UK GDPR—the basics

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • UK GDPR—the basics
  • The data protection regime
  • The EU GDPR
  • UK data protection regulator
  • Types of data covered by the UK GDPR
  • Personal data
  • Special category personal data
  • Data controller and processors
  • Processing personal data
  • Lawful grounds of processing

This Practice Note explains, in simple terms, the key features of the UK General Data Protection Regulation (UK GDPR). See also Precedent: Data protection quick reference guide.

This Practice Note is intended for non-privacy specialists and there are separate, more detailed, Practice Notes on the UK GDPR, eg:

  1. Introduction to the EU GDPR and UK GDPR

  2. Data protection compliance planning

  3. Data protection officer

  4. Data mapping

  5. Data protection compliance—data subjects rights

  6. Processing personal data—lawful processing

The data protection regime

The UK GDPR is the main source of data protection law in the UK—see Practice Note: The UK General Data Protection Regulation (UK GDPR). It is supplemented by the Data Protection Act 2018 (DPA 2018).


The EU GDPR

Before the end of the Brexit implementation period, the UK was subject to the EU GDPR. The EU GDPR sets out the rules on processing personal data across the EU, and also applies in Iceland, Norway and Liechtenstein—this wider group is known as the EEA. See Practice Note: The EU’s General Data Protection Regulation (EU GDPR).

Essentially the EU GDPR has been replicated in UK law, as the ‘UK GDPR’. For more information on data protection post-Brexit, see Practice Note: Brexit—implications for data protection.

UK data protection regulator

The Information Commissioner’s Office (ICO) is responsible for ensuring data protection laws are followed in the UK.

Types of data covered by the UK GDPR

The UK
