The UK General Data Protection Regulation (UK GDPR)
The UK General Data Protection Regulation (UK GDPR)

The following Practice Compliance guidance note provides comprehensive and up to date legal information covering:

  • The UK General Data Protection Regulation (UK GDPR)
  • Summary of key legislation
  • Material scope
  • Territorial scope
  • Key concepts
  • Data protection principles
  • Lawful basis for processing
  • Processing special categories of personal data
  • Processing of criminal conviction and offence data
  • Data subject rights
  • more

Important note: The Retained Regulation (EU) 2016/679 (UK GDPR) regime described in this Practice Note is the regime which the UK government envisages will apply once the UK has exited the EU and EEA and once any transitional arrangements (during which the UK remains subject to EU laws or the EU/EEA data protection regime) have ended. The UK GDPR regime is not yet applicable nor in force. The date on which the UK GDPR regime applies will depend upon developments in the Brexit process. This Practice Note will be updated as matters progress. For further background, see Practice Note: Brexit—implications for data protection.

The UK is due to exit the EU and EEA at 11 pm UK time on exit day as defined in section 20 of the European Union (Withdrawal) Act 2018 (EU(W)A 2018) (Exit Day). The exact nature of the changes to data protection laws in the UK post-Brexit will depend on the terms of the UK’s future relations with the EU and subsequent laws. For more information on the mechanics of Brexit, see Practice Notes: Brexit timeline, Brexit legislation tracker and The status of EU law in the UK after Brexit.

As further explained in Practice Note: Brexit—implications for data protection, the creation of a UK data protection regime in relation to the general processing of personal data that