UK GDPR: UK General Data Protection Regulation - The primary legislation governing personal data processing in the UK post-Brexit, setting out fundamental principles, rights, and obligations for data protection
DPA 2018: Data Protection Act 2018 - The UK's implementation of data protection law, complementing and supplementing the UK GDPR with national specifications and requirements
PECR: Privacy and Electronic Communications Regulations 2003 - Specific rules for electronic communications, including regulations on cookies, marketing communications, and privacy in telecommunications
FOI Act 2000: Freedom of Information Act 2000 - Legislation governing public access to information held by public authorities, relevant when the organization is a public body
HRA 1998: Human Rights Act 1998 (Article 8) - Enshrines the right to privacy in UK law, providing a fundamental legal basis for data protection
ICO Guidance: Information Commissioner's Office guidance and codes of practice - Official regulatory guidance on interpreting and implementing data protection requirements in the UK
EDPB Guidelines: European Data Protection Board guidelines - While not binding post-Brexit, these remain influential in UK data protection practice and interpretation
Lawful Bases: The legal grounds under which personal data can be processed, including consent, contract, legal obligation, vital interests, public task, and legitimate interests
Data Subject Rights: The rights individuals have over their personal data, including access, rectification, erasure, portability, and objection to processing
Data Retention: Requirements for specifying and adhering to defined periods for keeping personal data, ensuring data is not kept longer than necessary
International Transfers: Rules and safeguards for transferring personal data outside the UK, including adequacy decisions and appropriate safeguards
Security Measures: Technical and organizational measures required to protect personal data from unauthorized access, loss, or damage
Controller Information: Mandatory information about the data controller, including contact details and identity
DPO Requirements: Details about the Data Protection Officer if applicable, including their role and contact information
Data Categories: Specification of the types and categories of personal data being processed
Processing Purposes: Clear explanation of why personal data is being collected and processed
Data Recipients: Information about who receives or has access to the personal data, including any third-party processors
Automated Processing: Information about any automated decision-making or profiling, including its significance and consequences for individuals
