What is GDPR? A UK guide to the General Data Protection Regulation

by
Mark McShane
May 12, 2026
12 min read

A plain-English guide to UK GDPR: what it is, who it applies to, the principles and rights it protects, and what changed under the 2025 Data (Use and Access) Act.

GDPR is the most significant data protection law to affect UK organisations in a generation. Most of what you read about it was written before 2023, and a great deal of it is now wrong. This guide explains the regulation as it stands today, including the changes brought in by the Data (Use and Access) Act 2025, which began taking effect in February 2026.

If you process information about people — staff, customers, suppliers, anyone — GDPR applies to you. The question is rarely whether you have to comply, but how the rules play out in practice. This page covers the essentials and links out to deeper explainers on each subtopic.

GDPR in one sentence

GDPR is a regulation that sets out how organisations must handle the personal information of identifiable people. Its purpose is to give individuals meaningful control over how their data is collected, used, shared, and stored, and to hold the organisations using that data to a documented standard of care.

The law applies to nearly every UK business, charity, public body, and sole trader that handles personal data. It is enforced by the Information Commissioner's Office (ICO), which can impose fines, issue reprimands, audit organisations, and require specific corrective action.

What does GDPR stand for?

GDPR stands for General Data Protection Regulation. It was originally an EU regulation, adopted in April 2016 and enforceable across the European Union — including the United Kingdom — from 25 May 2018.

After Brexit, the UK adopted its own version, known formally as the UK GDPR, which sits alongside the Data Protection Act 2018. The two are sometimes described as a single regime: the UK GDPR provides the main rules, the Data Protection Act 2018 fills in UK-specific detail.

When did GDPR come into force?

[Figure: GDPR timeline, 1995 to 2026]

The EU GDPR was adopted by the European Parliament on 14 April 2016. It then went through a two-year transition period before becoming directly enforceable on 25 May 2018. On the same day, the UK's Data Protection Act 2018 came into effect, replacing the older Data Protection Act 1998.

When the Brexit transition period ended on 31 December 2020, the EU GDPR stopped applying directly to the UK. Since 1 January 2021, the UK has had its own version: the UK GDPR. It is substantively similar to the EU regulation, but the two have begun to diverge — particularly since the Data (Use and Access) Act 2025 introduced UK-specific reforms.

The DUAA received Royal Assent on 19 June 2025. Most of its substantive changes came into force on 5 February 2026, with further provisions following through to June 2026.

For a fuller breakdown of dates and what each one means, see our GDPR history and timeline guide.

Who does GDPR apply to?

UK GDPR applies to organisations established in the UK that process personal data, regardless of where the processing itself happens. It also applies to organisations outside the UK that offer goods or services to people in the UK, or that monitor the behaviour of people in the UK (for example, by tracking visitors to a UK-targeted website).

There is no general exemption for small businesses, charities, or sole traders. If you collect customer emails, run a payroll, manage a membership list, or operate a CCTV camera that captures the street outside your premises, GDPR is in scope. The small-business-friendly parts of the regulation are mostly about proportionality — what the rules require of you scales with the risk you create — not about exemptions from the rules themselves.

A narrow "household exemption" carves out purely personal or domestic activity from the regulation. A homeowner's CCTV system that records only their own driveway sits within the exemption. The moment that camera captures the neighbour's garden or a public footpath, the exemption falls away — as the Oxford County Court confirmed in Fairhurst v Woodard in 2021.

Our scope guide covers the territorial reach, the household exemption, and what GDPR means for charities, sole traders, and small businesses specifically.

UK GDPR vs EU GDPR

[Figure: four-column comparison of EU GDPR, UK GDPR, DPA 2018 and DUAA 2025]

For most of the period from 2021 to 2024, the UK GDPR and the EU GDPR were practically identical. That has changed.

The Data (Use and Access) Act 2025 introduced a new lawful basis ("recognised legitimate interests") that does not exist in the EU regulation. It replaced Article 22 of the UK GDPR (the automated decision-making rule) with new Articles 22A to 22D, which give organisations more flexibility. It expanded the list of cookies and similar technologies that no longer require consent under PECR. And it changed the test that applies to international data transfers from the EU's "essential equivalence" standard to a UK-specific "not materially lower" test.

None of this means UK and EU GDPR have become wholly different regimes. They share the same principles, the same definitions of personal data, the same controller/processor framework, and most of the same individual rights. But the divergence is real, and on a path that is likely to continue.

The European Commission renewed the UK's adequacy decision on 19 December 2025, extending it until 27 December 2031. That means, for now, personal data can continue to flow freely from the EU to the UK without additional safeguards.

For the full comparison see our UK GDPR vs EU GDPR guide.

The 7 principles of GDPR

Article 5 of the UK GDPR sets out seven principles that underpin everything else in the regulation. Six of them are listed in Article 5(1); the seventh — accountability — sits in Article 5(2) and applies on top of the others.

The principles are:

  1. Lawfulness, fairness and transparency. You need a lawful basis for processing, you must treat people fairly, and you must be open about what you are doing.
  2. Purpose limitation. You can only use personal data for the purposes you originally collected it for, unless the new purpose is compatible or you have a fresh lawful basis. (The DUAA clarified the compatibility test.)
  3. Data minimisation. Collect what you need for the stated purpose. Nothing more.
  4. Accuracy. Keep personal data accurate and up to date. Correct or delete inaccurate data without delay.
  5. Storage limitation. Don't keep personal data for longer than you need it.
  6. Integrity and confidentiality (security). Protect personal data against loss, theft, and unauthorised access.
  7. Accountability. Be able to demonstrate that you comply with all of the above.

These are not aspirations or best practices. They are legal obligations, and the burden of proving compliance sits with the organisation. The accountability principle in particular is what makes GDPR a documented compliance regime rather than a trust-based one.

For per-principle detail see our seven principles of GDPR guide.

Rights of individuals

GDPR gives individuals (called "data subjects" in the regulation) eight specific rights over their personal data:

  • The right to be informed — to know what data is being collected, by whom, for what purpose, and for how long.
  • The right of access — to obtain a copy of the personal data an organisation holds about them. Requests are known as Subject Access Requests, or SARs.
  • The right to rectification — to have inaccurate data corrected.
  • The right to erasure (often called the "right to be forgotten") — to have data deleted in certain circumstances.
  • The right to restrict processing — to limit how their data is used.
  • The right to data portability — to receive their data in a portable format and to send it to another provider.
  • The right to object — including an absolute right to opt out of direct marketing.
  • Rights related to automated decision-making and profiling — including the right to human intervention in significant automated decisions. These rules were substantially rewritten by the DUAA.

Individuals can exercise these rights for free in most cases. Organisations must respond within one month, with a possible two-month extension for complex requests. The DUAA also gave data subjects a new right to complain directly to a controller (in addition to their right to complain to the ICO), with controllers required to acknowledge complaints within 30 days.

Our data subject rights guide covers each right in detail, including how to handle a Subject Access Request.

Key roles: controller and processor

GDPR distinguishes between two main roles. A controller is the organisation that decides why and how personal data is processed. A processor is an organisation that processes personal data on the controller's instructions.

If you run a customer database, you are the controller. If you use an email marketing platform to send messages to that database, the platform is acting as your processor. If a school records its pupils' attendance using a third-party software supplier, the school is the controller and the supplier is the processor.

The two roles carry different obligations. Controllers must identify a lawful basis for processing, respond to subject access requests, conduct impact assessments where appropriate, and maintain records of their processing activities. Processors must follow the controller's instructions, keep their own records, implement appropriate security, and notify the controller of any breach.

The relationship must be governed by a written contract that meets the requirements of Article 28. Without one, both parties are in breach.

Some organisations are controllers for some processing and processors for other processing. The classification depends on the specific activity, not the organisation as a whole. Our controller vs processor guide walks through how to determine which role you are in each case.

What counts as personal data?

Personal data is any information that relates to an identified or identifiable living person. A name, address, or phone number is obviously personal data. So is an email address, an IP address logged in a server, a customer reference number, a CCTV image, a voice recording, and in many contexts a vehicle registration plate.

The test is whether the person can be identified — directly, or indirectly when the data is combined with other information. An anonymous customer ID on its own may not be personal data, but the same ID held alongside a separate file that links it to a name becomes personal data in both files.

A subset of personal data, called special category data, gets extra protection under Article 9. This includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for identification, health information, and information about sex life or sexual orientation. Processing special category data requires both a lawful basis and a separate Article 9 condition.

Information about deceased people is not personal data under UK GDPR. Nor is information about companies or other legal entities. Truly anonymised data — data from which a person cannot be identified, even with effort — is also outside the regulation. Pseudonymised data, where identifiers have been replaced with codes that can be reversed, is still personal data.

For the full definition and edge cases, see our personal data guide.

Penalties for non-compliance

UK GDPR fines come in two tiers. The standard maximum is £8.7 million or 2% of total worldwide turnover, whichever is higher. The higher maximum is £17.5 million or 4% of turnover. Which tier applies depends on the type of infringement: breaches of the principles, of data subject rights, or of the international transfer rules sit in the higher tier; administrative failures such as missing records sit in the standard tier.

The ICO has shifted its approach in recent years. In 2024 it issued 18 fines totalling £2.7 million, the largest being a £750,000 penalty against the Ministry of Defence. In the first half of 2025 alone it issued six fines worth £5.6 million — already double the previous year's total. Four of the largest UK GDPR fines ever imposed landed in 2025: £14 million on Capita group companies, £3.07 million on Advanced Computer Software, £2.31 million on the genealogy company 23andMe, and £1.23 million on LastPass. Every one of those was for a security failure following a cyber attack.

The pattern is clear: fewer enforcement actions, but bigger fines targeting systemic failures. The largest UK GDPR fine on record remains the £20 million issued to British Airways in 2020 — though the ICO had originally proposed £183 million before it was reduced on appeal.

Fines are not the only enforcement tool. The ICO can issue enforcement notices requiring specific action, public reprimands, and audits. Individuals can also bring civil compensation claims under Article 82.

The DUAA aligned penalties under the Privacy and Electronic Communications Regulations (PECR) with UK GDPR. Previously, PECR fines were capped at £500,000. From 5 February 2026, they can reach the full £17.5 million or 4% — a 35-fold increase that matters particularly for direct marketing and cookie compliance.

For the full enforcement picture, including how the ICO calculates fines, see our GDPR fines guide.

What's changed under the DUAA 2025

The Data (Use and Access) Act 2025 is the most significant change to UK data protection law since 2018. It does not replace UK GDPR, the Data Protection Act 2018, or PECR — but it amends all three. The key reforms that affect day-to-day compliance:

  • A seventh lawful basis for processing, called recognised legitimate interests, covering activities like crime prevention, safeguarding, emergency response, and national security. It removes the need for a legitimate interests assessment in these specific cases, though most commercial processing will still rely on standard legitimate interests with a balancing test.
  • Automated decision-making, previously restricted by Article 22, is now permitted under any lawful basis where special category data is not involved (subject to safeguards). Articles 22A to 22D replace the old Article 22.
  • A new direct right to complain — data subjects can now lodge complaints directly with controllers, who must acknowledge them within 30 days. This is in addition to the existing right to complain to the ICO.
  • Cookie exemptions — five new categories of cookies and similar technologies no longer require consent under PECR, including some statistical and functional cookies. The ICO's updated Storage and Access Technologies guidance, finalised on 29 April 2026, sets out the detail.
  • Scientific research — new flexibilities, including a clearer definition of "broad consent" and an exemption from the privacy notice obligation where providing one would require disproportionate effort.
  • Children's online services — explicit requirements for online services likely to be used by children to take account of "children's higher protection matters" when designing those services.
  • The Information Commissioner's Office is being renamed to the Information Commission. Its powers and structure are also being modernised.

Implementation has been phased. Some changes were already in force during 2025; the largest batch came in on 5 February 2026; the remainder is following through to mid-2026.

Where to go next

[Figure: GDPR content cluster — foundations, mechanics, in practice]

This guide covers the essentials. Each section above links to a deeper guide on its subtopic, grouped into three areas: foundations, mechanics, and GDPR in practice.

Reading is a good start. If your team needs to actually do GDPR compliance — set up the right processes, handle requests properly, train staff to spot the issues that lead to fines — that's a different problem from understanding what the law says. Our GDPR & Data Protection Course covers both: the regulation as it stands today, and the practical compliance habits that keep organisations out of trouble.

Frequently asked questions

Is GDPR still in force after Brexit?

Yes. The UK adopted its own version of the regulation, known as UK GDPR, which has applied since 1 January 2021. It sits alongside the Data Protection Act 2018.

What's the difference between UK GDPR and the Data Protection Act 2018?

UK GDPR provides the core rules; the Data Protection Act 2018 supplements it with UK-specific detail (for example, around law enforcement processing, children's data, and exemptions). They are two separate pieces of legislation that work together. UK GDPR is not a different name for the Data Protection Act, despite what some online guides suggest.

Does GDPR apply to small businesses?

Yes. There is no size-based exemption from UK GDPR. Some specific obligations — like keeping a record of processing activities — have a narrow carve-out for organisations under 250 employees, but the carve-out almost never applies in practice.

What's changing under the DUAA in 2026?

A new lawful basis (recognised legitimate interests), substantial changes to automated decision-making rules, new cookie exemptions, a direct right to complain to controllers, and a rename of the ICO to the Information Commission. Most provisions came into force on 5 February 2026.

Who enforces GDPR in the UK?

The Information Commissioner's Office (ICO). Under the DUAA, the regulator is being renamed the Information Commission. It investigates complaints, issues fines, audits organisations, and publishes guidance.

When did GDPR become law?

GDPR was adopted by the EU on 14 April 2016 and became enforceable on 25 May 2018. UK GDPR has applied since 1 January 2021.

What is personal data?

Any information that relates to an identifiable living person — including names, contact details, IP addresses, photos, online identifiers, and more.

What happens if you breach GDPR?

The ICO can issue fines of up to £17.5 million or 4% of global turnover, alongside other enforcement actions like reprimands, audits, and enforcement notices. Affected individuals can also bring civil compensation claims.
