UK GDPR and the Data Protection Act 2018: a compliance guide for businesses
The UK GDPR is the retained version of the EU General Data Protection Regulation that became domestic law after Brexit. Together with the Data Protection Act 2018, it governs how organisations collect, store, process and share personal data. Any company operating in the UK — or processing personal data of UK residents — must comply. The ICO enforces both and can fine up to £17.5 million or 4% of global annual turnover.
UK GDPR and the Data Protection Act 2018
The Data Protection Act 2018 (DPA 2018) provides the domestic scaffolding that supplements the UK GDPR. Together they establish four core obligations for organisations:
- Mandatory breach notification. A personal data breach that poses a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours of discovery. If the breach is likely to result in high risk, affected individuals must also be notified without undue delay. Organisations must maintain a breach register even for incidents not reported to the ICO.
- Data protection by design and default. Technical and organisational measures must be integrated into systems from the outset, not bolted on afterwards. The default settings for any product or service must be the most privacy-protective option available. This obligation directly shapes how software is architected and how application security reviews are conducted.
- Accountability requirements. Organisations must document their processing activities, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, and demonstrate compliance on demand. Appointing a Data Protection Officer (DPO) is mandatory for public authorities and for organisations that carry out large-scale systematic monitoring of individuals.
- Lawful basis for processing. Every processing activity must rest on one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Organisations must document the basis chosen and ensure it is appropriate for the specific activity.
Data (Use and Access) Bill (October 2024)
The Data (Use and Access) Bill, introduced to Parliament in October 2024, proposes selective reforms to the UK data protection framework rather than a wholesale replacement. Key areas include:
- Simplifying the rules around automated decision-making and profiling.
- Introducing a new framework for "recognised legitimate interests" that reduces the need for case-by-case balancing tests in certain low-risk scenarios.
- Clarifying rules around scientific research and data reuse.
- Strengthening the ICO's enforcement and information-gathering powers.
The Bill does not remove core rights such as the right of access, rectification or erasure, so organisations' existing compliance programmes remain valid. Companies should monitor Parliamentary progress and update their records of processing activities when the Bill receives Royal Assent.
FCA (Financial Conduct Authority)
The Financial Conduct Authority is the UK's principal financial regulator for conduct and consumer protection. For organisations in financial services, the FCA operates in parallel with data protection law and adds sector-specific requirements:
- AI in fintech. In April 2024 the Bank of England, the Prudential Regulation Authority (PRA) and the FCA confirmed that the existing regulatory framework is sufficient to govern AI in financial services, while committing to develop additional guidance.
- Consumer Duty. In force since July 2023, Consumer Duty requires firms to deliver good outcomes for retail customers — including fair treatment of data used in automated decisions and personalisation.
- Vulnerability management. FCA-supervised firms must demonstrate operational resilience and rapid remediation whenever a vulnerability could expose customer data or disrupt services.
FCA and ICO coordination
Financial services organisations face a dual compliance challenge: the FCA governs conduct and systemic risk, while the ICO governs personal data. In practice this means:
- A breach affecting customer financial data triggers both a 72-hour ICO notification and a separate FCA notification under PRIN 11 (regulators must be informed of material developments).
- AI-driven credit scoring or fraud detection must satisfy both the ICO's data protection impact assessment requirements and the FCA's explainability and fairness expectations.
- The FCA and ICO have published a joint statement committing to coherent guidance on AI, but organisations cannot wait: both frameworks apply today.
Using the NIST Cybersecurity Framework as a baseline helps bridge both regulators' expectations around risk identification, protection and detection.
What companies operating in the UK must implement
To meet the combined requirements of UK GDPR, DPA 2018 and FCA expectations, organisations should have the following controls in place:
- Records of Processing Activities (RoPA): A documented inventory of all personal data processing, with lawful bases, retention periods and security measures.
- Breach response plan: A tested procedure to detect, contain, assess and notify breaches within 72 hours.
- Data Protection Impact Assessments: A formal DPIA process triggered by high-risk processing activities, particularly those involving new technologies or large-scale profiling.
- Privacy by design integration: Security requirements embedded in the software development lifecycle, with cybersecurity controls validated before production deployment.
- Vendor and third-party management: Data processing agreements (DPAs) in place with all processors, including cloud providers and SaaS vendors.
- Staff training: Regular awareness training on data handling obligations, phishing and social engineering — the most common triggers for reportable breaches.
For organisations handling financial data, these controls also satisfy the FCA's operational resilience expectations under PS21/3 and the Consumer Duty framework. Companies subject to the PSTI Regulations should also review the requirements set out in PSTI Regulations UK: product cybersecurity requirements.
Need to assess your UK GDPR readiness? Contact WhiteJaguars and our team will help you identify gaps and build a compliant programme.