What is UK GDPR
UK GDPR (UK General Data Protection Regulation) is the data protection law that governs how organisations in the United Kingdom collect, use, and store personal data. It came into effect on 1 January 2021 following the UK's departure from the European Union, replacing EU GDPR as the operative framework in UK law. UK GDPR operates alongside the Data Protection Act 2018, which supplements and amends it. The legislation is enforced by the Information Commissioner's Office (ICO), an independent supervisory authority. Organisations that process personal data must comply with six data protection principles — including lawfulness, purpose limitation, data minimisation, and accountability — and must identify a lawful basis for each processing activity.
Full definition
UK GDPR is the United Kingdom's primary data protection regulation. It is a retained version of EU Regulation 2016/679 (the original GDPR), incorporated into UK domestic law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. It came into force on 1 January 2021 at the end of the Brexit transition period.
UK GDPR operates together with the Data Protection Act 2018 (DPA 2018). The DPA 2018 supplements UK GDPR by addressing areas where the regulation permits national derogations, covering law enforcement processing, intelligence services processing, and specific exemptions — for example, for journalism and academic research.
The Information Commissioner's Office (ICO) is the independent supervisory authority responsible for upholding information rights in the UK, including oversight of compliance with UK GDPR and the DPA 2018.
The legislation applies to any organisation — regardless of size or sector — that processes personal data relating to individuals in the UK, or that monitors the behaviour of individuals in the UK from overseas.
UK GDPR sets out six data protection principles. Personal data must be:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes (purpose limitation).
- Adequate, relevant, and limited to what is necessary (data minimisation).
- Accurate and, where necessary, kept up to date.
- Kept for no longer than is necessary (storage limitation).
- Processed with appropriate security (integrity and confidentiality).
The organisation responsible for processing is also required to demonstrate compliance with these principles — a requirement known as the accountability principle.
Why it matters (legal requirement and trust)
UK GDPR compliance is a legal obligation for any organisation that processes personal data. Failing to comply can result in enforcement action by the ICO, including fines of up to 17.5 million pounds or 4% of annual global turnover (whichever is higher) for the most serious infringements, and up to 8.7 million pounds or 2% of annual global turnover for other violations.
For trades businesses that collect customer contact details, process payment data, or retain job records and photographs, UK GDPR imposes direct obligations: a lawful basis must exist for each processing activity, privacy information must be provided to customers at the point of data collection, and data must be held securely and not longer than necessary.
The trust dimension is equally significant. Consumers are increasingly aware of their data rights, including the right to access their data, the right to erasure, and the right to object to certain processing. Businesses that handle data responsibly and communicate their practices clearly gain a reputational advantage over those that do not.
How compliance works
An organisation processing personal data under UK GDPR must:
- Identify a lawful basis: The six available lawful bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. The appropriate basis must be identified before processing begins.
- Provide a privacy notice: Individuals must be informed, at the time their data is collected, about who is processing it, why, and what rights they have.
- Maintain records of processing activities: Most organisations must keep internal records documenting what data they hold, why, where it is stored, and how long it is retained.
- Implement appropriate security measures: Technical and organisational measures must be proportionate to the risk.
- Respond to individual rights requests: Subject access requests, erasure requests, and objections must be handled within statutory timeframes (generally one calendar month).
- Register with the ICO: Most organisations that process personal data must pay the data protection fee to the ICO annually, which serves as the funding mechanism for the supervisory authority.
Difference from EU GDPR
| Dimension | UK GDPR | EU GDPR |
|---|---|---|
| Territory | United Kingdom | European Union member states |
| In force from | 1 January 2021 | 25 May 2018 |
| Supervisory authority | Information Commissioner's Office (ICO) | Lead supervisory authority in each EU member state |
| Maximum fine (upper tier) | 17.5 million pounds or 4% global turnover | 20 million euros or 4% global turnover |
| Legal instrument | Retained EU law, amended by UK statutory instruments | EU Regulation directly applicable in member states |
| Cross-border transfers | UK adequacy decisions govern transfers to third countries | EU Commission adequacy decisions govern transfers |
Related terms
Companies House, TrustMark, NICEIC.