SponsoredBuild your website with Vincony

免责声明:本网站不构成法律建议。法律法规和判例法会发生变化。请务必就您的具体情况咨询合格的律师。

UK Law Reference
所有指南
Data Protection
6 步骤
更新 2026-05-22
UK-wide

UK GDPR explained

What the UK GDPR is, who it applies to, the 7 principles, the 8 individual rights (including DSAR), and what the ICO enforces.

概述

The UK GDPR is the UK's adapted version of EU General Data Protection Regulation 2016/679, retained in UK law after Brexit and modified by the Data Protection Act 2018. The DPA 2018 fleshes out areas where the GDPR allows national rules — particularly law enforcement processing, intelligence services processing, and Article 23 exemptions. The ICO (Information Commissioner's Office) is the regulator. Most organisations that process personal data of UK residents need to comply. This guide is a general overview; specific compliance questions are sensitive and benefit from professional advice.

谁可以使用此程序

  • You are an individual (data subject) whose data is processed in the UK
  • OR you are an organisation that processes personal data in the UK

逐步流程

1

Know what 'personal data' covers

Any information that identifies, or could identify, a living individual. Includes name, email, IP address, location data, online identifiers, photos. 'Special category data' (health, race, religion, sexual orientation, biometrics, etc.) has stricter rules.

2

Understand the 7 principles

Lawfulness/fairness/transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity/confidentiality (security); accountability. Every processing operation must respect each.

3

Establish a lawful basis

Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. You must identify the lawful basis BEFORE processing — switching afterwards is not allowed for most purposes.

4

Know the 8 individual rights

Right to be informed, right of access (DSAR), right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, rights regarding automated decision-making.

5

If you are a data subject — make a DSAR

A Data Subject Access Request requires the organisation to provide a copy of your personal data within 1 calendar month, free (with exceptions). Use our DSAR template. If refused or partially refused, complain to the ICO or pursue in court.

6

If you process data — register and comply

Most organisations must register with the ICO (data protection fee £52–£3,763 depending on size). Have a privacy notice, lawful-basis register, data security measures, breach response plan, and DPIA process for high-risk processing.

费用

DSARFree (with exceptions for repeat/excessive requests)
ICO complaintFree
ICO registration fee (organisations)£52–£3,763 depending on size

重要警告

The UK GDPR is being amended by the Data (Use and Access) Bill 2025 — check the current version of the law if you are taking compliance action.

Sensitive personal data processing (health, biometrics, etc.) needs an Article 9 exception — most lawful bases alone are not enough.

Cross-border data transfers (to/from the UK) require an adequacy decision or appropriate safeguards (SCCs, BCRs).

有用链接