General Data Protection Regulation (GDPR)
The UK GDPR (retained in domestic law following Brexit) is the principal data protection law governing how organisations collect, use, store, and share personal data. It requires organisations to have a lawful basis for processing personal data, to be transparent with individuals about how their data is used, and to uphold individuals' data rights. Breaches can result in significant fines from the Information Commissioner's Office (ICO).
The UK GDPR (retained in UK law post-Brexit, alongside the Data Protection Act 2018) regulates how organisations collect, use, store, and share personal data. Organisations must have a lawful basis for processing (consent, legitimate interests, contract, legal obligation, vital interests, or public task) and must tell individuals how their data is used via a privacy notice. Data subjects have rights including access (subject access request — SAR), erasure ('right to be forgotten'), rectification, restriction, and portability. The Information Commissioner's Office (ICO) enforces UK GDPR and can impose fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious breaches. Personal data breaches that risk individuals' rights must be reported to the ICO within 72 hours of becoming aware of them. Organisations with more than 250 employees or that carry out high-risk processing must appoint a Data Protection Officer (DPO).
Related guides
UK GDPR Rights for Individuals
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) give individuals in the UK eight legally enforceable rights over how organisations collect, store, and use their personal data. These rights apply whether the data is held by a business, public body, or online platform.
Data Subject Access Requests
A Subject Access Request (SAR) is a formal request you can make to any organisation asking them to provide a copy of all personal data they hold about you and information about how it is used. It is one of your most powerful rights under UK GDPR and is entirely free in most cases.
When a Company Has a Data Breach
A personal data breach occurs when an organisation accidentally or unlawfully destroys, loses, alters, discloses, or gives access to your personal data without authorisation. When this happens, UK GDPR places obligations on the organisation — including notifying you if the breach is likely to cause you harm — and gives you rights to complain and potentially claim compensation.