Practical guidance on UK GDPR compliance, ICO registration, data subject rights, and how to avoid enforcement action.
UK GDPR Article 5 sets out seven principles that must underpin all personal data processing. Accountability for compliance rests with the data controller.
- Lawfulness, fairness and transparency: processing must have a lawful basis (Art. 6/9), be fair, and individuals must be informed about how their data is used.
- Purpose limitation: data must be collected for specified, explicit, and legitimate purposes and not processed incompatibly with those purposes.
- Data minimisation: only collect and process the personal data that is actually necessary for your purpose.
- Accuracy: personal data must be accurate and kept up to date. Inaccurate data must be erased or corrected promptly.
- Storage limitation: data should be kept no longer than necessary for the purpose. Define and document your retention schedules.
- Integrity and confidentiality (security): appropriate technical and organisational measures must protect data against unauthorised access, loss, or destruction.
- Accountability: as controller, you are responsible for complying with the principles and must be able to demonstrate compliance.
You must identify and document a legal basis before processing personal data. This cannot be changed retrospectively.
- Consent: freely given, specific, informed, and unambiguous. Can be withdrawn at any time. Must be a positive opt-in; pre-ticked boxes don't count.
- Contract: processing is necessary to perform a contract with the individual, or at their request before entering into a contract.
- Legal obligation: processing is necessary to comply with a legal obligation (e.g. HMRC reporting, safeguarding duties).
- Vital interests: necessary to protect someone's life. Rarely used; usually only applicable in emergency situations.
- Public task: processing is necessary for a task carried out in the public interest or in the exercise of official authority. Key for NHS and public bodies.
- Legitimate interests: processing is necessary for the controller's (or a third party's) legitimate interests, and those interests are not overridden by the individual's rights and freedoms. Requires a three-part test (purpose, necessity, balancing).
- Right of access: individuals can request a copy of their personal data. You must respond within one month (extendable to three for complex cases). No fee can be charged for standard requests.
- Right to rectification: individuals can request correction of inaccurate data. You must respond within one month. If you have shared the data, you must tell the recipients.
- Right to erasure: the "right to be forgotten" — individuals can request deletion where the data is no longer necessary, consent is withdrawn, or processing is unlawful.
- Right to restriction: individuals can ask you to stop processing their data in certain circumstances, for example while accuracy is contested.
- Right to data portability: where processing is automated and based on consent or contract, individuals can request their data in a machine-readable format.
- Right to object: individuals can object to processing based on legitimate interests, direct marketing, or research. Direct marketing objections must always be honoured.
Understanding common enforcement patterns helps organisations prioritise their compliance efforts.
| Organisation | Fine | Year | Reason |
|---|---|---|---|
| Royal Mail | £5.6m | 2023 | Sending 70 million emails to customers who had opted out of marketing. |
| Clearview AI | £7.5m | 2022 | Unlawfully collecting facial images of UK residents without a lawful basis. |
| Interserve Group | £4.4m | 2022 | Failing to keep personal data of employees secure following a phishing attack. |
| NHS Trust (anon) | £78k | 2023 | Emailing patient information to incorrect recipients without adequate controls. |
Source: ICO enforcement action register. Fines may have been appealed or varied.
- Most organisations that process personal data must register with the ICO and pay a data protection fee (ico.org.uk).
- ICO guidance on maintaining Records of Processing Activities under Article 30 UK GDPR (ico.org.uk).
- ICO's self-assessment accountability framework tool: check your compliance posture (ico.org.uk).
- Latest ICO guidance on PECR compliance and cookie consent requirements (ico.org.uk).
- ICO guidance on how UK GDPR applies to AI and automated decision-making systems (ico.org.uk).
- Age Appropriate Design Code: applies to online services likely to be accessed by children (ico.org.uk).
Most organisations that process personal data must register with the ICO and pay an annual fee (£40–£2,900 depending on size). Failure to register is a criminal offence. Folelse tracks your ICO registration status and renewal date automatically.