Information Commissioner's Office
Primary UK GDPR enforcer. Also FOI regulator and PECR authority.
Investigates, fines, reprimands, audits.
Lead regulator for the AI × data-protection intersection.
Most recent AI guidance update · 31 Mar 2026
- UK GDPR enforcement
- Data Protection Act 2018
- Freedom of Information Act
- PECR (e-privacy)
- ADM & AI guidance
Practical guidance
Artificial intelligence
ML lawful basis, fairness, transparency, ADM rights, generative AI training data.
Lawful basis
Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests.
Individual rights
Access, rectification, erasure, portability, objection, automated decisions, restriction.
International transfers
Adequacy, SCCs, IDTA, BCRs, supplementary measures, transfer risk assessments.
Security, including cyber security
Technical and organisational measures, breach notification, encryption, incident response.
Online tracking
PECR, cookies and similar technologies, consent for tracking, analytics.
Employment information
Recruitment, monitoring, references, health data, pre-employment checks.
Children's information
Age-appropriate design code, parental consent, education sector, age verification.
Recently updated
- 24 Apr · Regulatory sandbox · Advice & services
- 23 Apr · Top data protection tips for small organisations · Small orgs
- 17 Apr · How to obtain, record and manage consent · Lawful basis
- 7 Apr · How to recognise a subject access request · Individual rights
- 2 Apr · A guide to lawful basis · Lawful basis