Data & Privacy · United Kingdom
The United Kingdom operates a comprehensive data-protection regime built on the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, both retained and adapted post-Brexit. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in stages; it amends the UK GDPR and DPA 2018 (notably on automated decision-making, international transfers, and PECR) without replacing the core framework. The ICO is the independent supervisory authority and continues active enforcement, including fines of up to £17.5 million or 4% of global turnover.
The UK GDPR (a retained and amended version of EU GDPR) and the Data Protection Act 2018 together constitute the primary data-protection law, establishing lawful-basis requirements, data-subject rights, controller/processor obligations, and accountability duties.
The Data (Use and Access) Act 2025 (DUAA 2025) received Royal Assent on 19 June 2025 (UK Public General Act 2025 c.18). It amends the UK GDPR and DPA 2018 in areas including automated decision-making, international data transfers (adopting a 'not materially lower' protection test), AI/ADM codes of practice, and PECR cookie rules, but does not replace the UK GDPR framework. Commencement is phased, with the first commencement regulations effective 20 August 2025.
The Information Commissioner's Office (ICO) is the UK's independent data-protection regulator, with powers of investigation, audit, enforcement notices, and fines. DUAA 2025 provides for the ICO to be reconstituted as the 'Information Commission' (a body corporate); all existing functions transfer without operational disruption. The Act also grants new powers to compel witnesses and request technical reports.
Data subjects hold rights of access, rectification, erasure, restriction, data portability, objection, and rights relating to automated decision-making. Controllers must identify a lawful basis for processing, maintain records of processing activities, conduct DPIAs for high-risk processing, report qualifying breaches to the ICO within 72 hours, and ensure binding contracts with processors under Article 28.
The ICO can issue fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious infringements; after DUAA 2025, PECR penalties are aligned with this same ceiling. Active enforcement continues: Reddit was fined £14.47 million in February 2026 for children's privacy failures.
The Privacy and Electronic Communications Regulations 2003 (PECR) govern cookies, direct marketing, and communications data. DUAA 2025 amended PECR to align enforcement powers and penalties with the UK GDPR, expand the soft opt-in to charities, clarify cookie rules by permitting consent-free use for low-risk statistical functions, and broaden the definitions of 'call' and 'communication'. The ICO's final guidance on storage and access technologies was published in April 2026.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.