Jurisdiction: United Kingdom

UK Data
Protection.

Post-Brexit data protection framework. UK GDPR retained with domestic adaptations under the Data Protection Act 2018.

£17.5M

Maximum Fine

or 4% Global Turnover

72hrs

Breach Window

ICO Notification

Art. 22

Automated Decisions

Human Review Rights

Retained

EU Adequacy

Until June 2025

Legal Framework

UK GDPR

Following Brexit, the UK retained the GDPR as the "UK GDPR" through the European Union (Withdrawal) Act 2018. The Data Protection Act 2018 provides supplementary provisions and exemptions.

The Information Commissioner's Office (ICO) serves as the independent supervisory authority, with powers to investigate, audit, and issue fines up to £17.5 million or 4% of global turnover.

The EU granted the UK an adequacy decision in June 2021, allowing continued data flows. This decision is subject to review and renewal.

Data Protection Principles

Lawfulness, Fairness & Transparency

Processing must be lawful with clear information provided

Purpose Limitation

Collected for specified, explicit and legitimate purposes

Data Minimisation

Adequate, relevant and limited to what is necessary

Accuracy

Accurate and, where necessary, kept up to date

Storage Limitation

Kept no longer than necessary

Security

Appropriate security against unauthorised processing

Regulatory Landscape

UK Regulators

ICO

Information Commissioner's Office

Primary data protection authority

GDPR enforcement, guidance, and investigations

CMA

Competition & Markets Authority

Competition oversight

Digital markets and data-related competition issues

FCA

Financial Conduct Authority

Financial services regulator

Data protection in banking and financial services

Ofcom

Office of Communications

Communications regulator

Online safety and digital communications

Brexit Impact

Divergence Tracker

The UK government has signaled intentions to diverge from EU GDPR in certain areas, prioritizing a "pro-innovation" approach while maintaining adequacy.

Legitimate Interests

Expanded

Broader scope for business activities

International Transfers

Simplified

New transfer mechanisms proposed

Research Exemptions

Enhanced

Reduced restrictions on scientific research

Cookie Consent

Under Review

Potential opt-out model consideration

UK-India Data Flows

Understand the adequacy landscape for cross border transfers between the UK and India under DPDPA Section 16.

View Adequacy Matrix →

UK Data Protection.