The United Kingdom left the EU on January 31, 2020, and following a short transition period, which ended on December 31, 2020, the UK now has its own distinct data privacy legislation.

UK data privacy laws are largely based on the previously applicable European Regulation (EU) 2016/679 (“GDPR”), but the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 introduced a new UK version of the GDPR (“UK GDPR”).  The EU-wide GDPR is now known as the EU GDPR in the UK.

The UK GDPR applies to the processing of personal data if you offer goods and services to, or monitor the behaviour of, individuals in the UK.  The EU GDPR may also continue to apply if you offer goods and services to, or monitor the behaviour of, individuals in the EEA. So, for businesses that offer goods and services to both individuals in the UK and the EEA, they may need to comply with both the UK GDPR and the EU GDPR.

The Data Protection Act 2018 ("DPA 2018") was introduced to ensure that the UK and EU regimes were aligned post-Brexit. The DPA 2018 supplements the EU GDPR requirements and standards, sets out UK-specific exemptions, and addresses areas not dealt with by the EU GDPR (for example, the processing of personal data by law enforcement authorities and intelligence services).

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) implement European Directive 2002/58/EC, which grants certain privacy rights to individuals in respect of electronic communications. 

More recently, the UK has implemented the Data (Use and Access) Act 2025 (“DUA 2025”), which modifies certain provisions of the UK GDPR, the DPA 2018 and PECR. Certain provisions take effect immediately following royal assent on 19th June 2025, while other changes are phased in over the following 12 months. The extra-territorial reach of the UK GDPR means that, in practice, many businesses operating in or with the UK need to also adopt UK data privacy standards. As in the EEA, the increased fines under the UK GDPR, together with increased public expectations around data privacy, mean that compliance with data privacy laws must be taken seriously. Throughout this report, any changes that are specified in DUA 2025 but are not yet implemented at the time of writing are indicated by [square brackets] or as otherwise described.

For detailed information on the application of data protection laws in the United Kingdom, along with the implementation of DUA 2025, please contact Burness Paull LLP directly. 

The UK’s data protection supervisory authority, the Information Commissioner’s Office (“ICO”), is primarily responsible for enforcement action under the UK GDPR, the DPA 2018 and PECR. On 15th May 2023, the ICO issued its highest-ever monetary penalty of £12.7M against TikTok Information Technologies UK Limited and TikTok Inc for infringement of the DPA 2018 and the UK GDPR, primarily in respect of the misuse of children’s data. The most recent high-profile monetary penalty of £2.31M was applied against 23andMe. on 5th June 2025, for failing to protect the genetic data of its users.

UK courts regularly provide determinations on the application of the UK’s data protection law regime. Notable decisions include:

• Lloyd v Google LLC [2021] UKSC 50: The UK’s supreme court determined that a class action suit for unlawful processing of personal data under the Data Protection Act 1998 (which was replaced by the DPA 2018) could not proceed on the basis that (i) damage suffered by individual claimants could not be less than “material” and (ii) it had to be proven that unlawful processing had in fact occurred in respect of a given individual claimant.
• WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12: The UK’s supreme court determined that an employer could not be held vicariously liable for a “rogue” employee who unlawfully obtained personal data from the employer’s systems. 
• Rolfe & Others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB): The English High Court determined that a claim for damages arising from an unlawful disclosure of personal data could not succeed where there was no credible case of distress or damage arising from the unlawful disclosure of minimal personal data.  

Personal data: Article 4 UK GDPR defines personal data as “any information relating to an identified or identifiable natural person (“data subject”)” where “natural person” means “ one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.  

Sensitive data: Where UK data protection laws previously referred to “sensitive data” prior to the implementation of the EU GDPR, the UK continues to utilise the concept of “Special Category” personal data post-Brexit. 

Special Category Data is described at Article 9 UK GDPR as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

Criminal data is distinct from special category data and is described as “personal data relating to criminal convictions and offences”.

The UK GDPR does not apply to fully anonymized or aggregated data where a natural person cannot be identified.

Article 32 UK GDPR sets out the primary obligations of controllers and processors in respect of the security of processing. Article 32 requires all data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

In practice, this means that where the processing of certain data is inherently higher risk (whether by virtue of the nature of the data, the purpose of processing, or various other factors), there is a requirement to take more substantial precautions against the unlawful processing or disclosure of that data.

Other requirements of UK GDPR which are relevant to the protection of personal data include:

• Article 5 (principles relating to processing of personal data)
• Article 6 (Lawfulness of processing)
• Articles 12 to 14 (information to be provided to data subjects)
• Articles 15 to 18 (rights to access rectification, erasure, and restriction of processing)
• Article 25 (data protection by design and by default)
• Articles 33 and 34 (notification and communication of a personal data breach)
• Article 35 (data protection impact assessment)
• Article 36 (prior consultation)
• Articles 45 to 47 (transfer to third countries on the basis of adequacy decision, appropriate safeguards or binding corporate rules)

The UK GDPR’s obligations primarily apply to data controllers, which are defined as any natural person, corporate entity or other legal person, public authority, agency or other body that determines the purposes and means of data processing (alone or together with others). It also imposes direct obligations on data processors, which are defined as any natural person, corporate entity or other legal person, public authority, agency or other body that processes personal data on behalf of the data controller.

The UK GDPR applies to:

• The processing of personal data in the context of the activities of a data controller’s or data processor’s establishment in the UK (for UK GDPR), regardless of whether the data is processed in the UK or not or regardless of whether the data relates to UK residents or not. 
• The processing of personal data of persons within the UK by data controllers or data processors who are established outside the UK, where the processing is related to: 
  
  • the offering of goods or services to such data subjects in the UK (irrespective of whether payment is required); or 
  • the monitoring of the behaviour of such data subjects as far as the behaviour takes place in the UK.

Article 4 UK GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

In practice, the inclusion of “structuring” and “storage” in this definition means that processing is broadly defined, and so regardless of whether an organisation makes use of the personal data or not, its possession and storage will amount to processing, including the storage of physical documents or records. 
Personal data must be processed for specified, explicit and legitimate purposes.

Under the UK GDPR, a data controller must comply with the following principles under Article 5:

• Lawfulness, Fairness and Transparency – 
  
  • the data shall be processed lawfully (i.e., based on one of the six specified legal bases), fairly and in a transparent manner (e.g., pursuant to a privacy policy that meets the requirements of the UK GDPR) in relation to the data subject;
  • Please note that DUA 2025 will implement new exceptions to the obligation to provide privacy notice information to data subjects, but at the time of writing this has not yet been implemented.
• Purpose Limitation – the data
  
  • shall be collected [(whether from the data subject or otherwise)] for specified, explicit and legitimate purposes; 
  • shall not be further processed [by or on behalf of a controller] in a manner incompatible with the purposes for which the controller collected the data.
    Please note that DUA 2025 introduces provisions for processing data for new purposes which are compatible with the original purpose, but at the time of writing this has not yet been implemented.
• Data Minimization – the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed or are further processed;
• Accuracy – the data shall be accurate and, where necessary, kept up to date;
• Storage Limitation – the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed; 
• Integrity and Confidentiality – the data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental, loss, destruction or damage, using appropriate technical or organizational measures; and 
• Accountability – The data controller shall be responsible for and be able to demonstrate compliance with the above principles.

To be processed lawfully, the UK GDPR requires that personal data processing is based on one of the specified legal bases described in Article 6(1), which include the following:

1. Consent
   Personal data may be processed based on the data subject’s specific, freely given and informed consent.  
   
   • such consent must be provided by way of “a statement or by a clear affirmative action” (so pre-ticked boxes and implied consent fall short of the standard);
   • Data subjects have the right to withdraw their consent at any time and in an easy manner.
     The controller is under an obligation to demonstrate the data subject’s consent where the processing is based on consent.  
     Consent from a child in relation to online services will only be valid if authorized by a parent or guardian. According to Article 8 of the UK GDPR, a child can consent from 13 years old in respect of the provision of online services. 
2. Legitimate Interests
   A data controller may process personal data based on its legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.  
   
   The data controller must, however, inform the data subject of the particular legitimate interest pursued and the data subject has the right to object to the legitimate interest-based processing on grounds particular to his or her situation (see "Right of Objection" below). 
   
   Public authorities may not rely on this legal basis in the performance of their tasks.
   DUA 2025 will introduce a new lawful basis of processing for “recognised legitimate interests” (as set out in Schedule 4 DUA 2025); however, this provision has not yet been implemented at the time of writing. 
3. Contractual Necessity
   Personal data may be processed where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering a contract. The processing must, however, be necessary to contract performance rather than merely facilitative. 
4. Legal Obligations
   A data controller may process personal data where it is necessary to comply with a legal obligation to which it is subject. 
5. Vital Interest of the Data Subject
   The data controller may process personal data where it is necessary to protect the vital interests of the data subject or another natural person. 
6. Public Interest or in the exercise of Official Authority
   The data controller may process personal data where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

Special Categories of Personal Data
The processing of special categories of personal data is prohibited, except where [the processing is based on Article 6(1) and] it relies on one of the exceptions set out in Article 9:

1. The data subject has given explicit consent;
2. Processing is necessary for compliance with obligations or exercising rights under employment and social security and social protection laws in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the rights and freedoms of data subjects;
3. Processing is necessary to protect the vital interest of the data subject or another natural person where the data subject is physically or legally incapable of giving consent;
4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a political, philosophical, religious or trade union foundation, association or not-for-profit body and relates to the personal data of its members, former members and persons in regular contact only, which are not disclosed outside without consent;
5. The personal data processed are manifestly made public by the data subject;
6. Processing is necessary for the establishment, exercise or defence of a legal claim or whenever courts [or tribunals] are acting in their judicial capacity;
7. Processing is necessary for reasons of substantial public interest on the basis of domestic law [or relevant international law] which is proportionate, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the rights and interests of the data subjects;
8. Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, provision of health or social care or treatment or management of health or social care systems and services on the basis of domestic law or pursuant to a contract with a health professional;
9. Processing is necessary for reasons of public interest in the area of public health on the basis of domestic law;
10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, [is carried out in accordance with Article 84B (additional requirements when processing for RAS purposes) and is] on the basis of domestic law.
    In the United Kingdom, the ICO, and the NHS have published specific guidance and rules for the processing of health data.

Risk-Based Approach

Data controllers must also have “appropriate technical and organizational measures” in place to ensure and to be able to demonstrate that processing is performed in accordance with the UK GDPR, taking a risk-based approach. This requires that the controller takes account of the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The measures must be reviewed and updated where necessary and shall include the implementation of appropriate data protection policies.

Privacy by design and by default

The UK GDPR also requires controllers to implement the concepts of ‘privacy by design’ and ‘privacy by default’. This requires that a controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. That obligation applies to:

• the amount of personal data collected;
• the extent of their processing; and 
• the period of their storage and their accessibility. 

[In the case of processing carried out in the course of providing information society services which are likely to be accessed by children, the controller must take into account additional matters including how children can best be protected and supported when using the services and the fact that children merit specific protection with regard to their personal data  because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing and have different needs at different ages and at different stages of development.]

The UK GDPR requires that “appropriate technical and organizational measures” are in place to protect the security of personal data and that personal data not be retained for longer than is necessary for the purpose or purposes for which the data are processed.

Article 32 provides some detail on the standards that controllers and processors should take into account in determining appropriate security measures against unauthorized or unlawful processing, accidental damage, destruction or loss of data. The data controller must take into account:

• the state of the art; 
• the cost of implementing the measures; 
• the nature, scope, context and purposes of processing; and
• the risk of varying likelihood and severity for rights and freedoms of the data subject posed by the processing, in particular, those presented against unauthorized or unlawful processing, accidental damage, destruction or loss of data.

The UK GDPR notably states that pseudonymization and encryption should be considered where appropriate and that controllers maintain system resilience and security testing, backup, recovery and continuity measures.

Data controllers and data processors must ensure all of their employees comply with the security measures in place and not process personal data other than on the instructions of the controller.

Personal data may not be kept for longer than is necessary for the specified purpose or purposes for which it was collected and a data retention procedure or policy should be implemented in this respect. 

Under the UK GDPR, data subjects have enhanced rights in relation to their personal data, most of which only apply in specific circumstances.

The data controller shall provide information on action taken on a request within one month of receipt, which period may be extended by two further months where necessary, taking account of the complexity and number of requests and provided that the controller informs the data subject of such extension within one month of the request.

Where requests are manifestly unfounded or excessive, in particular, because of their repetitive character, the data controller may charge a “reasonable fee based on administrative costs” or refuse the request.

Right of Access

The data subject can ask the data controller for a copy of his or her personal data being processed by the data controller.

Right of Rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed.

Right of Erasure

In certain circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

Right of Restriction of Processing

The data subject has the right to obtain from the controller restriction (i.e. suspension) of the processing in certain circumstances, such as where the accuracy of the data is being contested, the processing is unlawful or the data subject has objected to the processing.

Right to Data Portability

The right to data portability of personal data is the right to receive the personal data provided by the data subject to the controller (on the basis of consent or contractual necessity) in a structured, commonly used and machine-readable format and to transmit that data to another controller.

Right to Object

The data subject has the right to object, on grounds relating to his or her particular situation, to the processing of the personal data based on the performance of a task carried out in the public interest or for the legitimate interests of the controller or a third party.

The controller must no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of their personal data at any time.

Automated Decisions with Legal or Significant Effects

Data subjects have a right not to be subject to automated decision-making in respect of the personal data, including profiling, with no human intervention where such a decision produces legal effects concerning the data subject or similarly significantly affects him or her (e.g., creditworthiness check or e-recruitment). This does not apply where explicit consent is provided, the processing is authorized by domestic law or the processing is necessary for the purposes of entering into or performing a contract with the data subject. 

Pursuant to Article 23 of the UK GDPR, these data subject rights may be subject to limitations or restrictions as prescribed by domestic law where necessary and proportionate to safeguard various matters specified in Article 23, ranging from issues of national security to the enforcement of civil law claims.

Restriction of the data subject’s rights

DPA 2018 provides for specific restrictions on the exercise of rights afforded to data subjects under UK GDPR. Details are provided for Schedules 2 (exemptions etc. from the UK GDPR), 3 (exemptions etc. from the UK GDPR: health, social work, education and child abuse data) and 4 (exemptions etc. from the UK GDPR:  disclosure prohibited or restricted by an enactment).

Exemptions to certain rights of data subjects which can be relied upon by most private organisations are found at Part 4 of Schedule 2, which include:

• legal professional privilege
• management forecasts
• negotiations
• confidential references

Right to make a complaint to the controller

Data subjects have a right to make a complaint to the controller where the data subject considers that, in connection with personal data relating to the data subject, there has been an infringement of the UK GDPR or Part 3 of the DPA 2018 (law enforcement processing). Controllers must facilitate the making of complaints, acknowledge complaints within 30 days, and take appropriate steps to respond to the complaint and inform the complainant of the outcome without undue delay. ]

Not applicable.

Where processing is carried out on the basis of consent by the data subject in accordance with Article 6(1)(a) UK GDPR, the controller must be able to demonstrate that the data subject has provided such consent in accordance with Article 7(1), which requires a record to be maintained of such consent.

Controllers may also process data without consent of the data subject where another lawful basis under Article 6(1) applies, and so authorisation by the data subject is not always required. Where processing is carried out on the basis that such processing is either necessary for performance of a task in the public interest or in the exercise of official authority (Article 6(1)(e)), or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f)), the data subject still has the right to object to such processing. 

The UK GDPR also restricts the transfer of personal data to a country outside the United Kingdom unless certain conditions or safeguards are in place.

Transfer to Adequate Countries Outside the United Kingdom

Transfers of data to a third country or international organization are permitted where the UK Government has made an adequacy regulation under Article 45 of the UK GDPR that there is an adequate level of protection of personal data in that country or organization.

The current list of countries that have been approved by the UK Government includes:

• The European Economic Area;
• Gibraltar;
• The Republic of Korea;
• The United States of America (only data transferred under the UK Extension to the EU-US Data Privacy Framework); and
• All countries, territories and sectors are covered by the European Commission’s adequacy decisions.
  There are also partial findings of adequacy for the following countries:
  
  • Canada - only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA");
  • Japan - only covers personal data transferred to private sector organisations falling within the scope of Japan’s Act on the Protection of Personal Information ("APPI") by Personal Information Handling Business Operators ("PIHBOs") within the meaning of the APPI. There are sectoral exclusions that apply, and these are listed in the EU’s adequacy decision for Japan.

Transfer to Non-Adequate Countries

Where the country to which the personal data will be transferred is not covered by an adequacy regulation, the transfer of personal data can still take place only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available.

The appropriate safeguards may be provided for by:

• a legally binding and enforceable instrument between public authorities or bodies; 
• binding corporate rules in accordance with Article 47; 
• standard data protection clauses issued by the ICO (which are distinct from the standard contractual clauses issued by the European Commission);
• an approved code of conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or
• an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; 
• binding corporate rules pursuant to Article 47.

There are two sets of standard data protection clauses available for use in the UK: the “International Data Transfer Agreement” (“IDTA”) and the “International Data Transfer Addendum” (“Addendum”), which is an addendum to the existing European Commission standard contractual clauses.

The standard data protection clauses are the most commonly used appropriate safeguard mechanism. However, according to the Schrems II Decision, controllers relying on the IDTA, Addendum or BCRs are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the United Kingdom. This process is referred to in the UK as a “Transfer Risk Assessment” (“TRA”). Where necessary, supplementary measures (i.e., legal, technical or organizational measures) have to be implemented to ensure such an essentially equivalent level of protection.

The UK GDPR also provides for derogations to the prohibition of personal data transfers, for instance, where the data subject has explicitly consented to the transfer, after having been informed of the possible risks due to the absence of an adequacy regulation. 

DUA 2025 will implement modifications to the existing international transfer mechanisms. In particular, a new “data protection test” will be implemented to be used when carrying out TRAs and will seek to ensure that the third country’s standard of protection is “not materially lower” than the standard under the UK GDPR. The updates will also allow the UK Government to “blacklist” certain countries from receiving personal data where the restriction is in the public interest. 

Not applicable.

The UK GDPR introduces a compulsory requirement for controllers to report data breaches to the competent national supervisory authority(ies) (please see below) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects.  

A risk assessment will, therefore, need to be taken by the controller in evaluating whether the obligation to report arises. Where a breach poses a high risk to data subjects, the UK GDPR also requires that the controller communicate the breach to the affected data subjects without undue delay. Regardless of whether notification to the regulator is made or not, controllers must document all personal data breaches, including the facts, their effects, and remedial action taken.

Where a processor has suffered a personal data breach, the processor must notify the controller “without undue delay” after becoming aware of the breach.

The UK GDPR provides for enhanced, wide-ranging powers of enforcement to the ICO, which may impose substantial fines for breaches of the UK GDPR.

The tasks of the ICO are set out in Article 57 of the UK GDPR and include, among others:

• monitoring and enforcing the application of the UK GDPR; 
• promoting awareness;
• handling complaints; 
• conducting investigations;
• cooperating with other supervisory authorities;
• administrative tasks such as drawing up codes of conduct, reviewing certifications and approving binding corporate rules. 

The powers of the ICO are set out in Article 58 and include, among others:

• ordering the production of information from controllers and processors;
• conducting investigations in the form of audits, including onsite investigations;
• issuing warnings, reprimands, and enforcement orders, 
• ordering the suspension or ban of non-compliant processing activities;
• the imposition of administrative fines; and
• advising, for example, in relation to high-risk processing or issuing opinions.

The primary risk to controllers of data breaches is the application of administrative fines by the ICO.  The amount of a fine depends on the nature of the infringement in question with the applicable thresholds being up to:

• 2% of the total global annual turnover of an undertaking for the preceding financial year or GBP 8,700,000, whichever is higher; or
• 4% of the total global annual turnover of an undertaking for the preceding financial year or GBP 17,500,000, whichever is higher.

Controllers are required to generally comply with any orders of the ICO during its investigations, including the provision of information relating to the data breach, the affected data and the controller’s processes, procedures and other safeguards.

Data subjects who have suffered some material harm have the right to seek damages from the controller via litigation in the UK courts. Damages can be payable for monetary losses as well as other harm in the form of distress and alarm.

Even where the ICO chooses not to impose monetary fines, the publication of reprimands can still result in reputational damage to data controllers. 

The use of publicly available electronic communications services to send unsolicited communications or to make unsolicited calls for the purpose of direct marketing is restricted. Generally, such communications by electronic means require consent or are subject to a right to opt out.

In the United Kingdom, the PECR (as amended) requires prior consent to send direct marketing electronic communications (e.g., emails and texts). However, there are limited exemptions for certain existing commercial relationships, in respect of similar products or services (known as the "soft opt-in"). Individuals must be given an opportunity to opt out of direct marketing at the time their personal data is collected. If they do not opt out, recipients must be given, on each communication, an opportunity to opt out (unsubscribe).

Where direct marketing requires the processing of personal data, the UK GDPR applies, and controllers will be required to ensure that a lawful basis applies to the use of personal data for direct marketing purposes. In particular, it should be noted that the soft opt-in approach described above is not compatible with processing on the basis of Article 6(1)(a) UK GDPR (consent) and is therefore most commonly used where the controller is relying on Article 6(1)(f) (legitimate interest). 

The UK GDPR, DPA 2018, and PECR are the most comprehensive legislative provisions in the United Kingdom in respect of personal data privacy requirements. Certain sectors are required to comply with additional procedural and security requirements, where applicable, under the supervision of sector-specific regulators. Examples include:

• Health and social care: additional requirements apply to the use of confidential patient data, including the use of such data beyond individual care. 
• Financial services: financial institutions regulated by the Financial Conduct Authority and the Prudential Regulation Authority are subject to enhanced data security requirements, along with other safeguards against fraud and money-laundering. The processing of payment card transactions is subject to the Payment Card Industry Data Security Standard. 
• Telecoms: Telecommunication service providers are subject to further security requirements under the regulation of Ofcom.

Article 37 UK GPDR requires a controller to designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or; (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Where a DPO is appointed, Article 38, UK GDPR requires controllers to:

• ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
• support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge.
• ensure that the data protection officer does not receive any instructions regarding the exercise of their tasks, and to not dismiss or penalise them for performing their tasks. The DPO must directly report to the highest management level of the controller or the processor.
  Article 39 UK GDPR sets out the minimum tasks that must be conducted by DPOs, which include:
  
  • inform and advise the controller and the employees who carry out processing of their obligations
  • monitor compliance with applicable data protection laws in the United Kingdom and with the polices of the controller or processor in relation to the protection of personal data
  • provide advice on DPIAs and monitor its performance
  • cooperate with the ICO and act as a point of contact 

Data controllers must generally maintain records to demonstrate accountability as specified under the accountability principle at Article 5 UK GDPR.

Article 7(1) UK GDPR requires that when processing is based on consent, controllers must be able to demonstrate that a data subject has consented to such processing, and so records of consent will need to be maintained.  

Article 30 UK GDPR requires all controllers and processors to maintain a record of their processing activities. Such records must include, amongst other things, the purpose of processing, a description of the categories of data subjects, the categories of recipients of the personal data, and transfers of personal data to a third country or international organisation. The information to be recorded depends on whether the organisation is acting as a controller or processor.

This requirement does not apply if the controller or processor employs fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Article 28 UK GDPR requires a contract to govern the processing of personal data by processors on behalf of controllers. Written contracts should therefore be retained to demonstrate compliance with this obligation.  
Controllers will generally also need to maintain records of the following documents in order to comply with the accountability principle:

• Legitimate interest assessments to determine whether processing is lawful under Article 6(1)(f) UK GDPR;
• TRAs
• DPIAs

Controllers must carry out a DPIA prior to processing if processing is likely to result in a high risk to the rights and freedoms of the data subject. The controller must also seek the advice of the data protection officer if one has been appointed (whether voluntarily or as required under Article 37) when carrying out a data protection impact assessment.

DPIAs are always required if the processing involves either:

• systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
• processing on a large scale of special category data, or criminal data; or
• a systematic monitoring of a publicly accessible area on a large scale. 

The ICO also maintains a list of processing activities which it considers likely to result in high risk, including the use of the following:

• Innovative technology;
• Denial of service;
• Large-scale profiling;
• Biometrics: any processing of biometric data;
• Genetic data;
• Data matching;
• Tracking;
• Targeting of children or other vulnerable individuals; and
• Risk of physical harm.

Further details on the ICO's Guidance on DPIAs and the activities referred to above can be reviewed here.

The ICO provides a DPIA template however, its use is not mandatory.  

Controllers must only engage third-party vendors/processors who provide sufficient guarantees to implement appropriate technical and organisational measures to comply with the UK GDPR. In practice, this requires a degree of due diligence to be carried out in respect of all processors. The process will largely depend on the nature and scale of processing.

Article 28 UK GDPR requires a contract to govern the processing of personal data by processors on behalf of controllers.

While there is no explicit requirement to enter in to a contract with another independent or joint controller with whom data is shared, the broader obligations and principles of the UK GDPR, including the accountability principle under Article 5 and the data protection by design and by default requirements under Article 25 would generally impose an obligation to enter a formal data sharing agreement in these circumstances. Where the sharing of data with processors or controllers involves an international transfer of personal data, the requirements of the UK GDPR relevant to such activity (see above) will apply.    

For detailed information on how this aspect of UK GDPR applies, please contact Burness Paull LLP directly.

Administrative Fines

The level of administrative fines is set out in Article 83 together with examples of aggravating and mitigating factors in determining whether to impose a fine and, if so, the level of such fine. In each case, the ICO is to ensure that the imposition of fines is effective, proportionate, and dissuasive. The amount of a fine depends on the nature of the infringement in questio,n with the applicable thresholds being up to:

• 2% of the total global annual turnover of an undertaking for the preceding financial year or GBP 8,700,000, whichever is higher; or
• 4% of the total global annual turnover of an undertaking for the preceding financial year or GBP 17,500,000, whichever is higher.

Other Enforcement Mechanisms

The ICO can take other actions short of administrative fines for breaches of data protection law, including:

• Assessment notices;
• Warnings;
• Reprimands; and 
• Enforcement notices.

The ICO generally seeks to maximise its impact by focusing on high-risk areas or circumstances where non-compliance results in the most harm. Compared to other jurisdictions, the ICO generally limits its use of administrative fines, particularly where it considers organisations have genuinely sought to comply with data protection laws and has taken reasonable steps to comply.

Offences under DPA 2018

There is a limited number of criminal offences specified in DPA 2018. The primary offences are specified at sections 170 to 173 relating to the unlawful obtaining, and re-identification of personal data, and also for altering or deleting personal data to prevent disclosure to data subjects. Section 184 also provides that it is an offence to request records relating to health, convictions, or statutory functions for recruitment and employment purposes, or for a contract for services, unless permitted by applicable law or for reasons of public interest. 

There are limited obligations under UK GDPR to renew or update documentation, or to carry out audits.

Where Article 30 (record of processing activities) applies, controllers are required to maintain such records, and so they should be reviewed regularly for accuracy.

Controllers are required to review existing DPIAs if there is a change in the risk presented by the processing operations.

Other ongoing compliance review activities which are not explicitly stated but are generally recommended, include:

• Ensuring risk assessments (such as LIAs, TRAs or DPIAs) remain relevant and accurate
• Reviewing records of processing activities for accuracy and completeness
• Reviewing technical and organisational measures (including policies and procedures) to ensure they remain appropriate, taking into account the state of the art (Article 32)
• Maintaining privacy notices (Article 13/14) for accuracy
• Internal audits of the controller’s personnel for compliance with technical and organisational measures

The DUA 2025 is the most significant recent development in the United Kingdom. The act makes various changes to the current domestic law. At the time of writing, a number of provisions of DUA 2025 have been implemented, while others have not. The remaining provisions detailed in DUA 2025, which have not yet been implemented, are expected to be phased in over the 12-month period following royal assent. Material changes arising from DUA 2025 are indicated throughout this report; however, notable changes include:

• a new “recognised legitimate interests” lawful basis for processing personal data in specified circumstances;
• streamlined rules for international data transfers (shifting the test to “not materially lower” protection);
• requirement for “reasonable and proportionate” searches when responding to data subject access requests;
• relaxing certain restrictions on automated decision-making; and
• strengthens children’s data protection.