The UK General Data Protection Regulation (UK GDPR) is a UK law that took effect on 01 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679), which was applied in the UK before that date, with some changes to make it work more effectively in a UK context.
The DPA 2018 sets out the framework for data protection law in the UK. It was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.
It sits alongside and supplements the UK GDPR - for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers
The UK GDPR tells data controllers (organisations such as the council) how to use, collect and share personal data in a legal and fair way.
The Principles of the UK GDPR tell the council that they must process (use) your personal data in the following ways:
- In a fair and transparent way which keeps you informed about how your data is used
- In a legal way that complies with the UK GDPR and all other laws
- For the specific purposes that we have told you about
- In a way that means we only use the correct amount of data and don’t use data about you that we don’t need
- Kept accurately and up-to-date
- Kept for no longer than is necessary, as advised by law and best practice
- Stored securely and protected from loss and unauthorised access
The Information Commissioner’s Office is the regulator of data protection law in the UK. They have produced a guide to the UK GDPR which provides individuals and organisations with advice regarding the legislation.
Your rights
The UK General Data Protection Regulation gives individuals a wide range of rights that they can use with any organisation that holds their personal data. Whilst the rights themselves are a crucial part of the legislation, please be aware that they are not absolute and exemptions may be applied by the Council where appropriate.