Last reviewed: 2026-05-04 · Reviewer: M.K., CIPP/E
UK GDPR · Information Commissioner's Office

REGULATION · NATIONAL · IN FORCE SINCE 2021

United Kingdom General Data Protection Regulation + Data Protection Act 2018

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

Official text: EUR-Lex · Reviewed 2026-05-05 · Free reference, sources cited

Scope and territorial reach

Where it applies: 1 jurisdiction (the United Kingdom)

Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

1. Lawfulness, fairness, transparency (Art 5(1)(a)): Process data on a clear legal basis, fairly, and tell users what you do.

2. Purpose limitation (Art 5(1)(b)): Collect data for specified, explicit purposes — don't repurpose later.

3. Data minimisation (Art 5(1)(c)): Only collect what's adequate, relevant, and necessary for the purpose.

4. Accuracy (Art 5(1)(d)): Keep data accurate and up to date; correct or erase inaccurate data without delay.

5. Storage limitation (Art 5(1)(e)): Keep data only as long as necessary; define and document retention periods.

6. Integrity & confidentiality (Art 5(1)(f)): Protect data against unauthorised access, loss, or destruction (security).

7. Accountability (Art 5(2)): Demonstrate compliance — document everything (ROPA, DPIA, policies). The ICO Accountability Framework gives a UK-specific checklist.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

Art 6(1)(a) Consent: The user explicitly opts in (freely given, specific, informed, unambiguous).
Common for: Analytics, marketing cookies, newsletters

Art 6(1)(b) Contract: Necessary to perform a contract with the user.
Common for: Account creation, order processing

Art 6(1)(c) Legal obligation: Required by UK law (HMRC retention, AML, UK GDPR itself).
Common for: Invoice retention, KYC

Art 6(1)(d) Vital interests: Necessary to protect someone's life.
Common for: Medical emergencies (rare for web)

Art 6(1)(e) Public task: Performing a task in the public interest or in the exercise of official authority; most relevant for UK public bodies.
Common for: Government services, NHS, public health

Art 6(1)(f) Legitimate interest: Applies only where your interest is not overridden by the user's rights and freedoms; requires a documented legitimate interests assessment (LIA). The ICO publishes a three-part-test template (purpose / necessity / balancing).
Common for: Fraud prevention, basic security logging, B2B marketing under PECR

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Right | Article | Response | Scope
Right to be informed | Art 13–14 | At collection | Privacy notice must be transparent.
Right of access | Art 15 | 30 days | User can request a copy of all their data (DSAR). The ICO has a dedicated DSAR guidance suite.
Right to rectification | Art 16 | 30 days | Correct inaccurate or incomplete data.
Right to erasure | Art 17 | 30 days | "Right to be forgotten" — deletion under specific conditions.
Right to restrict processing | Art 18 | 30 days | Pause processing while disputes are resolved.
Right to data portability | Art 20 | 30 days | Receive data in a machine-readable format and transfer it to another controller.
Right to object | Art 21 | 30 days | Object to processing (esp. direct marketing — an absolute right; PECR also applies to electronic marketing).
Rights re automated decisions | Art 22 | 30 days | Not to be subject to solely automated decisions with legal effect (DPA 2018 s.14 supplements the safeguards).

Fines & enforcement

Maximum administrative penalty: €20.3M or 4% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

1. 2020-10 · €23.0M · British Airways · ICO · UK · Art 5(1)(f), Art 32
   2018 Magecart-style breach exposing card data of ~400k customers. Originally proposed at £183M, reduced to £20M reflecting Covid-19 impact and remediation. The breach pre-dates UK GDPR, but the penalty was settled in the UK GDPR era.

2. 2020-10 · €21.1M · Marriott International · ICO · UK · Art 5(1)(f), Art 32
   Starwood reservation database breach (2014–2018) exposing 339M records. Originally proposed at £99M, reduced reflecting Covid-19 impact and the fact that the breach was inherited from the Starwood era.

3. 2023-04 · €14.5M · TikTok Information Technologies UK · ICO · UK · Art 5(1)(a), 8, 12, 13
   Children under 13 used the platform without parental consent (~1M UK minors). Failure to provide age-appropriate transparency. Largest ICO-issued UK GDPR fine to date for children's data.

4. 2022-05 · €8.8M · Clearview AI · ICO · UK · Art 5(1)(a), 6, 9, 14, 15, 17
   Scraping of 20bn+ facial images from the public web for a biometric database, with no lawful basis for UK residents. Order to delete UK data. Clearview successfully appealed on jurisdiction at the First-tier Tribunal in Oct 2023; the ICO won a partial reversal at the Upper Tribunal in 2024 — case ongoing.

5. 2022-11 · €5.0M · Interserve Group · ICO · UK · Art 5(1)(f), 32
   May 2020 phishing-led breach exposing HR data of 113k employees. Outdated systems, weak access controls, insufficient training.

6. 2024-12 · €3.7M · Advanced Computer Software Group · ICO · UK · Art 5(1)(f), 32
   2022 LockBit ransomware attack on an NHS 111 supplier, disrupting services; failure to enforce MFA on key health-data systems. Provisionally £6M, reduced after voluntary cooperation.

7. 2025-06 · €2.7M · 23andMe Inc. · ICO · UK · Art 5(1)(f), 32
   October 2023 credential-stuffing breach exposing genetic and ancestry data of ~155k UK users. Joint ICO investigation with the Office of the Privacy Commissioner of Canada. Penalty issued after the company's Chapter 11 filing.

8. 2024-06 · €880k · Police Service of Northern Ireland · ICO · UK · Art 5(1)(f), 32
   August 2023 spreadsheet data leak exposing the surnames, ranks and locations of all 9,483 PSNI officers and staff in NI's volatile security context. Reduced from a provisional £5.6M reflecting the ICO's public-sector enforcement approach.

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National add-ons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

Country | National act | Stricter than GDPR baseline? | Note
🇬🇧 UK | Data Protection Act 2018 (UK-DPA; DPA 2018, c.12) | Stricter | Implementing statute. Schedule 1 sets conditions for special-category processing; Part 3 covers law-enforcement processing; Part 4 covers intelligence services. Adds UK-specific exemptions (e.g. the immigration exemption, partly struck down by the Court of Appeal in R (Open Rights Group) v SSHD 2023).
🇬🇧 UK | PECR 2003 (UK-PECR; Privacy and Electronic Communications (EC Directive) Regulations 2003) | Stricter | UK's ePrivacy implementation. Reg 6 — strict opt-in for cookies/local storage that aren't strictly necessary. Reg 22 — opt-in for electronic marketing. ICO's most active enforcement vector — most £-fines in the last 5 years are PECR, not UK GDPR.
🇬🇧 UK | Age-Appropriate Design Code (UK-AADC; Children's Code, statutory under DPA 2018 s.123) | Stricter | 15 standards for online services likely to be accessed by children. In force 2 Sep 2021. Drove the TikTok £12.7M fine and prompted Instagram, YouTube and Google to redesign minor-facing flows globally.
🇬🇧 UK | ICO statutory codes (UK-CODES; DPA 2018 ss.121–125) | Aligned | Direct Marketing Code, Data Sharing Code, Employment Practices guidance. Statutory codes must be considered by courts/tribunals — non-binding but heavily persuasive.
🇬🇧 UK | Data (Use and Access) Act 2025 (UK-DUAA; DUA Act 2025) | Aligned | Royal Assent 19 Jun 2025. Successor to the abandoned DPDI Bill. Reforms ICO governance (becomes the Information Commission), narrows DSAR thresholds, adds a 'recognised legitimate interests' list, eases cookie rules for low-risk analytics, broadens automated-decision permissions. Most provisions phasing in 2025–2026 via commencement regulations.


Common questions

Is UK GDPR the same as EU GDPR?
Substantially yes — UK GDPR is retained EU law (SI 2019/419) with technical amendments to make references work in UK law (e.g. 'Member State' → 'United Kingdom', 'Commission' → 'Secretary of State'). Substantive obligations on businesses are nearly identical. Real differences sit in: regulator (ICO only, not 30 DPAs), max fine in £ (£17.5M vs €20M), national supplements (DPA 2018, PECR), transfer mechanism (UK IDTA / UK Addendum), and post-2025 reform via the Data (Use and Access) Act.
Do I still need to comply with EU GDPR after Brexit?
If you offer goods/services to EU/EEA residents or monitor their behaviour, yes — EU GDPR Art 3(2) extraterritorial scope still binds you. Most UK businesses with EU customers must comply with both regimes simultaneously and may need to appoint an EU representative under EU GDPR Art 27. Likewise, EU businesses targeting UK residents need a UK representative.
What does the UK Extension to DPF do?
The UK Extension to the EU-US Data Privacy Framework (effective 12 October 2023, via the UK adequacy regulations 2023) lets UK organisations transfer personal data to US recipients certified under the DPF without needing a UK IDTA, UK Addendum, BCRs, or a Transfer Risk Assessment. Coverage is identical to the EU DPF: only DPF-certified entities benefit; non-certified US recipients still need IDTA + TRA.
Do I need a UK representative?
Required under UK GDPR Art 27 if you're a non-UK controller/processor whose processing relates to (a) offering goods/services to people in the UK, or (b) monitoring UK residents' behaviour. Exceptions: occasional processing, no large-scale special-category data, low risk to rights. The representative must be UK-established and act as a contact for data subjects and the ICO.
What's the UK adequacy decision status?
The European Commission adopted UK adequacy in June 2021 with a 4-year sunset clause. The decisions were originally due to expire on 27 June 2025; the Commission proposed and adopted an extension through 27 December 2025, then a renewed adequacy decision on 19 December 2025 valid for a further 6 years (subject to ongoing monitoring). EU→UK transfers therefore continue to flow without SCCs or supplementary measures. Watch for any 'no material change' triggers tied to DUA Act commencement.
What happened to the DPDI Bill — and what is the DUA Act 2025?
The Data Protection and Digital Information Bill (DPDI) was dropped at the July 2024 dissolution of Parliament. The Labour government replaced it with the Data (Use and Access) Bill, which received Royal Assent on 19 June 2025 as the Data (Use and Access) Act 2025 ('DUA Act'). It reforms — but does not replace — UK GDPR: rebrands ICO as the Information Commission with a board structure, creates a 'recognised legitimate interests' list, narrows DSAR scope (vexatious-or-excessive threshold lowered), eases cookie rules for low-risk first-party analytics, expands automated-decision permissions, and enables 'smart data' schemes. Most provisions phase in via commencement regulations through 2025–2026.
Do ICO and EDPB take different positions?
Increasingly, yes. The ICO is generally more pragmatic and risk-based: faster to issue reprimands instead of fines (especially in the public sector), more permissive on legitimate interest in the online-advertising context (subject to PECR cookie rules), and softer in its post-Schrems II posture before the DPF. The ICO and EDPB are not bound to align — UK law diverges incrementally. For multinationals, plan to the stricter regulator on each issue.
Are ICO codes of practice binding?
Statutory codes (Direct Marketing Code, Data Sharing Code, Age-Appropriate Design Code) are issued under DPA 2018 ss.121–125. They are not strictly binding on businesses, but courts and tribunals must take them into account, and the ICO must consider its own code when investigating. In practice: treat statutory codes as binding. Other ICO guidance is persuasive but not statutory.
How does UK GDPR interact with PECR for cookies?
UK GDPR governs the personal-data layer; PECR Reg 6 governs the device-access layer (cookies, local storage, fingerprinting). Both apply to most analytics: PECR demands prior consent for non-essential storage; UK GDPR demands a lawful basis for any resulting personal-data processing. ICO's most active enforcement is via PECR — easier to prove and faster to issue. The DUA Act 2025 narrows PECR consent for low-risk first-party analytics — confirm commencement before relying.
How fast must I respond to a Subject Access Request?
One month from receipt under UK GDPR Art 12(3), extendable by two further months for complex or numerous requests with notice to the data subject. Identification verification can pause the clock. The DUA Act 2025 introduces a clearer 'stop-the-clock' regime and a tightened 'vexatious or excessive' refusal threshold.