Fact check: What are the potential GDPR risks associated with the UK's digital ID system?
Executive Summary
The UK's proposed digital ID system raises several GDPR-related risks centring on data security, misuse, and discrimination: critics warn of a large, attractive target for hackers and civil liberties groups warn of surveillance and exclusion, while government guidance claims on-device storage and encryption will mitigate many risks [1] [2] [3]. Recent events — notably the One Login loss of certification — have crystallised legal and compliance questions under GDPR about lawful processing, data minimisation, and organisational accountability [4].
1. Why the One Login decertification suddenly sharpens GDPR questions
The government's loss of certification for One Login under the trust framework is a concrete trigger that focuses GDPR scrutiny on the programme’s compliance posture, because certification signals conformity with legal and technical standards; its removal implies gaps in required safeguards and raises questions about lawful basis and accountability for processing personal data used to access public services [4]. Under GDPR, data controllers must demonstrate appropriate technical and organisational measures; a revoked certification increases regulatory and litigation risk for both state and private identity providers, and elevates the urgency of independent audits and clearer data protection impact assessments.
2. The cyber-risk argument: a “honeypot” that compounds GDPR obligations
Security experts warn the scheme could become an enormous honeypot for attackers if it centralises identity-related data, increasing the likelihood of large-scale breaches and thus triggering GDPR obligations around breach notification, impact mitigation, and potential fines [1] [2]. The hypothetical scale — concerns of a centralised store of tens of millions of records — would magnify obligations for controllers and processors to demonstrate proportionality and implement state-of-the-art security; failure to do so would expose the programme to enforcement by the Information Commissioner’s Office and private claims from data subjects.
3. On-device storage claims versus centralisation fears: competing narratives
Government guidance asserts that credentials will be stored on users’ devices, encrypted and protected by modern authentication, a design intended to limit centralised risk and satisfy GDPR principles like data minimisation and purpose limitation [3]. Critics counter that device storage does not eliminate risks: metadata, backup services, credential revocation mechanisms, and supporting central services can reintroduce central points of failure or avenues for profiling and surveillance, undermining the GDPR’s safeguards against excessive or opaque processing [5] [1].
4. Surveillance and discrimination concerns that intersect with GDPR rights
Civil liberties groups highlight the danger of a “papers, please” society where digital IDs could enable systemic surveillance and discrimination, particularly affecting marginalised communities who may be disproportionately profiled or coerced into digital interactions [6] [1]. GDPR rights to contest automated decisions, seek human review, and demand data portability intersect with social rights; if digital ID usage becomes quasi-mandatory for accessing services, the interplay between data protection rights and equal access protections becomes a legal and ethical flashpoint requiring legislative clarity and robust safeguards.
5. The financial and governance backdrop that informs compliance viability
Analyses estimate sizeable programme costs and warn that poor governance could exacerbate GDPR risks by underfunding security and oversight, with the digital ID project described as costing up to £2bn and as politically contentious [2]. GDPR compliance is not merely technical; it demands sustained governance, adequate resourcing for incident response, independent oversight, and transparent accountability mechanisms. Without clear funding and governance commitments, the system risks being judged non-compliant on grounds of insufficient organisational measures and failure to protect data subject rights.
6. Possible mitigations regulators and designers should prioritise now
Experts and the department’s guidance point to encryption, device-local credential storage, and authentication best practices as mitigations, but GDPR compliance also requires demonstrable DPIAs, minimisation of retained data, clear lawful bases for processing, robust audit trails, and independent oversight bodies [3] [4]. Given the One Login certification loss, regulators should demand rapid publication of DPIAs and security assessments, mandate red-team testing, and require contractual limits on processors to ensure effective legal remedies and timely breach notifications, aligning technical promises with enforceable obligations.
7. Bottom line: accountability, transparency, and proportionality will decide GDPR outcomes
The debate shows two competing narratives: the government’s technical assurances versus civil society and security experts’ warnings about centralisation and systemic harms [3] [1]. GDPR compliance will hinge less on slogans and more on demonstrable, auditable controls, proportionality in data collection, and governance that prevents mission creep; if those elements are not convincingly published and enforced following the One Login decertification, the scheme will face heightened regulatory, legal, and public legitimacy challenges under data protection law [4] [2].