UK General Data Protection Regulation
Post-Brexit divergence means UK organisations must now navigate two parallel GDPR regimes, with the ICO imposing fines up to GBP 17.5 million or 4% of global turnover.
The UK GDPR is the domestic version of the EU General Data Protection Regulation, retained in UK law after Brexit via the European Union (Withdrawal) Act 2018 and amended by the Data Protection Act 2018. While substantively similar to the EU GDPR, there are material differences that organisations operating across both jurisdictions must understand.
Key differences include: the UK's independent adequacy framework for international transfers, the ICO's distinct enforcement approach and penalty guidance, amendments introduced by the Data (Use and Access) Act 2025 (effective February 2026), and the UK's recognition of legitimate interest in certain public interest contexts without requiring a balancing test.
For organisations processing personal data of UK residents, the UK GDPR applies regardless of where the organisation is established. StremarControl engineers and operates the Microsoft-native controls required by the UK GDPR, translating each obligation into enforceable tenant configuration that satisfies UK and EU requirements simultaneously, with structured evidence covering data residency, transfer mechanisms, and jurisdiction-specific retention.
Why This Matters Now
The UK GDPR, retained from EU law via the Data Protection Act 2018 and European Union (Withdrawal) Act 2018, governs how every UK organisation processes personal data. Post-Brexit divergence means UK organisations doing business in both markets must now navigate two parallel GDPR regimes with subtle but operationally significant differences. The ICO has signalled an increasingly enforcement-focused posture, with fines increasing year-on-year. For M365 environments, UK data residency requirements, the UK International Data Transfer Agreement (IDTA) replacing EU SCCs, and UK-specific lawful basis interpretations all require tenant-level configuration changes that differ from EU GDPR compliance alone.
Framework Metadata
Scope & Applicability
The UK GDPR applies to: (1) all organisations established in the UK that process personal data; (2) organisations outside the UK that offer goods or services to UK data subjects or monitor their behaviour. The Data Protection Act 2018 supplements the UK GDPR with UK-specific provisions, including exemptions for immigration, national security, and journalism. Organisations processing data of both UK and EU individuals must comply with both the UK GDPR and the EU GDPR; the two are not interchangeable. M365 tenant configuration must account for UK-specific data residency, UK IDTA transfer mechanisms, and ICO guidance on lawful basis for direct marketing.
Core Obligations
Data Protection Principles
Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability.
Lawful Basis for Processing
Establish and document a lawful basis for each processing activity. The UK recognises the same six bases as EU GDPR but with ICO-specific guidance on legitimate interest.
International Transfers
Transfer personal data outside the UK only to countries with UK adequacy decisions, under appropriate safeguards (UK SCCs, BCRs), or specific derogations.
Data Protection Officer
Appoint a DPO where core activities involve regular and systematic monitoring of individuals at scale, or large-scale processing of special category data.
Records of Processing Activities
Maintain comprehensive records of processing activities including purposes, data categories, recipients, transfers, retention periods, and security measures.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Article 5 - Storage Limitation
Purview retention labels with UK-specific retention periods. Auto-deletion policies for data exceeding stated retention. Disposition reviews with audit trail.
Retention label inventory, auto-deletion event logs, disposition review completion reports.
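The following is an added example, not StremarControl's code or tooling, showing one way the storage-limitation control above can be realised in Security & Compliance PowerShell: a retention label that keeps personal data for a fixed period, then routes it through a disposition review before deletion, published to Exchange, SharePoint and OneDrive, with the label inventory exported as evidence. The label name, the six-year period and the reviewer address are assumptions for illustration; the real period comes from the organisation's documented retention schedule.

```powershell
# Added example (not StremarControl's code): publish a UK-specific retention label
# with auto-deletion and a disposition review via Security & Compliance PowerShell.
# Assumptions: the ExchangeOnlineManagement module is installed, the account holds
# the Compliance Administrator role, and the label name, 6-year period and reviewer
# address are placeholders to replace with the organisation's retention schedule.

Connect-IPPSSession

$labelName  = "UK-PersonalData-6y"   # assumed label name
$reviewer   = "dpo@example.org"      # placeholder disposition reviewer
$retainDays = 6 * 365                # assumed retention period (6 years)

# 1. Retention label: keep for the period, then delete, but only after a reviewer
#    confirms disposition; the review decision is what produces the audit trail.
if (-not (Get-ComplianceTag -Identity $labelName -ErrorAction SilentlyContinue)) {
    New-ComplianceTag -Name $labelName `
        -Comment "UK GDPR Art. 5(1)(e) storage limitation: personal data" `
        -RetentionAction KeepAndDelete `
        -RetentionDuration $retainDays `
        -RetentionType ModificationAgeInDays `
        -ReviewerEmail $reviewer
}

# 2. Label policy: publish the label tenant-wide so it can be applied manually
#    or by auto-labelling across Exchange, SharePoint and OneDrive.
$policyName = "UK-PersonalData-Publish"
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
    New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $labelName
}

# 3. Evidence: export the label inventory as a point-in-time record that can be
#    attached to the ROPA or produced on an ICO request.
Get-ComplianceTag |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType, ReviewerEmail |
    Export-Csv -Path ".\retention-label-inventory.csv" -NoTypeInformation
```

A published label only records the policy; the evidence that data was actually deleted comes from the disposition review completion records and the unified audit log, which should be retained separately from the content they describe.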
Articles 44–49 - International Transfers
Azure data residency configured for UK South / UK West regions. Conditional Access geo-blocking for non-UK/non-adequate jurisdictions. Purview DLP preventing personal data transfer to non-adequate regions.
Azure region configuration audit, CA geo-policy evaluation logs, DLP cross-border transfer incidents.
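The following is an added example, not StremarControl's code, of the Conditional Access geo-restriction in the control above, built with the Microsoft Graph PowerShell SDK: a country named location for the United Kingdom and a policy that blocks sign-ins from every other location. The break-glass group ID and the policy and location names are assumptions; the policy is created in report-only mode so the sign-in log evidence can be reviewed before enforcement.

```powershell
# Added example (not StremarControl's code): UK-only named location plus a
# Conditional Access policy that blocks sign-ins from everywhere else, using the
# Microsoft Graph PowerShell SDK. Assumptions: Microsoft.Graph module installed,
# an account with the Conditional Access Administrator role, and a placeholder
# break-glass group ID. The policy starts in report-only mode.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder group ID
$locationName      = "UK-Only"

# 1. Country named location covering the United Kingdom. Requests whose origin
#    cannot be geolocated are deliberately NOT treated as UK, so they are blocked.
$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$locationName'"
if (-not $location) {
    $location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
        displayName                       = $locationName
        countriesAndRegions               = @("GB")
        includeUnknownCountriesAndRegions = $false
    }
}

# 2. Policy: all users, all cloud apps, any location except UK-Only -> block.
#    Break-glass accounts are excluded so a misconfiguration cannot lock out admins.
$policyName = "CA-Block-NonUK-Locations"
if (-not (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'")) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $policyName
        state         = "enabledForReportingButNotEnforced"   # report-only first
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications = @{ includeApplications = @("All") }
            locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
}

# 3. Evidence: read the policy back, with its location exclusion, for the audit file.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'" |
    Select-Object DisplayName, State,
        @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations -join "," } }
```

Named locations are evaluated on the IP geolocation of the sign-in, so this policy governs where users access the tenant from; it does not by itself determine where data is stored, which is set through the Azure region and Microsoft 365 data-location configuration named in the control above. Review the report-only results in the sign-in logs, then switch the state to "enabled".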
Article 32 - Security of Processing
Full M365 E5 security stack: Conditional Access, Defender XDR, Purview DLP, Intune device compliance. Encryption at rest (BitLocker) and in transit (TLS 1.2+).
Security posture dashboard, device compliance reports, encryption status audit, Defender health reports.
Article 30 - Records of Processing
Purview Data Map for data discovery and classification. Processing activity register maintained against the Purview data inventory. ROPA generated from Purview metadata.
Data Map scan results, ROPA documentation, data classification summary reports.
Implementation Timeline
Related Frameworks
With fines exceeding EUR 1.2 billion for major infractions, GDPR non-compliance is a material financial risk that demands board-level ownership.
ISO 27001 certification is increasingly a procurement prerequisite. Without it, organisations face exclusion from enterprise supply chain shortlists and heightened scrutiny from insurers and regulators.
Without Cyber Essentials certification, your firm is excluded from UK government contracts involving sensitive data and faces higher insurance premiums.
Ready to get UK GDPR-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against UK GDPR requirements, close gaps, and produce audit-ready evidence.