UK GDPR — Data Protection Act 2018

What is UK GDPR? — your data rights explained in plain English

UK GDPR (the UK’s version of the General Data Protection Regulation, retained after Brexit) gives every person in the UK fundamental rights over their personal data and a legal right to claim compensation when organisations mishandle it. Here’s everything you need to know.

The basics
What is UK GDPR and why does it matter?
UK GDPR is the law that governs how organisations collect, store, use and share your personal data. It applies to any organisation that holds your data — your employer, your bank, the NHS, retailers, and social media platforms. Crucially, Article 82 of UK GDPR gives you the right to claim compensation from any organisation that breaches the regulation and causes you distress or financial harm.

Six key rights UK GDPR gives you

Right to access (Subject Access Request)

You can request, free of charge, all personal data an organisation holds about you, and the organisation must answer within 30 days. A Subject Access Request is often the starting point for a data breach compensation claim, because the response shows what data was held and how it was handled.

Right to erasure (“right to be forgotten”)

You can request that an organisation deletes your personal data in certain circumstances — for example, if they no longer need it for the purpose for which they collected it.

Right to rectification

You can request that inaccurate personal data held about you is corrected. The organisation must respond within one month.

Right to restrict processing

You can request that an organisation stops actively using your data while a dispute is resolved, without requiring them to delete it.

Right to data portability

You can request your data in a machine-readable format and transfer it to another organisation, where technically feasible.

Right to compensation (Article 82)

If an organisation violates UK GDPR and you suffer distress or financial loss as a result, you have a statutory right to claim compensation — even without financial loss.

When can you claim compensation under UK GDPR?

Article 82 UK GDPR gives you the right to claim compensation from any organisation (called a “controller” or “processor”) that breaches UK GDPR and causes you harm. You need to show:

1. A UK GDPR violation occurred

For example: your data was shared without consent, accessed without authorisation, stored insecurely, or retained longer than necessary. A data breach notification letter from the organisation is strong evidence of this.

2. You suffered damage

Damage can be material (financial loss — e.g. identity fraud resulting from the breach) or non-material (distress, anxiety, loss of control over your personal data). Non-material damage alone is sufficient following the CJEU ruling in UI v Österreichische Post (2023).

3. A causal link between the violation and the damage

The distress or financial loss must result from the specific UK GDPR breach. For example, anxiety caused by knowing your medical records were accessed without authorisation.

If you can show these three elements, you have the basis for a compensation claim under Article 82 UK GDPR.

What to do if your rights are violated

1. Complain directly to the organisation

All organisations must have a complaints process for data issues. Start here. They must respond within 30 days.

2. Complain to the ICO

The Information Commissioner’s Office (ico.org.uk) is the UK’s data regulator. It investigates GDPR breaches for free. An ICO finding against an organisation strengthens a compensation claim.

3. Claim compensation

If the breach caused you distress or financial loss, consult a data protection solicitor about an Article 82 compensation claim. Most data breach specialists work on a no win, no fee basis.

Frequently asked questions

Does UK GDPR apply after Brexit?
Yes. UK GDPR is the domestic version of the EU’s General Data Protection Regulation, retained in UK law by the Data Protection Act 2018 and the UK GDPR Regulations 2019. It is substantially identical to EU GDPR. The UK also benefits from an EU GDPR adequacy decision, which allows personal data to flow between the UK and the EU.
What is the ICO and what can it do?
The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulator. It can investigate organisations, issue enforcement notices, and impose fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious breaches. ICO complaints are free and the ICO must acknowledge your complaint within 30 days.
Is there a time limit for claiming compensation under UK GDPR?
In England and Wales, the limitation period for a UK GDPR Article 82 compensation claim is 6 years from when the breach occurred (or when you became aware of it). In Scotland, the period is 5 years. Always seek legal advice promptly if you think you have a claim.
Disclaimer: General information only, not legal or financial advice. Consult a qualified specialist for your situation.