Yes, the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 apply to organizations established in the UK that process personal data.

For contracts with a cloud service provider as a data processor, such contracts would need to include provisions that address the mandatory requirements for contracts with data processors under Article 28 of the UK GDPR.