Data protection & privacy laws in United Kingdom (2026)
The United Kingdom operates a comprehensive data-protection regime built on the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, both retained and adapted post-Brexit. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in stages; it amends the UK GDPR and DPA 2018 (notably on automated decision-making, international transfers, and PECR) without replacing the core framework. The ICO is the independent supervisory authority and continues active enforcement, including fines of up to £17.5 million or 4% of global turnover.
Key points
The UK GDPR (a retained and amended version of EU GDPR) and the Data Protection Act 2018 together constitute the primary data-protection law, establishing lawful-basis requirements, data-subject rights, controller/processor obligations, and accountability duties.
The Data (Use and Access) Act 2025 (DUAA 2025) received Royal Assent on 19 June 2025 (UK Public General Act 2025 c.18). It amends the UK GDPR and DPA 2018 in areas including automated decision-making, international data transfers (adopting a 'not materially lower' protection test), AI/ADM codes of practice, and PECR cookie rules, but does not replace the UK GDPR framework. Commencement is phased, with the first commencement regulations effective 20 August 2025.
The Information Commissioner's Office (ICO) is the UK's independent data-protection regulator, with powers of investigation, audit, enforcement notices, and fines. DUAA 2025 provides for the ICO to be reconstituted as the 'Information Commission' (a body corporate); all existing functions transfer without operational disruption. The Act also grants new powers to compel witnesses and request technical reports.
Data subjects hold rights of access, rectification, erasure, restriction, data portability, objection, and rights relating to automated decision-making. Controllers must identify a lawful basis for processing, maintain records of processing activities, conduct DPIAs for high-risk processing, report qualifying breaches to the ICO within 72 hours, and ensure binding contracts with processors under Article 28.
The ICO can issue fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious infringements; DUAA 2025 raises the maximum PECR penalties to the same level. Active enforcement continues: Reddit was fined £14.47 million in February 2026 for children's privacy failures.
The Privacy and Electronic Communications Regulations 2003 (PECR) govern cookies, direct marketing, and communications data. DUAA 2025 amended PECR to align enforcement powers and penalties with the UK GDPR, extend the soft opt-in to charities, clarify cookie rules by permitting consent-free use for low-risk statistical and similar functions, and broaden the definitions of 'call' and 'communication'. The ICO published its final storage and access technologies guidance in April 2026.
Timeline - major decisions & events
October 2025 · The ICO imposed a £14 million penalty on Capita plc and Capita Pension Solutions for UK GDPR failures arising from a March 2023 cyber-attack that exposed personal data of over 6.6 million individuals. The fine was reduced from a proposed £45 million after Capita settled early and did not appeal. (ICO ↗)
June 2025 · The DUA Act 2025, the UK's first major data legislation since Brexit, received Royal Assent on 19 June 2025, amending the UK GDPR, Data Protection Act 2018, and PECR to streamline compliance, establish a Digital Verification Services framework, introduce Smart Data schemes (extending Open Banking), and extend ICO powers. Commencement is phased over 12 months. (GOV.UK ↗)
May 2024 · The Data Protection and Digital Information Bill, which aimed to reform the UK GDPR into a lighter-touch domestic regime, was lost when Parliament was prorogued for the snap general election called on 22 May 2024. The incoming Labour government subsequently restarted the reform agenda, leading to the DUA Act 2025. (UK Parliament ↗)
September 2021 · After a one-year transition period from its publication in September 2020, the ICO's statutory Children's Code (Age Appropriate Design Code) required all online services likely to be accessed by under-18s to apply high-privacy defaults, minimise data collection, and give primacy to children's best interests. The code became a global template for children's privacy regulation. (ICO ↗)
June 2021 · Just two days before expiry of the post-Brexit bridging arrangement, the European Commission adopted two adequacy decisions, one under the GDPR and one under the Law Enforcement Directive, confirming UK standards were 'essentially equivalent' to EU standards and enabling continued free EU-to-UK data flows. The decisions included an unprecedented four-year sunset clause expiring June 2025. (European Commission ↗)
January 2021 · With the end of the Brexit transition period, the EU GDPR was retained in UK domestic law as the 'UK GDPR' under the European Union (Withdrawal) Act 2018, operating alongside the Data Protection Act 2018. The UK became a fully autonomous data-protection jurisdiction with the ICO as its sole supervisory authority. (legislation.gov.uk ↗)
May 2018 · The Data Protection Act 2018 (Royal Assent 23 May 2018) came into force alongside the EU GDPR, repealing the DPA 1998. It set the ICO's maximum fine at £17.5 million or 4% of global annual turnover, created UK-specific exemptions for national security, law enforcement, and immigration, and gave effect to individuals' enhanced GDPR rights, including erasure and data portability. (legislation.gov.uk ↗)
December 2003 · PECR transposed the EU ePrivacy Directive 2002/58/EC into UK law, governing cookies, unsolicited electronic marketing, and telecommunications traffic and location data. It introduced the foundational 'cookie consent' requirement and remains in force today alongside the UK GDPR, enforced by the ICO. (legislation.gov.uk ↗)
March 2000 · The DPA 1998 (Royal Assent 16 July 1998) came into full force, implementing EU Directive 95/46/EC. It extended data-protection obligations beyond computerised records to structured manual filing systems, replaced the Data Protection Registrar with the Data Protection Commissioner (retitled Information Commissioner in 2001, the office now known as the ICO), and gave individuals the right to access personal data held about them. (legislation.gov.uk ↗)
July 1984 · The DPA 1984 received Royal Assent as the UK's inaugural data-protection statute, shaped by the OECD Privacy Guidelines (1980) and the Council of Europe Convention 108 (1981). It applied exclusively to computerised personal data, established eight core data-protection principles, and created the Data Protection Registrar, the forerunner of the ICO. (legislation.gov.uk ↗)
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.