UK GDPR
The UK's retained version of the EU General Data Protection Regulation, which continues to govern personal data processing in the UK after Brexit. It sits alongside the Data Protection Act 2018 and provides eight individual rights, including the rights of access (SAR), rectification, erasure ('right to be forgotten'), restriction, portability and objection, and rights related to automated decision-making.
UK GDPR (formally the retained Regulation (EU) 2016/679) imposes obligations on data controllers and processors: lawful, fair, transparent processing; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. There are six lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests). Special category data requires additional protection. Individuals can exercise their rights without charge, and the controller has 1 month to respond. Breaches are notifiable to the ICO within 72 hours where high risk. The retained Regulation is amended by the Data Protection Act 2018 and the upcoming Data (Use and Access) Bill.
Related guides
UK GDPR Rights for Individuals
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) give individuals in the UK eight legally enforceable rights over how organisations collect, store, and use their personal data. These rights apply whether the data is held by a business, public body, or online platform.
Data Subject Access Requests
A Subject Access Request (SAR) is a formal request you can make to any organisation asking them to provide a copy of all personal data they hold about you and information about how it is used. It is one of your most powerful rights under UK GDPR and is entirely free in most cases.
Right to Erasure (Right to be Forgotten)
The right to erasure — sometimes called the "right to be forgotten" — allows you to request that an organisation delete your personal data in certain circumstances. It is one of eight rights under UK GDPR and can be a powerful tool for removing outdated, irrelevant, or unlawfully held data about you from online platforms and databases.