United Kingdom

The ICO is an independent authority with powers to investigate, audit, fine, and issue enforcement notices. One of the most active DPAs globally with extensive guidance.

Same as GDPR — six lawful bases including consent and legitimate interests. Consent must be freely given, specific, informed, and unambiguous.

Full suite of GDPR rights: access, rectification, erasure, restriction, portability, objection, and automated decision-making rights.

UK maintains its own adequacy decisions. EU adequacy for UK in place. International Data Transfer Agreement (IDTA) replaces EU SCCs. UK extension to EU-US DPF in place.

72-hour notification to ICO for breaches posing risk to individuals. Communication to affected individuals if high risk.

Mandatory for public authorities, large-scale systematic monitoring, and large-scale special category data processing. Same criteria as GDPR.

Age of consent set at 13 (lower than GDPR default of 16). ICO Age Appropriate Design Code imposes obligations on online services likely to be accessed by children.

Two-tier fines mirroring GDPR. ICO has issued significant fines including GBP 20M to British Airways and GBP 18.4M to Marriott (later reduced).

PECR governs electronic marketing and cookies. Financial Conduct Authority, NHS, and education sectors have additional data requirements.

PECR requires consent for non-essential cookies. ICO actively enforces. Similar framework to EU ePrivacy Directive.

UK GDPR Article 22 applies. UK AI governance framework takes a sector-specific, principles-based approach rather than horizontal regulation.

No data localisation requirements. UK promotes free flow of data with appropriate safeguards for international transfers.

No direct equivalent. DPO and DPIA requirements based on processing scale and risk serve a similar function.

National security exemption in DPA 2018. Law enforcement processing under Part 3. Intelligence services under Part 4 with separate regime.