UK General Data Protection Regulation (UK GDPR) — Assimilated EU Law
The UK GDPR is the British version of the EU GDPR, governing data protection in the United Kingdom as retained EU law since Brexit.
Summary
The UK GDPR (UK General Data Protection Regulation) is the version of Regulation (EU) 2016/679 (General Data Protection Regulation) retained in United Kingdom law. It was incorporated into UK law on 1 January 2021 — the end of the Brexit transition period — through the European Union (Withdrawal) Act 2018 as retained EU law and has since formed the cornerstone of data protection law in the United Kingdom. Under the Retained EU Law (Revocation and Reform) Act 2023 (REULA 2023), the category retained EU law was renamed assimilated law with effect from 1 January 2024; the working term “UK GDPR” remains unchanged.
The text of the UK GDPR is largely identical to the EU GDPR but was adapted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) to function in a purely UK context. References to EU Member States, EU institutions, and the European Data Protection Board were replaced with references to the United Kingdom, the Secretary of State, and the Information Commissioner's Office (ICO).
The UK GDPR operates alongside the Data Protection Act 2018 as a unified data protection framework. Organisations processing personal data of individuals in the United Kingdom must comply with both instruments. The Data (Use and Access) Act 2025 introduced targeted amendments, including a clarification of legitimate interest and new provisions on automated decision-making.
History
The UK GDPR came into being as a direct consequence of Brexit. While the United Kingdom was an EU Member State, the EU GDPR applied directly. To ensure a seamless level of data protection after withdrawal, Regulation (EU) 2016/679 was retained in domestic law through the European Union (Withdrawal) Act 2018.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), made in February 2019 and taking effect on 31 December 2020, adapted the text to the UK legal context. On 1 January 2021, the UK GDPR became effective as a standalone statute. On 28 June 2021, the EU adopted an adequacy decision ensuring the free flow of data between the EU and the United Kingdom; this decision contained, for the first time, a sunset clause causing it to expire after four years on 27 June 2025.
Under the Retained EU Law (Revocation and Reform) Act 2023 (REULA 2023), the category retained EU law was renamed assimilated law with effect from 1 January 2024; the UK GDPR has since been classified as assimilated EU law.
On 24 June 2025, the EU extended the adequacy decision by six months through Implementing Decision (EU) 2025/1226 (a technical bridging extension) until 27 December 2025 in order to complete its ongoing review. On 19 December 2025, the decision was renewed through Implementing Decision (EU) 2025/2574 and, subject to a six-year sunset clause, runs until 27 December 2031. The Data (Use and Access) Act 2025 introduced the first substantive amendments to the UK GDPR.
Scope
The UK GDPR has the same material and territorial scope as the EU GDPR, adapted to the UK context:
- Controllers and processors: All organisations that process personal data in the context of an establishment in the United Kingdom, regardless of whether the processing takes place in the United Kingdom.
- Extraterritorial reach: Organisations outside the United Kingdom that offer goods or services to individuals in the United Kingdom or monitor their behaviour are subject to the UK GDPR and may need to appoint a representative in the United Kingdom.
- Personal data: Any information relating to an identified or identifiable natural person, including online identifiers, location data, and pseudonymised data.
- Special categories of data: Enhanced protection for health data, biometric data, genetic data, racial/ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sex life.
- Exemptions: Purely personal or household activities are exempt. Separate regimes apply to law enforcement (DPA 2018 Part 3) and intelligence services (DPA 2018 Part 4).
Key Requirements
- Lawfulness of processing (Article 6): Every processing of personal data must be based on one of six legal bases: consent, contract performance, legal obligation, vital interests, public interest, or legitimate interest. The DUAA 2025 introduced a non-exhaustive list of recognised legitimate interests.
- Data subject rights (Articles 12-22): Right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and rights in relation to automated decision-making including profiling.
- Data protection impact assessment (Article 35): Controllers must carry out an impact assessment for processing operations that pose a high risk to the rights and freedoms of natural persons.
- Breach notification (Articles 33-34): Personal data breaches must be reported to the ICO within 72 hours. Where there is a high risk to data subjects, they must also be notified.
- Data protection officer (Articles 37-39): Public authorities and organisations whose core activities involve large-scale monitoring or processing of special categories of data must appoint a data protection officer.
- International data transfers (Articles 44-49): Transfers of personal data to third countries are only permitted where there is an adequacy decision by the Secretary of State or appropriate safeguards (standard contractual clauses, binding corporate rules) are in place.
- Accountability and demonstrability (Articles 5(2), 24, 30): Controllers must be able to demonstrate compliance with data protection principles and maintain a record of processing activities.
Predecessors
Related Frameworks
Corrections & Errata
The chronology jumps from the adequacy decision (28 June 2021) to the 19 December 2025 renewal. Missing: the four-year sunset clause (expiry 27 June 2025) and the six-month bridging extension in June 2025 (Implementing Decision (EU) 2025/1226) to 27 December 2025.
Full details on the errata page →In the 28 June 2021 key-date entry, event_de contains the typo 'erlaaesst' instead of 'erlaesst'.
Full details on the errata page →key_dates: 2018-06-25 corrected to 2018-06-26
Full details on the errata page →