UK General Data Protection Regulation
The UK's retained version of the EU General Data Protection Regulation. Establishes principles for data processing (lawfulness, fairness, transparency,…
Authority catalogue v1.12.27 data current as of
Read the source at legislation.gov.uk ↗
- Citation
- Retained EU Regulation 2016/679
- Jurisdiction
- England, Wales, Scotland & Northern Ireland
- Year
- 2018
- Status
- Primary
- Certainty
- Settled
In brief
The UK's retained version of the EU General Data Protection Regulation. Establishes principles for data processing (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, accountability). Article 9 defines special categories of personal data including data concerning health and sex life/sexual orientation.
Key provisions
- Article 5 — Principles relating to processing of personal data: Sets out the core data protection principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability.
- Article 6 — Lawfulness of processing: Sets out the six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
- Article 9 — Processing of special categories of personal data: Prohibits processing of special categories of personal data (including data concerning health, sex life, and sexual orientation) except where a specific condition in Article 9(2) is met.
- Article 13–14 — Information to be provided to data subjects: Requires data controllers to provide data subjects with information about how their personal data is processed, including the purposes, lawful basis, retention periods, and their rights.
- Article 15 — Right of access: The right of access: data subjects can request a copy of their personal data and information about how it is processed.
- Article 17 — Right to erasure: The right to erasure ("right to be forgotten"): data subjects can request deletion of personal data where there is no compelling reason for continued processing.
- Article 35 — Data protection impact assessment (DPIA): Requires a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of individuals, particularly when using new technologies or processing special category data at scale.
When relevant
DPIA requirements when processing gender identity data, lawful basis for holding transition-related records, data subject rights regarding gender markers in HR and IT systems.
Take this further
Assess your organisation
See how your policies and practice measure up against this authority — and the other 121 in the catalogue — with the toolkit's free diagnostic.
Related reading
Browse the full authority catalogue or the toolkit's resources hub for more context.
Contains public sector information licensed under the Open Government Licence v3.0 .