
General Data Protection Regulation (GDPR)

The UK GDPR (retained in domestic law following Brexit) is the principal data protection law governing how organisations collect, use, store, and share personal data. It requires organisations to have a lawful basis for processing personal data, to be transparent with individuals about how their data is used, and to uphold individuals' data rights. Breaches can result in significant fines from the Information Commissioner's Office (ICO).
