The UK GDPR is the centrepiece of the UK’s data protection framework. When the Brexit transition period ended, the EU General Data Protection Regulation was incorporated into domestic law as the “UK GDPR” and amended to work in a UK context. It operates alongside the Data Protection Act 2018 (DPA 2018), which supplements it with UK-specific provisions, exemptions and the rules governing law-enforcement and intelligence-services processing. Together they regulate almost all processing of personal data by organisations in the UK.
Core requirements
The UK GDPR is built on data protection principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every processing activity needs a lawful basis from the six listed in Article 6, with additional conditions required for special category data under Article 9. Individuals have a suite of enforceable rights, including access, rectification, erasure, restriction, portability and objection. Controllers must report qualifying personal data breaches to the ICO, generally within 72 hours.
Why it matters
The ICO can impose civil monetary penalties of up to the higher of £17.5 million or 4% of global annual turnover for the most serious infringements. Beyond fines, breaches damage trust, a particular risk for financial services firms handling sensitive client data. Strong governance, records of processing, and Data Protection Impact Assessments where required are central to demonstrating accountability.
Who it applies to
Any organisation that determines the purposes of, or carries out, the processing of personal data in the UK, including all regulated financial firms.