cyber security service puts in place the technical and organisational measures UK GDPR requires: access control, encryption, audit logging, backup, and incident response. For sector-specific work, see the compliance notes on our law firms, accountants, and healthcare pages.