UK GDPR and Data Protection Act 2018 Overview


Summary

The Information Commissioner's Office published a guide explaining the UK's data protection framework under the UK General Data Protection Regulation and the Data Protection Act 2018. The guide covers the seven data protection principles that organisations must follow when handling personal data, including requirements for fairness, lawfulness, transparency, data minimisation, accuracy, storage limitation, and security. It also outlines individual rights under the legislation and provides contact details for the ICO.

Published by ICO on gov.uk. Detected, standardized, and enriched by GovPing.

What changed

The Information Commissioner's Office published this overview page explaining the UK's data protection legislation framework. The guide restates the seven data protection principles: data must be used fairly, lawfully, and transparently; for specified explicit purposes; in an adequate, relevant, and limited manner; accurately and kept up to date; kept only as long as necessary; and handled with appropriate security. It also notes stronger protections for sensitive information categories including race, ethnic background, political opinions, religious beliefs, genetics, biometrics, health, and sex life or orientation.

Organisations and government departments that process personal data should use this guide as a reference for understanding their baseline obligations under UK GDPR and the Data Protection Act 2018. The ICO notes it enforces these rules and can be contacted for advice or to make a complaint about an organisation's data handling practices.

Archived snapshot

Apr 20, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Data protection

The UK's data protection legislation

Data protection legislation controls how your personal information is used by organisations, including businesses and government departments.

In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ unless an exemption applies. There is a guide to the data protection exemptions on the Information Commissioner’s Office (ICO) website.

Anyone responsible for using personal data must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the legislation, you have rights in relation to your personal data, with some exceptions. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behaviour or interests

If you’re concerned about how an organisation is handling your personal data

Contact the ICO for advice or to make a complaint.

ICO
Telephone: 0303 123 1113
Textphone: 18001 0303 123 1113
Monday to Friday, 9am to 5pm
Find out about call charges

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You can find more contact details on the ICO website.


What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from ICO.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: ICO
Instrument: Notice
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Businesses, Government agencies
Industry sector: 5112 Software & Technology
Activity scope: Data protection compliance, Personal data processing
Geographic scope: United Kingdom (GB)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Compliance frameworks: GDPR
Topics: Consumer Protection, Healthcare
