UK GDPR
UK General Data Protection Regulation
The UK GDPR is the UK's post-Brexit version of the EU GDPR, applying since 1 January 2021 and read alongside the Data Protection Act 2018. It keeps the same core principles, individual rights, and accountability duties under UK supervision.
Jurisdiction: 🇬🇧 United Kingdom
Type: Data privacy
In effect: 2021
Authority: Information Commissioner's Office (ICO)
Who it applies to
Organizations established in the UK that process personal data, and non-UK organizations that offer goods or services to, or monitor, individuals in the UK.
Identity requirements
- Establish a valid lawful basis for processing identity data
- Obtain valid consent where consent is the chosen lawful basis
- Apply data minimization and purpose limitation to identity attributes
- Implement appropriate technical and organizational security, including strong authentication where appropriate
- Uphold individual rights including access, rectification, erasure, and portability
- Maintain accountability records and assess high-risk identity processing
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Requires lawful basis and valid consent management for handling customer identity data. |
| Authentication & MFA | Drives strong authentication and encryption as appropriate technical security measures. |
| Breach notification | Requires reporting eligible personal data breaches to the ICO within 72 hours. |
| Audit, logging & accountability | Mandates records of processing and demonstrable accountability for identity data handling. |
| Data residency & cross-border transfer | Restricts international transfers of personal data without adequacy or appropriate safeguards. |
Penalties
Fines of up to 17.5 million pounds or 4 percent of total worldwide annual turnover, whichever is higher.
UK GDPR: frequently asked questions
- Who must comply with UK GDPR?
  - UK-based organizations processing personal data, and overseas organizations that offer goods or services to, or monitor, individuals in the UK.
- How is UK GDPR different from EU GDPR?
  - The UK GDPR mirrors the EU GDPR's core rules but applies under UK law, is enforced by the ICO, and uses pound-denominated fine caps following Brexit.
- How quickly must a breach be reported under UK GDPR?
  - Controllers must report eligible personal data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.