Skip to main content

UK GDPR guidance and resources

Subject access requests (SARs)

What is a subject access request (SAR), how to recognise them and when and how to respond to them.
Personal information - what is it?

Key definitions, what is considered personal information and what "identifiable" means.
Individual rights

Writing a privacy notice, responding to a subject access request, and when to delete, change, move or stop processing people's information.
Principles

Fairness, transparency, purpose limitation, minimisation, accuracy, accountability, storage and security.
Lawful basis, special category data and criminal offence data

Consent, contracts, legitimate interests, vital interests, public task, legal obligation, special category data, criminal offence data and biometrics.
CCTV and video surveillance

CCTV, video surveillance, body worn cameras and drones.
Controllers and processors

Definitions of 'controllers' and 'processors', how to determine them and their responsibilities.
Accountability and governance

DPIAs, accountability principle, internal governance, contracts, documentation, and data protection officers.
International transfers

International data transfers, transfer agreements, transfer risk assessments and binding corporate rules.
Exemptions

When and how you can apply exemptions to the UK GDPR requirements.
Security (data protection and cyber)

The security principles, personal data breaches, and guidance on encryption, ransomware and passwords.
Data sharing

The data sharing code, case studies and examples, checklist, the sharing of personal information with and by law enforcement authorities, sharing information to prevent harm and for child safeguarding purposes.
Employment information

Advice for employers and organisations involved in employment issues on how to use and look after your workers’ personal information, and guidance about working from home.
Children's information

How to protect children's information, the Age Appropriate Design Code and resources for online service providers.
Artificial intelligence

Artificial intelligence and data protection, AI risk assessment, explaining decisions made with AI and data analytics.
Designing products that protect privacy

Privacy in the product lifecycle and designing online services for children.
Research provisions

Research provisions in the UK GDPR and the DPA 2018, the principles and grounds for processing, research exemptions and safeguards.
Data protection and journalism code of practice

The data protection and journalism code, reference notes, consultation responses and impact assessment.
Online safety and data protection

Resources for organisations that use online safety technologies and processes.
Training videos

View the information governance and legislation training modules we provide to ICO staff as part of their internal training.