GDPR UK

The Guide to the UK GDPR is part of our Guide to Data Protection. It is for DPOs and others who have day-to-day responsibility for data protection.

It explains the general data protection regime that applies to most UK businesses and organisations. It covers the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018 (DPA 2018).

It explains each of the data protection principles, rights and obligations. It summarises the key points you need to know, answers frequently asked questions, and contains practical checklists to help you comply.

Where relevant, this guide also links to more detailed guidance and other resources, including ICO guidance and statutory ICO codes of practice. Links to relevant guidance published by the European Data Protection Board (EDPB) are also included for reference purposes.

Does this section apply to us?

This section applies if:

  • you are a UK-based business or organisation; and
  • the UK GDPR currently applies to your processing of personal data.

How can we prepare?

Now the transition period has ended, you can use our guidance to assess the impact of legal changes in a few key areas:

  • international data transfers;
  • EU representatives;
  • EU regulatory oversight of any cross-border processing; and
  • minor updates to documentation and accountability measures.

Does the GDPR still apply?

The GDPR is retained in domestic law now the transition period has ended, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments.

The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:

  • offering goods or services to individuals in the UK; or
  • monitoring the behaviour of individuals, where that behaviour takes place in the UK.

There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.

This guidance covers the key issues you need to consider regarding international data flows and cross-border processing.