Category: Compliance & AML · Reviewed by Chrissie Anderson, Client Executive · Last reviewed June 2026
The UK’s principal data protection statute — derived from the EU General Data Protection Regulation as retained and adapted in UK law — governing the processing of personal data by controllers and processors.
The UK GDPR is the operative version of the General Data Protection Regulation (Regulation (EU) 2016/679) in UK law. It governs the processing of personal data — the principles of processing, the lawful bases, the rights of data subjects, the obligations of controllers and processors, international transfers, and the powers of the Information Commissioner’s Office (ICO).
The UK GDPR is the retained EU law version of Regulation (EU) 2016/679 (classed as "assimilated law" since 1 January 2024 under the Retained EU Law (Revocation and Reform) Act 2023), with modifications made under the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419). It must be read together with the Data Protection Act 2018, which supplements and qualifies it in UK law. The Data Protection and Digital Information Bill lapsed when Parliament was dissolved in May 2024; its successor, the Data (Use and Access) Act 2025, makes further amendments to the UK GDPR and the Data Protection Act 2018, brought into force in stages by commencement regulations.
UK GDPR Article 5 sets the seven data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (the six in Article 5(1)); and accountability (Article 5(2)). Article 6 sets the lawful bases for processing. Article 9 prohibits processing of special category data unless one of the Article 9(2) conditions applies. Chapter III (Articles 12–23) sets the data subject rights. Chapter IV (Articles 24–43) sets controller and processor obligations, including security of processing (Article 32), personal data breach notification to the ICO and to data subjects (Articles 33 and 34) and data protection impact assessments (Article 35). Chapter V (Articles 44–49) sets the international transfer rules. Chapter VIII (Articles 77–84) sets remedies and penalties, including administrative fines with a higher maximum of £17.5m or 4% of total worldwide annual turnover, whichever is higher (the standard maximum is £8.7m or 2%).
The UK GDPR operates alongside (and in places is modified by) the Data Protection Act 2018. For electronic direct marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) impose additional consent and transparency rules on top of the UK GDPR lawful basis. Transfers of personal data to jurisdictions not covered by UK adequacy regulations require Article 46 appropriate safeguards (typically the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses), supported by a transfer risk assessment, unless an Article 49 derogation applies.
An insurance broker processes policyholder personal data on the lawful basis of contract performance (Article 6(1)(b)) and, for prospect and marketing activity, legitimate interests (Article 6(1)(f)) with the balancing test documented; any electronic direct marketing remains subject to PECR. Special category health data captured for underwriting purposes is processed under Article 9(2)(g) (substantial public interest), relying on the insurance condition in Data Protection Act 2018 Schedule 1 Part 2 paragraph 20, with the appropriate policy document required by Schedule 1 Part 4 in place. Article 9(2)(h) (health or social care purposes) does not cover insurance underwriting; where the insurance condition cannot be relied on, explicit consent (Article 9(2)(a)) is the usual alternative.
UK GDPR (retained Regulation (EU) 2016/679, as amended). Data Protection Act 2018. Data (Use and Access) Act 2025. European Union (Withdrawal) Act 2018. Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419). Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).
By Matt Bartlett, Director, on 2026-06-11.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.