Fact check: How does the UK's General Data Protection Regulation (GDPR) apply to digital ID systems?
Executive summary — Clear lines, shared obligations: The UK's data-protection rules apply to digital identity systems primarily through the UK General Data Protection Regulation (UK GDPR) and complementary rules such as the Digital Identity and Attributes Trust Framework (DIATF), which set operational expectations for privacy, security and lawful processing; certification lapses can immediately affect trust and compliance claims, as happened with the One Login certification loss reported in October 2025 [1]. Parallel European reforms aim for interoperability and high-security standards, but differences in timing and legal scope between UK and EU regimes shape cross-border use and obligations [2] [3].
1. Why regulators say digital ID must live by data-protection law: UK GDPR requires controllers and processors of personal data to meet lawful bases, data minimisation, purpose limitation, and security-by-design obligations — all central to digital identity systems that process sensitive identity attributes. The UK’s DIATF frames how suppliers should operationalise those obligations, adding certification and technical expectations intended to translate GDPR principles into practice; the framework’s role is to make compliance auditable and interoperable across providers [1]. Where a supplier’s DIATF certification lapses, regulators, relying parties and users face immediate questions about ongoing lawful processing and risk management [1].
2. The One Login setback that exposed real-world frictions: The government’s One Login losing DIATF certification in October 2025 illustrated how technical and contractual dependencies can affect regulatory standing; reports attribute the lapse to a key supplier allowing its certification to expire, which in turn removed a layer of trust expected by relying parties [1]. This incident shows that compliance is both organisational and supply-chain dependent: UK GDPR obligations do not end at the border of a department or vendor, and auditability across subcontractors is critical to continuous certification and lawful service delivery [1].
3. Practical obligations for employers and service providers under UK GDPR: When a digital ID system is used for mandatory checks — notably right-to-work verification — employers and service providers become data controllers or joint controllers depending on design; they must ensure that any identity provider they accept has demonstrable lawful processing bases, retention limits, and technical safeguards. The government’s stated design choices for the scheme — smartphone-based wallets with fallback options for those without devices — raise inclusion and accessibility monitoring obligations under GDPR and equality law, requiring providers to document mitigations and DPIAs [4] [5].
4. Technical design choices that matter for privacy and compliance: The UK policy aims to use state-of-the-art encryption and authentication to protect credentials held on phones, which shapes how data minimisation and purpose limitation are implemented. Design choices such as storing attributes locally versus central verification, use of selective disclosure, and reliance on biometrics change what counts as “processing” of personal data and which security measures suffice under UK GDPR. The DIATF and similar European frameworks codify expected technical controls, but real-world compliance depends on implementation details and independent auditing [4] [5] [6].
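To make the data-minimisation point concrete, here is an added illustration of selective disclosure using salted hash commitments. It is example code written for this page, not the implementation of One Login, the DIATF, or any EU wallet; the attribute names, the issuer key, and the use of an HMAC in place of a real digital signature are all assumptions made to keep the demo self-contained. The issuer commits to each attribute separately, the holder reveals only the attribute a relying party needs (here a right-to-work flag), and the verifier learns nothing about the undisclosed attributes such as date of birth.

```python
"""Selective disclosure of identity attributes with salted hash commitments.

Constructed illustration for this page: an issuer commits to each attribute
separately, the holder reveals only what a relying party needs, and the
verifier checks the revealed values against issuer-signed commitments.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a shared issuer secret stands in for the issuer's signing key,
# so an HMAC plays the role of a digital signature in this self-contained demo.
ISSUER_KEY = b"issuer-demo-key-not-for-production"


def _commit(name: str, value: str, salt: str) -> str:
    """Hash commitment over one attribute; the salt blocks dictionary guessing
    of low-entropy values (e.g. a yes/no flag) from the commitment alone."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def issue_credential(attributes: dict) -> tuple:
    """Issuer step: returns (signed credential, holder-only disclosure material)."""
    disclosures = {}
    commitments = {}
    for name, value in attributes.items():
        salt = secrets.token_hex(16)
        disclosures[name] = {"salt": salt, "value": value}
        commitments[name] = _commit(name, value, salt)
    payload = json.dumps(commitments, sort_keys=True).encode()
    credential = {
        "commitments": commitments,
        "signature": hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest(),
    }
    return credential, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder step: send the signed commitments plus disclosures for the
    requested attributes only; everything else stays on the device."""
    return {
        "credential": credential,
        "disclosed": {name: disclosures[name] for name in reveal},
    }


def verify(presentation: dict) -> Optional[dict]:
    """Verifier step: check the issuer signature over all commitments, then
    check each disclosed value against its commitment. Returns the verified
    attributes, or None if anything fails."""
    cred = presentation["credential"]
    payload = json.dumps(cred["commitments"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None
    verified = {}
    for name, d in presentation["disclosed"].items():
        if name not in cred["commitments"]:
            return None
        if _commit(name, d["value"], d["salt"]) != cred["commitments"][name]:
            return None
        verified[name] = d["value"]
    return verified


def right_to_work_check() -> Optional[dict]:
    """End-to-end run with constructed sample attributes: the relying party
    asks for the right-to-work flag and receives nothing else."""
    credential, disclosures = issue_credential({
        "name": "A. Example",          # constructed sample data
        "date_of_birth": "1990-01-01",
        "right_to_work": "yes",
    })
    presentation = present(credential, disclosures, ["right_to_work"])
    return verify(presentation)


if __name__ == "__main__":
    print(right_to_work_check())  # only the disclosed attribute is returned
```

The design point for a controller is that the verifier's logs, even if fully retained, contain only the disclosed attribute and opaque commitments, so the record of what was processed matches the stated purpose; a production wallet would replace the HMAC with an asymmetric signature so that relying parties can verify without holding issuer secrets.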
5. Cross-border friction: UK rules versus the European Digital Identity agenda: The EU’s new digital-identity framework emphasises interoperability, cross-border recognition and high security for digital wallets, aiming to scale uptake and consistent protections; those aims were described in EU documents pushing for wide citizen adoption and technical harmonisation [2] [3]. The UK must reconcile equivalence of protection with the EU’s standards if cross-recognition is desired; while the UK GDPR shares core principles with the EU GDPR, differences in subordinate frameworks, certification processes and the DIATF’s scope create legal and operational gaps that relying parties should map before accepting foreign-issued credentials [6] [2].
6. What to watch next — audits, supply chains and legal clarifications: The immediate priorities for organisations and regulators are restoring credible certification, tightening supplier assurance, and publishing clear guidance on controller responsibilities when digital IDs are used for mandatory checks. Regulatory enforcement will focus on failures in risk assessment, insufficient contractual protections, and lapses in technical controls. Observers should monitor government guidance updates, ICO decisions and whether mutual-recognition negotiations with the EU address technical equivalence and data-protection parity [1] [4] [3].
7. Bottom line for organisations and citizens: Under UK GDPR, digital identity systems are treated as data-processing ecosystems that require documented legal bases, minimised attribute sharing, robust security controls, and transparent redress routes; certification frameworks like DIATF operationalise those principles but are not a substitute for controller duties, and certification lapses can immediately undermine trust and legal defensibility [1] [4]. For cross-border use, organisations should compare DIATF claims against EU interoperability commitments and track regulatory pronouncements to manage compliance and user rights effectively [2] [3].