United Kingdom


United Kingdom Topic Page

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in the United Kingdom. The IAPP Resource Center also includes a “Europe” topic page, which can be accessed here.

Featured Resources


UK-US Data Bridge becomes law

U.K. Parliament approved secondary regulations to finalize a U.K.-U.S. adequacy agreement. IAPP Research and Insights Director Joe Jones has details on the agreement, which he helped draft during his prior work with the U.K. government.
Read More


UK digital regulators discuss interagency enforcement, AI governance coordination

This article focuses on U.K. digital regulators’ coordinated enforcement efforts with an eye toward developing common standards for artificial intelligence governance.
Read More


London calling: Digital regulation and AI governance

The U.K. Digital Regulation Cooperation Forum brings together four U.K. regulators — the Competition and Markets Authority,  the Information Commissioner’s Office, the Office of Communications and the Financial Conduct Authority. This LinkedIn Live discusses the work and priorities of the DRCF on AI governance and beyond.
Read More


UK data protection reform: An overview

On 8 March 2023, the U.K. government introduced the Data Protection and Digital Information (No. 2) Bill to Parliament. Its objective is to “update and simplify” the U.K.’s data protection laws and certain other legislation. This article sets out a comprehensive summary of the changes in comparison to the GDPR.
Read More


Top ten takeaways from the draft UK GDPR reform

IAPP Research and Insights Director Joe Jones, who previously worked as the deputy director of international data transfers at the Department for Digital, Culture, Media and Sport, parsed through the 212-page Data Protection and Digital Information Bill and offers his initial thoughts, along with the top takeaways.
Read More


Privacy Around the Globe: United Kingdom

In this session, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, connects with IAPP Research and Insights Director Joe Jones to take a close look at the changing privacy landscape in the United Kingdom.
Read More

Additional News and Resources

Study: UK IT experts worried workplaces not ready for AI

A study of 500 information technology specialists in the U.K. found one-third of professionals have not received any artificial intelligence training and nearly half have no workplace policies for the technology, Infosecurity Magazine reports. Nearly all specialists said they were worried about their organization's ambitions for AI because of inadequate preparation.Full story... Read More

ICO publishes workplace monitoring guidance

The U.K. Information Commissioner's Office released guidelines for lawful employee monitoring in the workplace. ICO-commissioned research showed 70% of the public views employee monitoring as an invasion of privacy. Deputy Commissioner Emily Keaney said the guidance, aimed at public and private-sector employers, will "remind organisations that business interests must never be prioritised over the privacy of their workers" and "transparency and fairness are key to building trust."Full story... Read More

UK government publishes E2E encryption, child safety guidance

The U.K. Home Office released guidelines on the interplay between end-to-end encryption standards and children's safety as it relates to the recently passed U.K. Online Safety Bill. The office explained the overlap between the two topics, Meta's leading example on the matter, and current techniques and technological solutions being used. Notably, the guidance also lays out the application of the Online Safety Bill in the encryption-child safety context.Full story... Read More

UK passes Online Safety Bill

The U.K. Parliament passed the Online Safety Bill. Secretary of State for Science, Innovation and Technology Michelle Donelan called the bill "a game-changing piece of legislation" with a "common-sense approach." Once the bill becomes law, after receiving Royal Assent, the Office of Communications will take a phased approach to bringing it into force. Companies could face fines of up to 18 million GBP or 10% of their global annual revenue for noncompliance. Full story... Read More

ICO issues guidance on protecting workers' health data

The U.K. Information Commissioner's Office published guidance to help employers understand data protection obligations under the U.K. General Data Protection Regulation and Data Protection Act when handling employees' health information. The ICO said the guidance will "provide greater regulatory certainty," "protect workers' data protection rights" and "help employers to build trust with workers."Full story... Read More

ICO publishes guidance on email communications

The U.K. Information Commissioner's Office warned organizations against using the blind carbon copy function when sending emails containing sensitive personal information. The ICO also published guidance for organizations on protecting personal information when sending bulk emails. "Organisations that use and share large amounts of data, including sensitive personal information, should consider using other secure means to send communications, such as bulk email services, so information is not sh... Read More

UK product security obligations and liability

Beyond security obligations and liabilities for controllers and processors under the EU and U.K. General Data Protection Regulations and the U.S. Federal Trade Commission's reasonable security measures requirements, other security-related laws are being enacted. Privacy professionals must be aware of the overlaps between data protection and other security-related laws, not just because of their relevance to liability for security under privacy laws but because compliance with these laws will lik... Read More

GDPR fine calculation: A look at the EDPB's new guidelines and the UK's approach

The EU General Data Protection Regulation, which came into effect pre-Brexit in May 2018, introduced a consistent framework of fines to enforce compliance with data protection regulations across the EU. Some five years later, the European Data Protection Board released new guidelines on calculating administrative fines under the GDPR 24 May. These new guidelines aim to provide clarity and consistency in the calculation of fines across all EU member states and, in the EDPB's own words, "aim to ha... Read More

UK releases white paper on AI regulatory framework

The U.K. Department for Science, Innovation and Technology published a white paper with its approach to regulating artificial intelligence technologies. The regulatory framework seeks to "build public trust in cutting-edge technologies and make it easier for businesses to innovate, grow and create jobs." The approach consists of five AI principles: safety, transparency, fairness, accountability and governance, and redress. U.K. regulators will roll out guidance within the next 12 months to help ... Read More

ICO releases new UK GDPR certification scheme

The U.K. Information Commissioner’s Office approved the fourth set of U.K. General Data Protection Regulation certification scheme criteria for training and qualifying service providers. The scheme's intention will "enable … candidates to make informed choices when applying for training" programs so they can maintain confidence their personal data is being processed in accordance with the law. Other certification schemes released so far cover secure disposal and reuse of IT equipment, age assura... Read More

DPI: UK dispatch: Enforcement, data flows and UK reforms on the docket

Several significant figures in the privacy landscape shared their thoughts on the keynote stage at the IAPP Data Protection Intensive: U.K. here in London Thursday. The state of play and future of EU enforcement and international data transfers were the focus of a keynote panel moderated by IAPP Research and Insights Director Joe Jones and featuring former U.K. Information Commissioner and current Baker McKenzie International Advisor Elizabeth Denham and NOYB Honorary Chair Max Schrems.  Separa... Read More

Edwards talks data reform, ‘deliberate,’ ‘approachable’ ICO

Amid the introduction of a new data protection reform bill Wednesday, U.K. Information Commissioner John Edwards said the goals within the ICO25 strategic plan "are not predicated or dependent on law reform." "We can still achieve everything we’ve set out to achieve regardless of the direction the law goes in, within certain limits, but I’m very confident of those limits," Edwards said in a keynote address at the IAPP Data Protection Intensive: U.K. in London, reflecting on his first year in of... Read More

UK introduces draft data protection reform

The U.K. released draft data protection reform of its General Data Protection Regulation. On Wednesday, U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament.  The first version of the reform bill was originally proposed by the government in July 2022 but was put on pause last September in the wake of Liz Truss's then-appointment as prime minister.  "Co-designed with business from the st... Read More

UK PM overhauls government departments, including focus on innovation and tech 

U.K. Prime Minister Rishi Sunak announced the creation of four new government departments, including a dedicated Department for Science, Innovation and Technology focused on technical innovations. The changes remove digital and data policy responsibility from the Department for Culture, Media and Sport and create the DSIT. The department will “drive the innovation that will deliver improved public services, create new and better-paid jobs and grow the economy,” a press release stated. “Having ... Read More

UK, DIFC commit to updated data partnership

The U.K. government and Dubai International Financial Centre Authority released a joint statement committing to increased facilitation of personal data flows. The two sides called the new agreement "a robust data bridge" that will help realize "the benefits of the important role that the trustworthy use of data across borders play." The U.K. and the DIFC indicated a mutual understanding on "the importance of existing and future regulatory cooperation as a means of enhancing our objectives."Full ... Read More

Japan, UK reach digital partnership

Leaders in the U.K. and Japan have established the U.K.-Japan Digital Partnership, a framework to "jointly deliver concrete digital policy outcomes" for citizens, businesses and economies. The partnership will focus initially on four pillars: digital infrastructure and technologies, data, digital regulation and standards, and digital transformation. The countries noted the work ahead of them includes "championing data flows," exploring joint collaboration on data innovation measures and working ... Read More

DPC 2022: DCMS braces for fresh look at proposed data protection reform

Work on the proposed U.K. Data Protection and Digital Information Bill is about to gain steam once again. U.K. Department for Digital, Culture, Media and Sport Deputy Director for Domestic Data Protection Policy Owen Rowland told privacy professionals at the IAPP Data Protection Congress 2022 in Brussels, Belgium, that the latest consultation on the stalled bill will begin shortly. The bill previously laid dormant since its introduction to the U.K. House of Commons in July prior to the governme... Read More

The value of a UK representative: A response to the DPDI Bill

In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process.... Read More

UK unveils data reform bill, proposes AI regulation

The U.K. government Monday introduced a pair of post-Brexit data reform initiatives aimed at guiding responsible use of data while promoting innovation in the economy, according to two government releases.  In the House of Commons, the government released the Data Protection and Digital Information Bill. In a separate statement, Minister for Media, Data and Digital Infrastructure Matt Warman said the data protection reform bill will help "transform the UK's independent data laws."  In parallel... Read More

UK Data Reform: Will the UK become a privacy island paradise?

Original broadcast date: June 27, 2022 In this LinkedIn Live event, IAPP Director of Research and Insight Mark Thompson, CIPP/E, CIPM, CIPT, FIP, Centre for Information Policy Leadership Senior Data Strategy and Privacy Policy Advisor Vivienne Artz, IAPP Europe Managing Director Isabelle Roccia, and IAPP Senior Westin Research Fellow Jetty Tielemans will discuss the proposed changes, similarities with existing regulatory structures, what it could mean for the U.K. data protection regime and mor... Read More

Consent as legal basis for EU and UK employment

Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Article 6, 7 and Recitals 32, 33 and 43). In the employment context, consent is deemed to be problematic. An actual or per... Read More

A conversation with UK Information Commissioner John Edwards

Since becoming U.K. Information Commissioner, John Edwards has been busy. Officially taking the reins Jan. 4, Edwards embarked on a listening tour to learn the ins and outs of the U.K. The former New Zealand Privacy Commissioner gave his first major public speech since heading up the ICO at the IAPP Data Protection Intensive in London last month and joined German Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber for a “commissioner’s chat” at the IAPP Global Priva... Read More

The UK data policy and possible divergences with the European Union

In December 2020, the British government presented its national data strategy, outlining its ambition to unlock data value and promote responsible growth by reducing the administrative burden on technology innovators and digital entrepreneurs. The strategy prompted concerns in Brussels that the new U.K. data policy might strive away from the EU General Data Protection Regulation. In early 2020, Prime Minister Boris Johnson announced that the U.K. would establish its own "sovereign" rules in the... Read More

UK, German DPAs talk regulatory priorities, privacy complexities

Addressing a room full of privacy professionals at the IAPP Global Privacy Summit 2022, U.K. Information Commissioner John Edwards envisioned many would be looking to regulators to “just tell us what we need to do” to minimize risks, reach compliance and reduce associated costs. “That’s fine,” Edwards said. But he was quick to point out, the most “important thing” about privacy and data protection is “the human story.” “You’re going to see your drug counselor later today. You made that insuran... Read More

Data transfers, UK GDPR reform top of mind at DPI: UK

Among the many topics top of mind for privacy pros at the IAPP Data Protection Intensive: UK in London is proposed reforms to the UK General Data Protection Regulation and the future of transborder data flows. This comes as the U.K.'s post-Brexit international data transfers agreement officially went into force Monday and negotiations around the current trans-Atlantic impasse continue behind the scenes.  A day after U.K. Information Commissioner John Edwards made his first major public speech s... Read More

The way the third-party cookie crumbles: Part 1 – EU and UK developments

Third-party cookies have long been “the glue that holds together the independent ad tech world.” Far surpassing their original purpose of giving “memory” to websites, these cookies are heavily relied upon by marketers to analyze and track online users. Indeed, cookie-based targeted advertisements are the reason why websites can sustain their “free” business models. But what’s good for industry has not been good for user privacy—and the tide is starting to turn. Part one of this two-part series ... Read More

The UK's new plans for data transfers: An interview with Joe Jones

On Aug. 26, the United Kingdom announced big new plans for international data transfers. As one of the world’s largest economies, a long-time leader in multilateral privacy fora, and a frequent interpreter between European and U.S. approaches to data protection, the U.K. is well-positioned to innovate in this endlessly challenging and integral policy arena. Last week, I had the opportunity to discuss the U.K.’s plans with Joe Jones, Deputy Director of International Data Transfers at the U.K. De... Read More

UK launches wide-ranging data reform initiative

A period of transition for the U.K. data regime has morphed into a complete overhaul. Along with its recent announcement on the future of international data transfers, the U.K. government is now planning further shakeups that could dramatically alter the country's data protection landscape. U.K. Secretary of State for Digital, Culture, Media and Sport Oliver Dowden announced Thursday the government opened a consultation on a series of reforms aimed at reshaping the U.K.'s use and regulation of ... Read More

UK announces independent adequacy decisions; Edwards named ICO top candidate

Plenty of questions around data transfers emerged within the U.K. following Brexit, and it seems the privacy industry is starting to get some answers. In June, the European Commission adopted a pair of adequacy decisions for the U.K., and now the British government has laid out a new slate of initiatives to clarify the picture even further. The U.K. plans to strike independent data adequacy decisions with its international partners, with the goal of delivering alternative data transfer mechani... Read More

European Commission adopts UK adequacy decisions

Almost five years to the day from when the Brexit vote took place, the questions around U.K. adequacy have been laid to rest, at least for now. The European Commission announced it officially adopted a pair of adequacy decisions for the U.K., one for the EU General Data Protection Regulation and another for the Law Enforcement Directive. The announcement comes just days before the "bridging mechanism" for data transfers between the EU and U.K. was set to expire. "The U.K. has left the EU but t... Read More

NIS representation in the EU and UK — Was the March 31 deadline a turning point?

Under the recent amendments to the U.K. Network and Information System Regulations, digital service providers needed to appoint a NIS representative by March 31, 2021, in the U.K. The NIS Directive (EU 2016/1148 – NISD) aims to achieve a high standard network and information systems security in the European Union, including the U.K. when initiated. It applies to two types of organizations: operators of essential services and DSPs.   Due to its legal nature, the NIS Directive is different from ... Read More

GDPR representatives in EU and UK after Brexit

With the Brexit transitional period ending, the beginning of the year finally brought some clarity about the future of data flows between the EU and U.K. A legally dubious, as not explicitly permitted by the EU General Data Protection Regulation, interim agreement on transborder data flows has been part of the EU-U.K. Trade and Cooperation Agreement and grants a temporary respite for privacy professionals, as well as lawmakers to prepare an adequacy decision. However, the obligations to appoint ... Read More

Draft UK adequacy decisions — A somewhat lukewarm embrace?

On Feb. 19, 2021, the European Commission, making use of the powers conferred to it by Article 45(3) of the EU General Data Protection Regulation, released two draft decisions on the adequate protection of personal data by the U.K.: one under the General Data Protection Regulation, the other under the Law Enforcement Directive. If approved, the decisions would grant adequacy status to the U.K. under the GDPR and LED, thereby ensuring EU personal data can continue to flow freely to the U.K., now ... Read More

Government leaders discuss state of play for UK adequacy, data transfers

After years of uncertainty in the wake of the U.K.'s vote in 2016 to leave the EU, there are finally sign posts for privacy pros to look to as both regions aim to secure cross-border data transfers through U.K. adequacy. In a massive trade agreement signed last Christmas Eve, both regions secured a temporary transfer period that provides the U.K. government and European Commission time to complete an adequacy agreement.  But, of course, the clock is ticking.  "We don't see why the U.K. shouldn... Read More

Data brokers under the spotlight: A commentary on the ICO vs. Experian case

Data brokers, data processing, credit agencies  — for some of us, these terms are mere ambiguities, while for others, common technology buzzwords. For the U.K. legal scene, though, they describe one of the most discussed cases, involving some billion-dollar industries that operate under the radar: "Credit Reference Agencies" and data brokers. The U.K. Information Commissioner's Office recently ordered the credit reference agency Experian to obey its enforcement order and make critical modifica... Read More

UK, EU reach interim data flow agreement

After years of wrangling and with the clock ticking louder by the day, British and European negotiators provided a temporary grace period for data flows to continue between the EU and U.K. In the Trade and Cooperation Agreement signed between the EU and U.K. Dec. 24, 2020, data transfers for business and law enforcement purposes can continue until adequacy decisions under the EU General Data Protection Regulation and the Law Enforcement Directive are approved before the end of a six-month grace ... Read More

Online Harms White Paper — UK Government

This white paper sets out the U.K.’s ambitious vision for online safety, including a new regulatory framework to tackle a broad range of harms, the development of a safety-by-design framework and support for innovation in safety technologies, and a new online media literacy strategy. Click To View ... Read More