The UK General Data Protection Regulation (UK GDPR) works with the Data Protection Act 2018 to form the UK’s data protection framework. It determines how people’s personal data is processed and kept safe, and the legal rights individuals have over their own data.
‘Personal data’ means information that can identify a living individual.
Changes after Brexit
Since withdrawing from the EU, the UK has used its own version of the GDPR, known as the UK GDPR. The key principles, rights and obligations remain the same as before, but there are some amendments, mainly around international data transfers – see our summary article for more details.
Data must be: processed lawfully, fairly and transparently; collected for specific, explicit and legitimate purposes; limited to what is necessary for the purposes for which it is processed; accurate and kept up to date; held securely; only retained for as long as is necessary for the reasons it was