Loading…
Since 1 January 2021, the UK operates the UK GDPR alongside the Data Protection Act 2018. The framework largely mirrors EU GDPR but diverges on transfers, children's data, and PECR. The Data (Use and Access) Act 2025 codifies further targeted reforms.
Enforcement sits with the Information Commissioner's Office (ICO) — one of the world's most active data protection authorities, with statutory powers including monetary penalties, audit, and enforcement notices.
Principle 1 — processing must have a lawful basis under Art. 6 UK GDPR and be transparent to data subjects.
Principle 2 — collected for specified, explicit, and legitimate purposes only.
Principle 3 — adequate, relevant, and limited to what is necessary.
Principle 4 — accurate and, where necessary, kept up to date.
Principle 5 — kept no longer than necessary for the purpose.
Principle 6 — appropriate technical and organisational security measures.
Offering goods or services to people in the UK — Art. 3 extraterritorial scope, must appoint a UK Representative.
PECR overlays UK GDPR on cookies and electronic marketing — ICO is actively enforcing.
Age Appropriate Design Code applies — 15 standards including DPIA and high-privacy defaults.
FCA supervision overlays UK GDPR — operational resilience and consumer duty considerations.
In-UK Representative for non-UK controllers and processors offering goods or services to people in the UK.
Data Protection Officer service per Art. 37 UK GDPR — including ICO registration and contact publication.
Investigation, Section 142 information notice, and undertaking response with the Information Commissioner's Office.
ROPA maintained in line with ICO accountability framework — produced on request.
UK IDTA, UK Addendum to EU SCCs, and Transfer Risk Assessments under ICO guidance.
ICO Age Appropriate Design Code conformance for any service likely to be accessed by under-18s.
We act as your Article 27 UK Representative — single point of contact for the ICO and UK data subjects.