Who does it apply to?

  • Any organisation processing personal data of UK data subjects, regardless of location.
  • UK-based controllers and processors using EU-residency services — the EU-UK transfer story is symmetric to the EU's adequacy decision toward the UK (currently in force).
  • Agents serving UK users from UK regions (europe-west2 London) — UK GDPR applies even if the underlying GCP organisation is EU-headquartered.

Two-minute explainer

UK GDPR is the post-Brexit domestic equivalent of the EU GDPR. Substantively, it’s the EU GDPR with the Information Commissioner’s Office (ICO) substituted for EU supervisory authorities, and a few operational tweaks codified in the Data Protection Act 2018. For agentic AI builders, the practical difference from EU GDPR is small; the regulatory expectations are nearly identical.

Where the regulations meaningfully diverge:

Adequacy decisions. The UK has its own adequacy framework. The UK-EU corridor is adequacy-bridged (current as of 2026): UK personal data can move to the EU and vice versa without SCCs. UK to non-EU adequate countries (e.g. Japan, South Korea) is adequacy-based. UK to inadequate countries (US, India, etc.) requires International Data Transfer Agreements (IDTAs) or addenda to the EU SCCs.

Age of consent. UK GDPR’s child-consent threshold is 13; EU GDPR varies by member state from 13 to 16. For consumer-facing agents, this affects when the agent must require parental consent.

Special-category data. Schedule 1 of the Data Protection Act 2018 provides specific conditions for processing special-category data (Article 9 of the GDPR — racial origin, political opinions, religious beliefs, health, sex life, biometric data). These conditions are UK-specific and need to be cited in the audit chain whenever special-category data flows through the agent.

ICO-specific procedural expectations. Breach notification (72 hours), SAR fulfilment (1 calendar month), and DPIA submission all go through ICO channels with ICO-specific format expectations.

The Regulus uk-gdpr profile composes with gdpr — running both together resolves to a strict superset of obligations: UK GDPR articles applied with ICO procedural expectations, EU GDPR articles applied with EDPB procedural expectations. Most multinational financial-services and healthcare operators run both profiles.

What it actually requires of an engineer

  1. Operationally identical to EU GDPR for most agentic workflows. The 99 articles in EU GDPR map almost 1:1 to UK GDPR. The differences matter mostly at the transfer-mechanism level and the age of consent (UK = 13, EU varies 13–16).
  2. ICO is the supervisor. SARs, breach notifications, and DPIA submissions go to the ICO, not the EDPB. The audit-evidence export needs to be ICO-formatted (different field names in some cases).
  3. Data Protection Act 2018 supplements the GDPR. Schedule 1 conditions for special-category data and Part 2 specific provisions on automated decision-making apply alongside UK GDPR.
  4. UK Adequacy Bridge to the EU is in place (as of 2026). Personal data can flow UK → EU and EU → UK on the adequacy basis without SCCs. Outside this corridor (UK → US, UK → APAC), SCC/IDTA are required.
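An added example (not Regulus code) that turns the transfer rules described above into a small resolver: UK to EU on the adequacy bridge, UK to a UK-adequate country on the UK adequacy basis, and UK to anywhere else only where an IDTA or SCC addendum is configured. The country lists are illustrative assumptions, not the ICO's authoritative adequacy list.

```python
from dataclasses import dataclass, field

# Constructed subsets for illustration; not an authoritative adequacy list.
EU_EEA = {"DE", "FR", "IE", "NL", "IT", "ES", "NO", "IS", "LI"}
# Non-EU countries the page names as UK-adequate (Japan, South Korea).
UK_ADEQUATE_NON_EU = {"JP", "KR"}


@dataclass
class TransferPolicy:
    # Destinations where an IDTA or UK addendum to the EU SCCs is in place (assumed config).
    idta_destinations: set = field(default_factory=set)
    # The page's "restrict to UK only" mode for ICO-sensitive workloads.
    uk_only: bool = False


def resolve_transfer(source: str, dest: str, policy: TransferPolicy) -> dict:
    """Return an audit-style event recording the transfer basis and the decision.

    Only UK-originating transfers are modelled here.
    """
    if source != "GB":
        raise ValueError("this resolver only models UK-originating transfers")
    if dest == "GB":
        basis, allowed = "domestic", True
    elif policy.uk_only:
        basis, allowed = "none", False          # UK-only mode denies every export
    elif dest in EU_EEA:
        basis, allowed = "adequacy-bridge-uk-eu", True
    elif dest in UK_ADEQUATE_NON_EU:
        basis, allowed = "uk-adequacy-regulations", True
    elif dest in policy.idta_destinations:
        basis, allowed = "idta-or-scc-addendum", True
    else:
        basis, allowed = "none", False          # inadequate country, no IDTA configured
    return {
        "source": source,
        "destination": dest,
        "transfer_basis": basis,
        "allowed": allowed,
    }


if __name__ == "__main__":
    for dest in ("DE", "JP", "US"):
        print(resolve_transfer("GB", dest, TransferPolicy(idta_destinations={"US"})))
```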

What Regulus does for you

Regulus control / Delivers

  RegulusPolicyPlugin
    Identical purpose-limitation enforcement to the GDPR profile, with the ICO field-name overlay applied to the audit envelope.

  RegulusPrivacyPlugin
    UK PII pattern catalogue — NINO, NHS Number, UK postcode, UK mobile + landline patterns, UK passport, UK driving licence — alongside the shared EU patterns.

  RegulusDataResidencyPlugin
    UK + EU residency by default (post-Brexit adequacy). Configurable to restrict to UK only for ICO-sensitive workloads.

  RegulusGovernanceEvidencePlugin
    ICO-formatted breach-notification envelope template. Webhook adapter posts to your existing ICO-notification workflow with the structured fields the ICO expects.
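An added example (not the Regulus privacy plugin) of what a UK PII pattern catalogue has to do beyond regex matching: NHS numbers carry a mod-11 check digit and NINOs have prefix rules, so candidates are validated before they are reported, which keeps ten-digit phone numbers and random letter/digit runs out of the findings. The sample text is constructed; Schedule 1 tagging is not modelled here.

```python
import re
from typing import List, Tuple

# Candidate patterns (simplified assumptions); validation below rejects false positives.
_NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")
_NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.I)
_POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b", re.I)
# NINO rules: no D/F/I/Q/U/V in either letter, no O as second letter, banned prefixes.
_NINO_VALID = re.compile(
    r"^(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]$"
)


def nhs_check_digit_ok(number: str) -> bool:
    """Mod-11 check: weights 10..2 over the first nine digits, check = 11 - (sum % 11)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # numbers whose check would be 10 are never issued
    return check == digits[9]


def nino_ok(candidate: str) -> bool:
    return bool(_NINO_VALID.match(candidate.replace(" ", "").upper()))


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings for validated UK identifiers in free text."""
    findings = []
    for m in _NHS_RE.finditer(text):
        if nhs_check_digit_ok(m.group()):
            findings.append(("nhs_number", m.group()))
    for m in _NINO_RE.finditer(text):
        if nino_ok(m.group()):
            findings.append(("nino", m.group()))
    for m in _POSTCODE_RE.finditer(text):
        findings.append(("uk_postcode", m.group()))
    return findings


# Constructed sample: one valid NHS number, one with a bad check digit, a NINO, a postcode.
SAMPLE = ("Patient NHS number 943 476 5919, NI number AB 12 34 56 C, lives at SW1A 1AA. "
          "Ref 943 476 5918 is not an NHS number.")

if __name__ == "__main__":
    print(scan(SAMPLE))
```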

Saves you ~6 engineer-weeks

Estimate based on the following honest assumptions:

  • Mostly delta from the GDPR baseline — UK pattern catalogue (1 week), ICO field-name overlay (1 week), ICO-specific breach notification format (2 weeks), Schedule 1 Special Category handling (2 weeks).
  • Assumes EU GDPR is already in place. If starting from scratch, count the 12 weeks from the GDPR page plus this 6.

What an auditor will ask

The questions you'll see in a real walkthrough — and where to point them.

  1. Show me your ICO-facing breach-notification envelope.

    The GRC adapter exports breach-relevant events in ICO format. The events themselves are in the audit chain; the format mapping is in regulus.grc.ico-breach-format.

  2. How do you handle Schedule 1 special category data?

    The privacy plugin tags Special Category indicators (Art. 9 PII) with the Schedule 1 condition that authorises processing. Filter by tags contains 'schedule-1-condition-X'.

  3. What's your UK → EU transfer story?

    The residency plugin permits EU + UK regions by default under the current adequacy bridge. Cross-border events outside that corridor are denied unless an SCC is configured. The adequacy basis is captured in the transfer_basis field on each event.

What this doesn't cover

  • The Data Protection Act 2018 has sector-specific provisions (intelligence services, immigration) that Regulus doesn't profile. If you operate in those sectors, custom profile authoring is required.
  • ICO registration fee handling — Regulus doesn't manage your ICO controller registration.
  • UK GDPR Part 4 law-enforcement processing — Regulus targets commercial deployments; law-enforcement-side processing requires specialised tooling.

Citations

  1. UK GDPR full text (legislation.gov.uk)
  2. Data Protection Act 2018
  3. ICO guidance on AI and data protection

Activate this profile in your agent

regulus init my-agent --profiles=uk-gdpr