United Kingdom
The UK GDPR and Data Protection Act 2018 largely mirror EU concepts with domestic oversight.
Editorial caveat
Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.
Breach
- Breach deadline (hours): 72
- Breach notification required: Yes
Marketing
- Cookie consent rule: PECR generally requires consent for non-essential cookies.
Transfers
- Cross-border transfer restricted: Yes
- Data localization required: No
Governance
- DPO required: Yes
- Impact assessment required: Yes
- Records of processing required: Yes
Identity
- Effective date: 2021-01-01
- Effective status: in-force
- Last amended: 2024-10-24
- Law status: active
Scope
- Extraterritorial application: Yes
- Private sector coverage: Yes
- Public sector coverage: Yes
- Territorial scope: Applies in the UK and extraterritorially to certain overseas processing targeting UK individuals.
Legal Basis
- Legal bases: consent, contract, legal obligation, vital interests, public task, legitimate interests
- Requires legal basis: Yes
Enforcement
- Maximum fine: Up to £17.5 million or 4% of worldwide annual turnover.
- Private right of action: Yes
Definitions
- Personal data definition: Information relating to an identified or identifiable living individual.
- Sensitive data recognized: Yes
Rights
- Right of access: Yes
- Right to appeal: Yes
- Right to deletion: Yes
- Right to object: Yes
- Right to portability: Yes
Official sources
- ICO guide to data protection (official-regulator • en • html)
- UK legislation text (official-law • en • html)
Recent change workflow
- PECR consent plus stronger refusal UX emphasis (pending • extractor openclaw)