UK GDPR explained
What the UK GDPR is, who it applies to, the 7 principles, the 8 individual rights (including DSAR), and what the ICO enforces.
Quick answer
The UK GDPR (the UK version of the EU GDPR, retained in UK law and amended by the Data Protection Act 2018) governs how organisations process personal data. It applies to almost all UK businesses and public bodies. It sets out 7 data-protection principles, 8 individual rights (including the right of access — DSAR), and a lawful-basis requirement for every processing operation. The ICO can fine organisations up to £17.5m or 4% of global turnover. Individuals can complain to the ICO or claim compensation in court.
Overview
The UK GDPR is the UK's adapted version of EU General Data Protection Regulation 2016/679, retained in UK law after Brexit and modified by the Data Protection Act 2018. The DPA 2018 fleshes out areas where the GDPR allows national rules — particularly law enforcement processing, intelligence services processing, and Article 23 exemptions. The ICO (Information Commissioner's Office) is the regulator. Most organisations that process personal data of UK residents need to comply. This guide is a general overview; specific compliance questions are sensitive and benefit from professional advice.
Who Can Use This Process
- You are an individual (data subject) whose data is processed in the UK
- OR you are an organisation that processes personal data in the UK
Step-by-Step Process
Know what 'personal data' covers
Any information that identifies, or could identify, a living individual. Includes name, email, IP address, location data, online identifiers, photos. 'Special category data' (health, race, religion, sexual orientation, biometrics, etc.) has stricter rules.
Understand the 7 principles
Lawfulness/fairness/transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity/confidentiality (security); accountability. Every processing operation must respect each.
Establish a lawful basis
Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. You must identify the lawful basis BEFORE processing — switching afterwards is not allowed for most purposes.
Know the 8 individual rights
Right to be informed, right of access (DSAR), right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, rights regarding automated decision-making.
If you are a data subject — make a DSAR
A Data Subject Access Request requires the organisation to provide a copy of your personal data within 1 calendar month, free (with exceptions). Use our DSAR template. If refused or partially refused, complain to the ICO or pursue in court.
If you process data — register and comply
Most organisations must register with the ICO (data protection fee £52–£3,763 depending on size). Have a privacy notice, lawful-basis register, data security measures, breach response plan, and DPIA process for high-risk processing.
Costs
Important Warnings
The UK GDPR is being amended by the Data (Use and Access) Bill 2025 — check the current version of the law if you are taking compliance action.
Sensitive personal data processing (health, biometrics, etc.) needs an Article 9 exception — most lawful bases alone are not enough.
Cross-border data transfers (to/from the UK) require an adequacy decision or appropriate safeguards (SCCs, BCRs).
Useful Links
Frequently asked questions
- How much does it cost?
- Main outlays are: DSAR — Free (with exceptions for repeat/excessive requests); ICO complaint — Free; ICO registration fee (organisations) — £52–£3,763 depending on size. Court fees often qualify for Help with Fees remission if you're on a low income. Solicitor fees are extra and vary widely — many matters can be done as a litigant in person.
- What are the most common mistakes to avoid?
- Watch out for: The UK GDPR is being amended by the Data (Use and Access) Bill 2025 — check the current version of the law if you are taking compliance action.; Sensitive personal data processing (health, biometrics, etc.) needs an Article 9 exception — most lawful bases alone are not enough.; Cross-border data transfers (to/from the UK) require an adequacy decision or appropriate safeguards (SCCs, BCRs).. If you're unsure on any of these, get advice from a regulated solicitor or a free service like Citizens Advice before acting.
- Where can I find the official forms and guidance?
- The official sources are: ICO — for the public; ICO — guide to the UK GDPR; Make a complaint to the ICO; Data Protection Act 2018. Always use the forms / guidance from the issuing authority's own site — third-party copies can be out of date.
- Can I do this myself without a solicitor?
- Yes — many people complete this kind of matter as a litigant in person. The site walks through each step in plain English. A solicitor is recommended if: large sums are at stake, the other side has legal representation, the matter involves criminal liability, children, immigration, or you're unsure on any procedural deadline. Free advice is available from Citizens Advice, Law Centres, and (for some matters) LawWorks pro bono clinics.
Part of our Online Harm, Privacy and Reputation hub
Defamation, harassment, data protection, Online Safety Act, and intimate image abuse — civil and criminal routes.