The Guide to the UK GDPR is part of our Guide to Data Protection. It is for DPOs and others who have day-to-day responsibility for data protection.
It explains the general data protection regime that applies to most UK businesses and organisations. It covers the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.
It explains each of the data protection principles, rights and obligations. It summarises the key points you need to know, answers frequently asked questions, and contains practical checklists to help you comply.
Where relevant, this guide also links to more detailed guidance and other resources, including ICO guidance and statutory ICO codes of practice. Links to relevant guidance published by the European Data Protection Board (EDPB) are also included for reference purposes.
You may also find other sections of the Guide to Data Protection useful:
- Introduction to data protection – for more on how the DPA 2018 works
- Guide to law enforcement processing – for more on the separate regime for law enforcement
- Guide to intelligence services processing – for more on the separate regime for the intelligence services
- Key data protection themes – for specific guidance on key themes and topics, including children’s data
What is the Information Commissioner’s Office (ICO)?
Who is the Information Commissioner, what powers do they have, and how will the ICO enforce GDPR?

The Information Commissioner’s Office (ICO) is the UK’s data protection watchdog charged with enforcing a host of laws that regulate communications, networking and data protection, although the organisation is most renowned for its role in enforcing the EU’s General Data Protection Regulation (GDPR). The ICO is tasked with making sure that businesses within the UK are compliant with strict data protection principles.
The regulator has a number of roles and responsibilities, including investigating organisations that have suffered data breaches, imposing penalties where appropriate, and generally auditing companies for their data collection and storage practices. The ICO also regularly publishes reports on the state of data protection in the UK, emerging threats to the landscape and updates to how it operates.
Before GDPR came into force, the ICO had the power to issue maximum fines of up to £500,000 to businesses that failed to comply with data protection principles under the Data Protection Act (DPA) 1998. This included any potential negligence when suffering a data breach. Now, however, the regulator has the power to issue organisations with fines of up to €20 million or 4% of the company’s global annual turnover for failing to comply with GDPR. Fines of up to €10 million or 2% of global annual turnover can also be issued for failing to notify the ICO about a data breach.