In plain words
The UK has its own data protection regulator. It is called the ICO. UK GDPR sets the core rules. The Data Protection Act 2018 adds detail on top. Fines can reach £17.5 million. Or 4% of global turnover, if that is higher. UK documents carry UK-only fields. Think NINO, NHS Number, UTR, sort code. Generic tools built for the US or the EU often miss these. anonym.plus runs only on your device. No document goes to a server. No cloud sits in the middle. The app spots UK fields and redacts them on the spot. Nothing is transmitted, so there is no transfer question to answer. That keeps audits simple. That keeps risk low. That keeps your data where it belongs — with you.
Organisations handling personal data in the UK operate under a distinctly British regime, even though it started life as the EU's GDPR. Since Brexit, the UK runs its own version — UK GDPR — sitting alongside the Data Protection Act 2018, both enforced by a single national regulator rather than the patchwork of authorities found across the EU. In practice this means payroll files, tax correspondence, loan applications, NHS referral letters and HR records all carry identifiers that a US- or EU-tuned detector will not recognise: National Insurance Numbers, NHS Numbers, Unique Taxpayer References, and UK bank sort codes. The sections below cover who enforces UK data protection law, which UK-specific fields anonym.plus is built to detect, and why processing everything locally sidesteps the cross-border transfer question altogether.
ICO — the UK's Data Protection Regulator
A single national authority oversees data protection across the UK, backed by UK GDPR and the Data Protection Act 2018.
ICO — Information Commissioner's Office
Authority: Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection and freedom of information
Remit: Enforces UK GDPR and the Data Protection Act 2018 across private-sector organisations, public bodies and the NHS
Basis: UK GDPR (the retained, UK-specific version of the EU GDPR) read together with the Data Protection Act 2018
UK GDPR + Data Protection Act 2018
Status: Post-Brexit, the UK operates its own UK GDPR — the EU GDPR text retained into UK law with UK-specific amendments — rather than the EU Regulation directly
Supplementing law: The Data Protection Act 2018 fills in national detail: Part 2 covers general processing, Part 3 covers law enforcement processing, and Part 4 covers the intelligence services
Key point: This is a separate legal regime from the EU's — a UK organisation trading with the EU may need to satisfy both frameworks
Fines & enforcement
Maximum penalty: Up to £17.5 million or 4% of an organisation's total worldwide annual turnover, whichever is higher
Note: The UK figure is expressed in pounds sterling, not euros — a direct post-Brexit consequence of UK GDPR being a separate UK instrument rather than the EU Regulation
Enforcement: The ICO can also issue enforcement notices, reprimands and stop-processing orders in addition to monetary penalties
UK PII Entity Types
anonym.plus detects 340+ PII entity types overall, including the UK-specific identifiers below that generic, US-built scanners routinely miss.
| Entity | Format / Description | Validation note |
|---|---|---|
| National Insurance Number (NINO) | Two letters, six digits, one letter suffix, e.g. AB 12 34 56 C | Certain prefix-letter combinations are excluded and the suffix is restricted to A–D; format rules are HMRC-defined |
| NHS Number | 10 digits, e.g. 943 476 5919, used across NHS England, Wales and the Isle of Man | The first nine digits are each weighted (positions weighted 10 down to 2), summed, and reduced modulo 11; subtracting the remainder from 11 gives the check digit (11 → 0), and a remainder of 10 marks the number invalid |
| Unique Taxpayer Reference (UTR) | 10 digits, issued by HMRC to individuals and businesses for Self Assessment and Corporation Tax | Fixed-length numeric format; no publicly documented checksum is asserted here |
| Sort code + account number | 6-digit sort code in XX-XX-XX form plus an 8-digit account number, identifying a UK bank branch and account | Format-based detection; some sort-code ranges map to specific banking groups |
| IBAN (UK) | 22 characters: GB + 2 check digits + 4-letter bank code + 6-digit sort code + 8-digit account number | Check digits follow the international IBAN standard (ISO 13616 / MOD 97-10) |
| UK passport number | 9-digit numeric identifier printed on the passport's information page and machine-readable zone | Format described without asserting a specific check-digit algorithm here |
| UK driving licence number | 16-character alphanumeric code, e.g. MORGA657054SM9IJ, encoding parts of surname and date of birth | DVLA-defined structure; no checksum is asserted here |
| UK postcode | Outward + inward code, e.g. EC1A 1BB or SW1A 1AA | Royal Mail postcode-area pattern matching |
| Phone number / email address | UK dialling formats (+44) and standard email syntax | Pattern and context-based detection |
Before/After: Redaction in Practice
A sample sentence of the kind found in payslips, loan applications or HR files — before and after local anonymisation by anonym.plus.
Key UK GDPR Provisions for Anonymisation
Art. 4(1) — Personal data
Defines personal data as any information relating to an identified or identifiable natural person. UK GDPR retains the same article numbering as the EU Regulation, so this definition is unchanged from the EU text.
Art. 5(1)(c) — Data minimisation
Personal data must be adequate, relevant and limited to what is necessary for the purpose of processing. Anonymising documents before they are archived, shared, or fed into a third-party or AI system is a direct way to satisfy this principle.
Art. 9 — Special category data
Health data, biometric data and other sensitive categories are subject to a general processing prohibition with narrow exceptions. NHS Numbers and health information appearing in documents typically fall within this category.
Art. 17 — Right to erasure
Data subjects can require erasure of their personal data. Irreversible anonymisation often satisfies this requirement where a full technical deletion is not practicable — for example, when a record must be retained for other legal reasons.
Art. 32 — Security of processing
Requires appropriate technical and organisational measures proportionate to risk — pseudonymisation and encryption are named as example measures in Art. 32(1)(a).
Art. 44–49 — International transfers
Sets out the conditions under which personal data may be transferred outside the UK — adequacy regulations, standard contractual clauses, or specific derogations. This is exactly the chapter that becomes irrelevant when no transfer takes place at all.
The Offline Advantage: No Transfer, No Question
"There is no cross-border transfer question — the data never leaves your device, so UK GDPR's international-transfer rules simply don't apply."
The ICO enforces strict limits on cross-border data transfer and expects consistent data minimisation under Art. 5(1)(c) UK GDPR. Cloud-based PII tools have to work through adequacy assessments, standard contractual clauses or processor agreements precisely because a document leaves the organisation's own infrastructure the moment it is uploaded.
anonym.plus cannot breach those transfer rules in the first place, because no document ever leaves your device. Detection and anonymisation run entirely locally: Presidio and spaCy are bundled directly into the installer, there are no API calls out for text recognition, and there is no document data egress by design — you can verify this yourself by disconnecting the network entirely and confirming anonymisation still runs. Where encryption is used, it happens locally with AES-256-GCM — the key stays with you.
The result: no processor agreement to negotiate, no third-country transfer assessment, no cloud vendor anywhere in the chain. Just the app, the document, and your device.
Get Started
Download anonym.plus as a desktop app for Windows, macOS and Linux. Free starter plan available; one-time licences with no subscription from £149.