Industry type - all

Available with - All


The UK General Data Protection Regulation (UK GDPR) is a law that governs how UK organisations and some non-UK organisations process personal data. It applies to:

  • UK-based businesses and organisations
  • Non-UK organisations that offer good or services to UK residents
  • Non-UK organisations that monitor the behaviour of UK residents

The UK GDPR gives individuals a range of rights when it comes to how their personal data is handled by organisations. The law also provides stronger legal protections for sensitive information such as race, ethnicity, political opinions and health.


The UK GDPR is the UK's version of the EU GDPR, but it was revised after Brexit to remove references to the EU and to align with UK requirements. It sits alongside an amended version of the Data Protection Act 2018 (DPA 2018), which sets out how personal data must be collected, handled and stored.


You should know what rules the Act enforces regarding how you obtain, store, share, and use personal data. By following these rules, you’ll ensure your business handles data securely and protects the privacy of your customers and employees.

The Data Protection Act 2018 aims to:

  • Facilitate the secure transfer of information within the European Union.
  • Prevent people or organisations from holding and using inaccurate information on individuals. This applies to information regarding both private lives or business.
  • Give the public confidence about how business’s can use their personal information.
  • Provide data subjects with the legal right to check the information businesses hold about them. They can also request for the data controller to destroy it.
  • Give data subjects greater control over how data controllers handle their data.
  • Place emphasis on accountability. This requires businesses to have processes in place that demonstrate how they’re securely handling data.
  • Require firms to keep people’s personal data safe and secure. Data controllers must ensure that it is not misused.
  • Require the data user or holder to register with the Information Commissioner.