GDPR has been incorporated into UK law within the Data Protection Act 2018 and is the legal framework which governs the collection and processing* of users' "personal data"

Legal principles:

• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

*Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

^"Personal data is any information relating to a data subject who can be identified directly or indirectly by that data. For example, an NHS number, name or address relates to a specific individual, and could be used to identify them. Likewise, a CCTV recording of a person would be classed as data which identifies an individual."