What Is UK General Data Protection Regulation + Data Protection Act 2018?
The UK's data protection framework has two interlocking parts: the UK GDPR (the retained-EU-law version of GDPR that has applied since 1 January 2021) and the Data Protection Act 2018 (DPA 2018), which supplements it with UK-specific provisions on immigration, national security, law enforcement processing (Part 3), and intelligence services (Part 4). In substance, UK GDPR mirrors EU GDPR: same lawful bases for processing, same data subject rights, same controller/processor framework, same breach notification regime (72 hours). The UK's Information Commissioner's Office (ICO) is the supervisory authority, with enforcement powers up to £17.5 million or 4% of annual global turnover, whichever is higher. The Data (Use and Access) Act 2025 introduced targeted reforms — streamlining certain data access provisions, updating cookie consent rules, and creating a new framework for scientific research — while keeping the core UK GDPR structure intact. The UK currently holds an EU adequacy decision (renewed through December 2025, extended review in progress), allowing data to flow freely between the UK and EU.
At a glance
- Full name: UK General Data Protection Regulation + Data Protection Act 2018
- Short code: UK GDPR
- Jurisdiction: United Kingdom
- Enacted: 2018
- Last major update: UK GDPR in force Jan 2021 post-Brexit; Data (Use and Access) Act 2025 amendments
- Regulator: Information Commissioner's Office (ICO)
- Private right of action: Yes
- Statutory citation: Data Protection Act 2018 + UK GDPR
Scope — who UK GDPR covers
Protected data
Data subject rights
- Right of access (Article 15) — obtain confirmation of processing and a copy of personal data
- Right to rectification (Article 16) — correct inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20) — receive data in structured, machine-readable format
- Right to object (Article 21) — including to direct marketing and profiling
- Rights relating to automated decision-making and profiling (Article 22)
- Right to lodge a complaint with the ICO
- Right to compensation for damage (Article 82)
Notable features
The UK GDPR uniquely permits certain UK-specific derogations (immigration exemption in DPA 2018 Schedule 2 paragraph 4 — ruled partially unlawful by the Court of Appeal in 2023 but retained with modifications). The UK also retained its own adequacy decisions framework — the ICO has issued adequacy findings for Jersey, Isle of Man, and other jurisdictions independently of the EU.
Enforcement & penalties
Regulator: Information Commissioner's Office (ICO)
Penalties: Two-tier administrative fines: standard tier up to £8.7 million or 2% of annual worldwide turnover; higher tier up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. The ICO has levied notable fines including BA £20M (2020), Marriott £18.4M (2020), TikTok £12.7M (2023), and Clearview AI £7.55M (2022, overturned on appeal 2023).
Private right of action: Article 82 UK GDPR grants a right to compensation for material or non-material damage from a GDPR infringement. Representative actions by consumer groups are also possible under Section 187 DPA 2018. The Supreme Court's 2021 Lloyd v Google judgment narrowed opt-out class actions but direct individual claims remain viable.
Relevance to data brokers
UK GDPR applies to any data broker that offers services to UK data subjects or monitors their behaviour — regardless of where the broker is headquartered. UK residents have strong legal standing to demand deletion under Article 17, and the ICO has been increasingly active on data broker enforcement (Experian 2020 enforcement notice, reviewing Clearview's practices). The 'legitimate interests' basis that many US brokers rely on is narrower under UK GDPR, requiring a documented Legitimate Interests Assessment (LIA).
Exercise your rights
OfflistMe drafts opt-out emails citing UK GDPR and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.
FAQ
What is the difference between EU GDPR and UK GDPR?
The UK GDPR is the UK-retained version of EU GDPR that has applied since 1 January 2021, following Brexit. Substantively, the two laws are nearly identical — same rights, same legal bases, same fine structure. The UK supplements UK GDPR with the Data Protection Act 2018, which adds UK-specific provisions for national security, law enforcement, and immigration.
How do I file a complaint with the ICO?
Submit a complaint at ico.org.uk/make-a-complaint. The ICO can investigate, require corrective action, and levy fines. The ICO typically requires you to first raise the issue with the controller and wait 30 days for a response before escalating, though this is not strictly required.
Can a data broker outside the UK be subject to UK GDPR?
Yes. Article 3 UK GDPR has extraterritorial scope: it applies to any controller or processor — regardless of establishment — that offers goods or services to data subjects in the UK or monitors their behaviour in the UK. A data broker selling profiles on UK residents is subject to UK GDPR and must designate a UK representative under Article 27.
What is a Subject Access Request (SAR)?
A SAR is a request under Article 15 UK GDPR asking a controller to confirm whether they process your personal data and provide a copy. Controllers must respond within one calendar month (extendable to three months for complex requests) and must provide the data free of charge in the first instance.
Official sources & citations
Other international privacy regimes
UK GDPR sits in a global ecosystem of data-protection laws. Compare with other jurisdictions that shape cross-border data flows: