UK GDPR explained
What the UK GDPR is, who it applies to, the 7 principles, the 8 individual rights (including DSAR), and what the ICO enforces.
Przegląd
The UK GDPR is the UK's adapted version of EU General Data Protection Regulation 2016/679, retained in UK law after Brexit and modified by the Data Protection Act 2018. The DPA 2018 fleshes out areas where the GDPR allows national rules — particularly law enforcement processing, intelligence services processing, and Article 23 exemptions. The ICO (Information Commissioner's Office) is the regulator. Most organisations that process personal data of UK residents need to comply. This guide is a general overview; specific compliance questions are sensitive and benefit from professional advice.
Kto może skorzystać z tego procesu
- You are an individual (data subject) whose data is processed in the UK
- OR you are an organisation that processes personal data in the UK
Proces krok po kroku
Know what 'personal data' covers
Any information that identifies, or could identify, a living individual. Includes name, email, IP address, location data, online identifiers, photos. 'Special category data' (health, race, religion, sexual orientation, biometrics, etc.) has stricter rules.
Understand the 7 principles
Lawfulness/fairness/transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity/confidentiality (security); accountability. Every processing operation must respect each.
Establish a lawful basis
Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. You must identify the lawful basis BEFORE processing — switching afterwards is not allowed for most purposes.
Know the 8 individual rights
Right to be informed, right of access (DSAR), right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, rights regarding automated decision-making.
If you are a data subject — make a DSAR
A Data Subject Access Request requires the organisation to provide a copy of your personal data within 1 calendar month, free (with exceptions). Use our DSAR template. If refused or partially refused, complain to the ICO or pursue in court.
If you process data — register and comply
Most organisations must register with the ICO (data protection fee £52–£3,763 depending on size). Have a privacy notice, lawful-basis register, data security measures, breach response plan, and DPIA process for high-risk processing.
Koszty
Ważne ostrzeżenia
The UK GDPR is being amended by the Data (Use and Access) Bill 2025 — check the current version of the law if you are taking compliance action.
Sensitive personal data processing (health, biometrics, etc.) needs an Article 9 exception — most lawful bases alone are not enough.
Cross-border data transfers (to/from the UK) require an adequacy decision or appropriate safeguards (SCCs, BCRs).