Marketing compliance: PECR and UK GDPR
- 7 steps
Retained EU Law
2016
United Kingdom
UK GDPR (retained EU law)
At a glance
Enforced by
What's here
253 compliance obligations, 39 practical guides across 5 topics · 34 journeys
Penalty landscape
197 of 253 obligations carry a fine up to £17,500,000. 3 carry different penalties and 53 have no criminal penalty — flagged in the list below.
Who this Act binds
Business-side actors with duties under this Act, ranked by how often they appear.
- Data Controller 210
- Employer 14
- Data Processor 14
- Any Person 8
- Trader 1
Plus 6 non-business duties on Crown ministers, regulators, local authorities or tribunals — shown collapsed under each section below.
Step-by-step journeys using this legislation
Walkthroughs that take you from a real business situation to compliance.
Comply with the Online Safety Act from scratch
- 1 step
Respond to a data breach
- 5 steps
- 29 requirements
Data breach 72-hour checklist
- 4 steps
- 28 requirements
Start using AI responsibly in your business
- 7 steps
- 14 requirements
AI compliance quick check
- 9 steps
- 14 requirements
Relevant guidance
Practical guides for businesses affected by this Act, ordered by how closely they engage with it.
Direct — cites this Act
20 guidesAI compliance checklist
AI transparency and explainability obligations
Assess your AI compliance obligations
Carry out a data protection impact assessment (DPIA)
Create a data retention policy
Data Use and Access Act 2025: what changed for businesses
Data protection annual compliance checklist
Data protection for businesses
Supporting — topic alignment
7 guidesMentioned in related content
12 guides- AI Regulation Framework
- AI compliance for financial services firms
- AI medical device compliance
- Annual retail compliance checklist
- Approvals and registrations you need before trading
- Cookie consent: comply with PECR requirements
- Cyber security requirements for UK businesses
- Data protection for security CCTV and body-worn cameras
- Electronic marketing rules (PECR)
- Mandatory registrations every business must complete
Other Acts binding the same actors
For each actor bound by this Act, the other UK Acts that bind them most often. Useful for understanding the full compliance landscape facing each role.
Data Controllers also bound by 7 other Acts (top 5 shown)
- Data Protection Act 2018 2018 46 duties
- Privacy and Electronic Communications Regulations 2003 2003 5 duties
- Equality Act 2010 2010 1 duty
- Data Protection (Charges and Information) Regulations 2018 2018 1 duty
- The Waste and Contaminated Land (Northern Ireland) Order 1997 1997 1 duty
Employers also bound by 171 other Acts (top 5 shown)
- Provision and Use of Work Equipment Regulations 1998 1998 204 duties
- The Income Tax (Pay As You Earn) Regulations 2003 2003 201 duties
- Electricity at Work Regulations 1989 1989 55 duties
- Fire Safety (Scotland) Regulations 2006 2006 51 duties
- TULRCA 1992 1992 47 duties
Any Person also bound by 749 other Acts (top 5 shown)
- Human Medicines Regulations 2012 2012 110 duties
- Licensing Act 2003 2003 105 duties
- Merchant Shipping Act 1995 1995 97 duties
- Road Traffic Act 1988 1988 95 duties
- Air Navigation Order 2016 2016 86 duties
Traders also bound by 219 other Acts (top 5 shown)
- Value Added Tax Regulations 1995 1995 952 duties
- TULRCA 1992 1992 39 duties
- Companies Act 2006 2006 39 duties
- Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 2013 39 duties
- The Customs (Import Duty) (EU Exit) Regulations 2018 2018 33 duties
What this Act requires
Sections that create concrete duties on businesses or carry penalties. Procedural and definitional sections are folded into the “Browse other sections” expander at the bottom of each group. Click any section title to read the source text on legislation.gov.uk.
Principles relating to processing of personal data
Fine up to £17,500,000- Adhere to the six data protection principles and prove compliance Data Controller
- Comply with data protection principles and prove your compliance Data Controller
- Comply with GDPR data protection principles Data Controller
- Ensure GDPR‑compliant processing of personal data Data Controller
- Follow GDPR data protection principles and demonstrate compliance Data Controller
- Process personal data according to GDPR principles and show compliance Data Controller
- Process personal data in line with GDPR principles Data Controller
- Process personal data in line with GDPR principles and demonstrate compliance Data Controller
- Process personal data lawfully and demonstrate compliance Data Controller
- Process personal data lawfully, fairly, transparently and securely Data Controller
Conditions for consent
Fine up to £17,500,000- Ensure valid and withdrawable consent for data processing Data Controller
- Obtain and manage consent in line with UK GDPR Data Controller
- Obtain and manage valid consent for personal data Data Controller
- Obtain and manage valid consent for personal data processing Data Controller
- Obtain, document and allow withdrawal of valid consent Data Controller
- Obtain, record and allow easy withdrawal of consent Data Controller
- Obtain, record and allow easy withdrawal of valid consent Data Controller
- Obtain, record and manage valid consent for personal data Data Controller
- Obtain, document and manage valid consent for data processing Data Controller
Conditions applicable to child's consent in relation to information society services
Fine up to £17,500,000- Obtain and verify parental consent for children under 13 Data Controller
- Obtain and verify parental consent for under‑13 users of online services Data Controller
- Obtain parental consent for online services offered to children under 13 Data Controller
- Verify parental consent for children under 13 Data Controller
- Verify parental consent for children under 13 for online services Data Controller
- Verify parental consent for children under 13 using online services Data Controller
Processing of personal data relating to criminal convictions and offences
Fine up to £17,500,000- Only process criminal conviction data with proper authority or legal authorisation Data Controller
Transparent information, communication and modalities for the exercise of the rights of the data subject
Fine up to £17,500,000- Provide clear, free information and enable data‑subject rights Data Controller
- Provide clear, free information and facilitate data‑subject rights Data Controller
- Provide clear info and respond to data subject rights requests Data Controller
- Provide clear information and handle data subject rights requests Data Controller
- Provide clear information and promptly handle data subject rights requests Data Controller
- Provide clear information and respond to data subject rights requests Data Controller
- Provide clear privacy information and handle data‑subject rights requests promptly Data Controller
- Provide transparent information and handle data‑subject rights requests Data Controller
- Respond to data subject rights requests transparently and promptly Data Controller
Information to be provided where personal data have not been obtained from the data subject
Fine up to £17,500,000- Provide information to data subjects when you obtain their data from other sources Data Controller
- Provide required data‑subject information when you collect data from other sources Data Controller
- Provide required information when data not obtained directly Data Controller
- Provide required information when you obtain data from other sources Data Controller
- Provide required privacy information to data subjects Data Controller
- Provide required transparency information to data subjects Data Controller
- Provide privacy information when personal data is obtained from third parties Data Controller
- Provide required information to data subjects when you did not collect their data directly Data Controller
- Provide required info when you obtain data from third parties Data Controller
- Provide required privacy information to data subjects when data not obtained from them Data Controller
- Give data subjects required information when you obtain their data from other sources Data Controller
- Give required information to people when you collect their data from other sources Data Controller
- Provide information to data subjects when you haven’t collected their data directly Data Controller
- Provide required information to data subjects when data not collected directly Data Controller
Right of access by the data subject
Fine up to £17,500,000- Provide data‑subject access to personal data and information Data Controller
- Provide data subjects access to their personal data and related information Data Controller
- Provide data subjects with access to their personal data Data Controller
- Provide data subject access to personal data on request Data Controller
- Respond to personal data access requests Data Controller
Right to rectification
Fine up to £17,500,000- Correct inaccurate or incomplete personal data on request Data Controller
- Correct inaccurate or incomplete personal data upon request Data Controller
- Correct inaccurate personal data on request Data Controller
- Correct personal data when requested Data Controller
- Rectify inaccurate or incomplete personal data on request Data Controller
- Rectify inaccurate or incomplete personal data promptly Data Controller
Notification obligation regarding rectification or erasure of personal data or restriction of processing
Fine up to £17,500,000- Notify all data recipients of corrections, deletions or restrictions Data Controller
- Notify all recipients when you correct, delete or restrict personal data Data Controller
- Notify data recipients of any correction, deletion or restriction of personal data Data Controller
- Notify data recipients of any rectification, erasure or restriction Data Controller
- Notify data recipients of corrections, deletions or processing limits Data Controller
- Notify data recipients of corrections, deletions or restrictions Data Controller
- Notify recipients of corrected, deleted or restricted personal data Data Controller
- Notify recipients of data corrections, deletions or processing restrictions Data Controller
- Notify recipients of data corrections, deletions or restrictions Data Controller
- Notify third parties when updating or deleting personal data Data Controller
- Notify third parties when you correct or delete personal data Data Controller
Right to object
Fine up to £17,500,000- Allow and respect data subjects’ right to object Data Controller
- Allow data subjects to object and stop processing on request Data Controller
- Give individuals a right to object and stop processing on objection Data Controller
- Inform data subjects of right to object and stop processing on objection Data Controller
- Provide right‑to‑object notice and honour objections Data Controller
- Respect data subjects' right to object and halt processing on objection Data Controller
- Respect data subjects’ right to object and inform them Data Controller
- Respect data subjects' right to object and stop processing Data Controller
- Respect data subjects' right to object and stop processing on request Data Controller
- Respect data subjects’ right to object to processing Data Controller
- Stop processing when a data subject objects and tell them they can object Data Controller
- Respect and notify individuals of their right to object to data processing Data Controller
Responsibility of the controller
Fine up to £17,500,000- Implement and demonstrate appropriate data protection measures Data Controller
- Implement and demonstrate data protection compliance measures Data Controller
- Implement and demonstrate data protection measures Data Controller
- Implement and demonstrate GDPR compliance measures Data Controller
- Implement and demonstrate GDPR‑compliant data protection measures Data Controller
- Implement and maintain data protection measures and policies Data Controller
- Implement and maintain data‑protection policies and safeguards Data Controller
- Implement and maintain GDPR compliance measures Data Controller
Data protection by design and by default
Fine up to £17,500,000- Apply data protection by design and by default Data Controller
- Design your systems and processes to protect personal data Data Controller
- Implement data protection by design and by default Data Controller
Joint controllers
Fine up to £17,500,000- Agree a joint‑controller arrangement and disclose it to data subjects Data Controller
- Agree and disclose joint controller responsibilities Data Controller
- Agree and document joint controller responsibilities Data Controller
- Agree and document responsibilities as joint controllers Data Controller
- Agree and document responsibilities with joint controllers Data Controller
- Agree and share responsibilities with joint controllers Data Controller
- Agree joint‑controller responsibilities and inform data subjects Data Controller
- Agree on and share GDPR responsibilities with joint controllers Data Controller
- Agree responsibilities with joint controllers and inform data subjects Data Controller
- Create a written agreement between joint data controllers Data Controller
- Establish and document responsibilities with joint data controllers Data Controller
- Set up transparent joint‑controller agreement Data Controller
Processor
Unlimited fine- Comply with data processing contract and data protection duties Data Processor
- Comply with data‑processor responsibilities under UK GDPR Data Processor
- Comply with UK GDPR processor obligations Data Processor
- Contract with controller and control sub‑processors Data Processor
- Enter into a compliant data‑processing contract and meet processor duties Data Processor
- Enter into a GDPR processor contract and follow its duties Data Processor
- Enter into and comply with a data processing agreement with the controller Data Processor
- Enter into and comply with a data processing contract with the controller Data Processor
- Enter into and comply with a written data‑processing contract Data Processor
- Process personal data only under a compliant contract with the controller Data Processor
- Use and manage data processors under a written contract Data Controller
- Enter into and comply with a data processing agreement Data Processor
Processing under the authority of the controller or processor
Fine up to £17,500,000- Only process personal data based on the controller's instructions Data Controller
- Process personal data only on controller instructions Data Processor
- Process personal data only on controller's instructions Data Processor
- Process personal data only on the controller's instructions Data Processor
- Process personal data only on the instructions of the controller Data Controller
Cooperation with the Commissioner
Fine up to £17,500,000- Cooperate with the ICO on request Data Controller
- Cooperate with the ICO when asked Data Controller
- Cooperate with the ICO when it requests assistance Employer
- Cooperate with the ICO when requested Data Controller
- Cooperate with the Information Commissioner’s Office (ICO) Data Controller
Security of processing
Fine up to £17,500,000- Implement appropriate data security measures Data Controller
- Implement appropriate security measures for personal data Employer
- Implement appropriate security measures for personal data processing Employer
- Implement appropriate technical and organisational security measures Data Controller
- Secure all personal data using appropriate technical and organisational measures Data Controller
Notification of a personal data breach to the Commissioner
Fine up to £17,500,000- Notify personal data breaches to the ICO within 72 hours Data Controller
- Notify personal data breach to the ICO within 72 hours Data Controller
- Notify the ICO of a personal data breach within 72 hours Data Controller
- Notify the ICO of personal data breaches Data Controller
- Notify the ICO of personal data breaches and keep breach records Data Controller
- Notify the ICO of personal data breaches and keep records Data Controller
- Notify the ICO of personal data breaches within 72 hours Data Controller
- Report personal data breaches to the ICO within 72 hours Data Controller
- Notify the ICO of personal data breaches and keep a breach register Data Controller
Communication of a personal data breach to the data subject
Fine up to £17,500,000- Inform data subjects of high‑risk personal data breaches Data Controller
- Notify affected individuals of high‑risk data breaches Data Controller
- Notify data subjects of high‑risk personal data breaches Data Controller
- Notify individuals of high‑risk data breaches Data Controller
- Tell people if their personal data has been breached and poses a high risk Data Controller
- Notify individuals of high‑risk data breaches promptly Data Controller
Data protection impact assessment
Fine up to £17,500,000- Carry out a Data Protection Impact Assessment (DPIA) before high‑risk processing Data Controller
- Carry out data protection impact assessments (DPIAs) Data Controller
- Carry out data protection impact assessments for high‑risk processing Data Controller
- Conduct a Data Protection Impact Assessment (DPIA) before high‑risk processing Data Controller
- Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing Data Controller
- Conduct data protection impact assessments (DPIAs) Data Controller
Prior consultation
Fine up to £17,500,000- Consult ICO before carrying out high‑risk data processing Data Controller
- Consult ICO before high‑risk data processing Data Controller
- Consult ICO before high‑risk processing Data Controller
- Consult ICO before high‑risk processing and supply required information Data Controller
- Consult the ICO before carrying out high‑risk processing Data Controller
- Consult the ICO before high‑risk data processing Data Controller
Designation of the data protection officer
Unlimited fine- Appoint a Data Protection Officer and publish their contact details Employer
- Appoint a Data Protection Officer (DPO) Employer
- Appoint a Data Protection Officer (DPO) if specific criteria are met Data Controller
- Appoint a Data Protection Officer (DPO) when required Employer
- Appoint a data protection officer where required Data Controller
- Appoint and publish a Data Protection Officer (DPO) Data Controller
- Designate a Data Protection Officer (DPO) if thresholds are met Data Controller
Position of the data protection officer
Fine up to £17,500,000- Ensure independent, adequately resourced DPO reporting to senior management Employer
- Ensure the Data Protection Officer is independent and properly supported Data Controller
- Give the Data Protection Officer independence, resources and senior reporting Data Controller
- Give the DPO independence, resources and top‑level reporting Data Controller
- Maintain an independent and well‑resourced Data Protection Officer Data Controller
- Maintain independence and support for your Data Protection Officer Employer
- Maintain independent, well‑resourced Data Protection Officer Data Controller
- Support and ensure independence of your Data Protection Officer Data Controller
- Support and maintain independence of your data protection officer Employer
- Support and protect the data protection officer Data Controller
- Support and protect the independence of your Data Protection Officer (DPO) Data Controller
- Support and protect your Data Protection Officer Data Controller
- Support and protect your Data Protection Officer (DPO) Employer
Tasks of the data protection officer
Fine up to £17,500,000- Appoint a Data Protection Officer and ensure they fulfill core duties Data Controller
- Ensure Data Protection Officer carries out data‑protection duties Employer
- Ensure data protection officer carries out required tasks Data Controller
- Ensure DPO carries out advisory, monitoring and ICO liaison duties Any Person
- Ensure your Data Protection Officer carries out core GDPR duties Any Person
- Ensure your data protection officer carries out GDPR duties Data Controller
- Ensure your Data Protection Officer carries out key data protection duties Data Controller
- Ensure your Data Protection Officer carries out key DPO duties Data Controller
- Ensure your Data Protection Officer carries out required duties Data Controller
- Ensure your Data Protection Officer carries out statutory duties Data Controller
- Ensure your Data Protection Officer fulfills GDPR duties Data Controller
- Ensure your Data Protection Officer performs prescribed GDPR tasks Data Controller
- Ensure your Data Protection Officer performs their statutory duties Data Controller
Codes of conduct
Fine up to £17,500,000- Adopt and follow an approved data‑protection code of conduct Data Controller
- Prepare and submit data‑protection codes of conduct for ICO approval Any Person
- Adhere to an approved code of conduct by making binding commitments Data Controller
- Adopt a UK GDPR code of conduct and commit to its safeguards Data Controller
- Adopt a GDPR‑approved code of conduct for data handling Data Controller
Other duties (1) — Crown / regulator
- ICO must encourage and approve industry codes of conduct Statutory regulator
Certification
Fine up to £17,500,000- Obtain and maintain data‑protection certification (if you choose to) Data Controller
- Provide information and access for data‑protection certification Data Controller
- Provide information and maintain data‑protection certification Data Controller
- Provide information to certification body for data‑protection certification Data Controller
- Provide information to data‑protection certification bodies Data Controller
- Apply for and keep a voluntary data‑protection certification Data Controller
- Provide information to certification body when seeking GDPR certification Employer
- Provide information to certification bodies when seeking GDPR certification Data Controller
- Provide information to obtain a data protection certification Data Controller
Certification bodies
Fine up to £17,500,000- Accredit and run a certified data‑protection compliance body Any Person
- Certification bodies must meet strict standards to issue GDPR certificates Data Controller
- Obtain and maintain accreditation as a data‑protection certification body Trader
- Obtain and maintain accreditation for data‑protection certification bodies Any Person
- Obtain and maintain ICO accreditation to issue data protection certifications Employer
- Obtain and maintain ICO or UK accreditation as a data‑protection certification body Any Person
- Maintain accreditation to issue data protection certifications Any Person
- Maintain accredited certification body status and processes Any Person
International cooperation for the protection of personal data
Other duties (1) — Crown / regulator
- ICO must cooperate internationally to enforce data protection Statutory regulator
Independence
Other duties (1) — Crown / regulator
- ICO must act with complete independence Statutory regulator
Tasks
Other duties (1) — Crown / regulator
- ICO must monitor, enforce, and support UK GDPR compliance Statutory regulator
General conditions for imposing administrative fines
Other duties (1) — Crown / regulator
- ICO must ensure data protection fines are fair and effective Statutory regulator
Penalties
Unlimited fine- Infringe UK GDPR information obligations (Article 14) Data Controller
Additional requirements when processing for RAS purposes
Fine up to £17,500,000- Only process personal data for RAS purposes with proper safeguards Data Controller
- Process personal data for RAS only if necessary and with safeguards Data Controller
- Process personal data for RAS only with justification and safeguards Data Controller
- Process personal data for RAS purposes only with safeguards Data Controller
- Process personal data for research only with safeguards Data Controller
- Process personal data for research/statistics only with safeguards Data Controller
General principles for transfers
Fine up to £17,500,000- Ensure international data transfers comply with UK GDPR Data Controller
- Ensure lawful international transfers of personal data Employer
- Ensure lawful transfer of personal data abroad Data Controller
- Ensure lawful transfers of personal data abroad Data Controller
- Ensure lawful transfers of personal data overseas Data Controller
- Ensure legal grounds before transferring personal data abroad Data Controller
- Transfer personal data abroad only with appropriate safeguards Data Controller
Restrictions on automated decision-making
Fine up to £17,500,000- Avoid sole automated decisions using special‑category data Data Controller
- Do not rely only on automated decisions using special‑category data Data Controller
- Do not rely solely on automated decisions for special category data Data Controller
- Do not rely solely on automated decisions using special‑category data Data Controller
- Ensure lawful use of automated decisions with special personal data Data Controller
- Restrict automated decisions on special category data Data Controller
- Restricted use of sensitive data for automated decisions Data Controller
- Restrict fully automated decisions using sensitive personal data Data Controller
Safeguards for automated decision-making
Fine up to £17,500,000- Establish safeguards for automated decision-making Data Controller
- Implement safeguards for automated decision‑making Data Controller
- Provide safeguards for automated decision‑making Data Controller
- Provide safeguards for automated decisions Data Controller
- Provide safeguards for automated decisions about individuals Data Controller
- Provide safeguards for automated decisions affecting individuals Data Controller
- Provide safeguards for significant automated decisions Data Controller
- Put safeguards in place for automated decisions Data Controller
- Put safeguards in place for fully automated decisions that affect individuals Data Controller
- Put safeguards in place for significant automated decisions Data Controller
Transfers approved by regulations: monitoring
Other duties (1) — Crown / regulator
- Secretary of State must monitor and update approved data transfer lists Crown / Minister / Government department
Browse 82 other sections — procedural / definitional / commencement
Subject-matter and objectives
Material scope
Territorial scope
Definitions
Lawfulness of processing
Processing of special categories of personal data
Processing which does not require identification
Information to be provided where personal data are collected from the data subject
Right to erasure (‘right to be forgotten’)
Right to restriction of processing
Right to data portability
Automated individual decision-making, including profiling
Restrictions
Representatives of controllers or processors not established in the United Kingdom
Records of processing activities
Monitoring of approved codes of conduct
General principle for transfers
Transfers on the basis of an adequacy decision
Transfers subject to appropriate safeguards
Transfers subject to appropriate safeguards: Binding corporate rules
Transfers or disclosures not authorised by Union law
Derogations for specific situations
Monitoring the application of this Regulation
General conditions for the members of the supervisory authority
Rules on the establishment of the supervisory authority
Competence
Competence of the lead supervisory authority
Powers
Activity reports
Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Mutual assistance
Joint operations of supervisory authorities
Consistency mechanism
Opinion of the Board
Dispute resolution by the Board
Urgency procedure
Exchange of information
European Data Protection Board
Independence
Tasks of the Board
Reports
Procedure
Chair
Tasks of the Chair
Secretariat
Confidentiality
Right to lodge a complaint with the Commissioner
Right to an effective judicial remedy against the Commissioner
Right to an effective judicial remedy against a controller or processor
Representation of data subjects
Suspension of proceedings
Right to compensation and liability
Processing and freedom of expression and information
Processing and public access to official documents
Processing of the national identification number
Processing in the context of employment
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Obligations of secrecy
Existing data protection rules of churches and religious associations
Exercise of the delegation
Committee procedure
Repeal of Directive 95/46/EC
Relationship with domestic law made before IP completion day implementing Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
Relationship with previously concluded Agreements
Commission reports
Review of other Union legal acts on data protection
Entry into force and application
Appropriate safeguards
Appropriate safeguards: further provision
Automated processing and significant decisions
Further provision about automated decision-making
Further provision about processing of special categories of personal data
Meaning of “applicable time period”
Periods of time
Processing and national security and defence
Purpose limitation: further processing
Regulations made by Secretary of State
Research, archives and statistics
Restriction in the public interest
The data protection test
Transfers approved by regulations
Transfers subject to appropriate safeguards: further provision
Official guidance
Authoritative sources published by regulators or government explaining this legislation.
- Age Verification Providers Association (AVPA) (opens in a new tab) Detailed Guidance
- ICO: Age Appropriate Design Code (opens in a new tab) from ICO Detailed Guidance
- ICO: Age Appropriate Design Code (opens in a new tab) from ICO Detailed Guidance
- Ofcom: Online Safety Act compliance guide for services (opens in a new tab) from Ofcom Detailed Guidance
- HSE: Regulatory approach to artificial intelligence (opens in a new tab) from HSE Detailed Guidance
- CDEI: Algorithmic Transparency Recording Standard (opens in a new tab) Detailed Guidance
- Alan Turing Institute: AI Standards Hub (opens in a new tab) Detailed Guidance
- EHRC: Equality and Human Rights Commission (opens in a new tab) Detailed Guidance
- ICO - SME web hub (opens in a new tab) from ICO Detailed Guidance
- Business Services Organisation NI (opens in a new tab) Detailed Guidance
- ... and 46 more
Enforcement and responsible bodies
The regulators that administer or enforce this legislation.
Information Commissioner's Office
Data protection, freedom of information, privacy and electronic communications regulation. Enforces UK GDPR and Data Protection Act 2018. Issues fines for breaches. …
Explore more
Browse legislation
Find other UK business legislation with related guidance.
Regulators
Learn more about the bodies that enforce this legislation.