SponsoredBuild your website with Vincony

Aviso legal: Esto no constituye asesoramiento jurídico. La legislación y la jurisprudencia cambian. Consulte siempre con un abogado cualificado para su situación específica.

UK Law Reference
Todas las guías
Data Protection
6 pasos
Actualizado 2026-05-22
UK-wide

UK GDPR explained

What the UK GDPR is, who it applies to, the 7 principles, the 8 individual rights (including DSAR), and what the ICO enforces.

Visión general

The UK GDPR is the UK's adapted version of EU General Data Protection Regulation 2016/679, retained in UK law after Brexit and modified by the Data Protection Act 2018. The DPA 2018 fleshes out areas where the GDPR allows national rules — particularly law enforcement processing, intelligence services processing, and Article 23 exemptions. The ICO (Information Commissioner's Office) is the regulator. Most organisations that process personal data of UK residents need to comply. This guide is a general overview; specific compliance questions are sensitive and benefit from professional advice.

Quién puede usar este proceso

  • You are an individual (data subject) whose data is processed in the UK
  • OR you are an organisation that processes personal data in the UK

Proceso paso a paso

1

Know what 'personal data' covers

Any information that identifies, or could identify, a living individual. Includes name, email, IP address, location data, online identifiers, photos. 'Special category data' (health, race, religion, sexual orientation, biometrics, etc.) has stricter rules.

2

Understand the 7 principles

Lawfulness/fairness/transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity/confidentiality (security); accountability. Every processing operation must respect each.

3

Establish a lawful basis

Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. You must identify the lawful basis BEFORE processing — switching afterwards is not allowed for most purposes.

4

Know the 8 individual rights

Right to be informed, right of access (DSAR), right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, rights regarding automated decision-making.

5

If you are a data subject — make a DSAR

A Data Subject Access Request requires the organisation to provide a copy of your personal data within 1 calendar month, free (with exceptions). Use our DSAR template. If refused or partially refused, complain to the ICO or pursue in court.

6

If you process data — register and comply

Most organisations must register with the ICO (data protection fee £52–£3,763 depending on size). Have a privacy notice, lawful-basis register, data security measures, breach response plan, and DPIA process for high-risk processing.

Costes

DSARFree (with exceptions for repeat/excessive requests)
ICO complaintFree
ICO registration fee (organisations)£52–£3,763 depending on size

Advertencias importantes

The UK GDPR is being amended by the Data (Use and Access) Bill 2025 — check the current version of the law if you are taking compliance action.

Sensitive personal data processing (health, biometrics, etc.) needs an Article 9 exception — most lawful bases alone are not enough.

Cross-border data transfers (to/from the UK) require an adequacy decision or appropriate safeguards (SCCs, BCRs).

Enlaces útiles