Skip to content
CityLearning
Data & operational

UK GDPR (UK General Data Protection Regulation)

The UK GDPR is the UK's primary data protection law, formed by retaining the EU GDPR in domestic law after Brexit and reading it alongside the Data Protection Act 2018. It governs the processing of personal data, sets out six lawful bases and data subject rights, and is enforced by the Information Commissioner's Office (ICO).

The UK GDPR is the centrepiece of the UK’s data protection framework. When the Brexit transition period ended, the EU General Data Protection Regulation was incorporated into domestic law as the “UK GDPR” and amended to work in a UK context. It operates alongside the Data Protection Act 2018 (DPA 2018), which supplements it with UK-specific provisions, exemptions and the rules governing law-enforcement and intelligence-services processing. Together they regulate almost all processing of personal data by organisations in the UK.

Core requirements

The UK GDPR is built on data protection principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every processing activity needs a lawful basis from the six listed in Article 6, with additional conditions required for special category data under Article 9. Individuals have a suite of enforceable rights, including access, rectification, erasure, restriction, portability and objection. Controllers must report qualifying personal data breaches to the ICO, generally within 72 hours.

Why it matters

The ICO can impose civil monetary penalties of up to the higher of £17.5 million or 4% of global annual turnover for the most serious infringements. Beyond fines, breaches damage trust, a particular risk for financial services firms handling sensitive client data. Strong governance, records of processing, and Data Protection Impact Assessments where required are central to demonstrating accountability.

Who it applies to

Any organisation that determines the purposes of, or carries out, the processing of personal data in the UK, including all regulated financial firms.

DPIA, operational resilience and financial crime.

Frequently asked questions

What is the UK GDPR?
The UK GDPR is the retained version of the EU General Data Protection Regulation, brought into UK law after Brexit and applied together with the Data Protection Act 2018. It regulates how organisations process personal data, requires a lawful basis for processing, grants individuals enforceable rights, and is overseen and enforced by the Information Commissioner's Office (ICO).
What are the six lawful bases for processing under the UK GDPR?
Article 6 of the UK GDPR sets out six lawful bases for processing personal data: consent; performance of a contract; compliance with a legal obligation; protection of someone's vital interests; performance of a task in the public interest or official authority; and legitimate interests. At least one basis must apply to every processing activity.

Reviewed by Margaret Hassett

← Back to the compliance glossary

Turn definitions into training

See how CityLearning's UK compliance courses help your team understand terms like this in practice.