United Kingdom Data Privacy Regulations
Overview
Following Brexit, the UK retained the EU GDPR in domestic law as the "UK GDPR," sitting alongside the Data Protection Act 2018. It sets the standard of data protection for individuals residing in the UK.
It applies to controllers and processors based in the UK, and to those based outside the UK if they offer goods or services to, or monitor the behaviour of, UK residents.
Key Rules & Obligations
Breach Notification
Notify the ICO within 72 hours of becoming aware of the breach.
Maximum Penalties
Up to £17.5 million or 4% of global annual turnover, whichever is higher.
Data Transfers
Transfers outside the UK require adequacy regulations, the ICO's International Data Transfer Agreement (IDTA) or UK Addendum, or binding corporate rules.
Individual Rights
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
Enforcement Authority
Information Commissioner's Office (ICO)
Contact: 0303 123 1113
Notable Breaches in United Kingdom
| Company | Year | Records Exposed | Regulation Violated |
|---|---|---|---|
| British Airways | 2018 | 400,000+ | UK GDPR |
| Marriott | 2018 | 339,000,000 | UK GDPR |
| Electoral Commission | 2023 | 40,000,000 | UK GDPR |
Official Sources
- ICO: Action taken overview (verified 2024-03-01)
- gov.uk: Data protection (verified 2024-03-01)
Frequently Asked Questions
Is UK GDPR the same as EU GDPR?
Largely yes, but they are separate legal regimes following Brexit. Companies operating in both markets may need to comply with both laws and appoint dual representatives.
What happens if a company breaches UK GDPR?
The ICO investigates and can issue enforcement notices or sweeping fines up to £17.5 million or 4% of turnover.
How do I report a data breach in the UK?
Organizations must report to the ICO via their online portal or helpline within 72 hours of discovery.
Last updated: March 5, 2026