UK GDPR Explained: Principles, Rights and 2026 Reforms

The UK GDPR is the retained, UK version of the EU's General Data Protection Regulation, sitting alongside the Data Protection Act 2018 and enforced by the ICO. This guide explains the principles, lawful bases, your rights, and what the Data (Use and Access) Act 2025 is changing.
The Data Protection Principles
Anyone processing personal data in the UK, from a sole trader with a customer mailing list to a national government department, has to follow seven data protection principles set out in the UK GDPR:
- Lawfulness, fairness and transparency: you need a valid lawful basis (see below), you must not process data in a way people would find unduly surprising or unfair, and you must tell people clearly what you are doing with their data.
- Purpose limitation: collect personal data for specified, explicit purposes and do not use it for something incompatible with those purposes later.
- Data minimisation: collect only the data that is adequate, relevant and limited to what is necessary.
- Accuracy: keep personal data accurate and, where necessary, up to date, correcting or erasing it without delay if it is wrong.
- Storage limitation: do not keep personal data for longer than is needed for the purpose it was collected for.
- Integrity and confidentiality: protect personal data with appropriate security, including against unauthorised or unlawful processing, loss, or damage.
- Accountability: you must be able to demonstrate compliance with the other six principles, not just comply with them, through policies, records and internal governance.
The ICO can take enforcement action, including fines, against organisations that breach these principles, and they underpin every other right and obligation in this guide.
The Lawful Bases for Processing (Article 6)
Every use of personal data needs at least one lawful basis under Article 6 of the UK GDPR. There is no hierarchy between the bases; which one applies depends on the specific purpose and relationship, not on which is easiest to claim.

- Consent: the person has given clear, freely given, specific and informed consent for a particular purpose, and can withdraw it at any time.
- Contract: the processing is necessary to perform a contract with the person, or to take steps at their request before entering one.
- Legal obligation: the processing is necessary to comply with a legal obligation, other than a contractual one.
- Vital interests: the processing is necessary to protect someone's life, typically used only in genuine life-or-death situations.
- Public task: the processing is necessary to perform a task in the public interest, or to exercise official authority, usually relied on by public bodies.
- Legitimate interests: the processing is necessary for a legitimate interest of the organisation or a third party, balanced against the individual's rights and freedoms.
- Recognised legitimate interests: a new basis, in force from 5 February 2026, added by the Data (Use and Access) Act 2025.
Recognised legitimate interests is a closed list set out in a new annex to the UK GDPR, covering purposes such as safeguarding, preventing or detecting crime, responding to emergencies, national security, and certain disclosures to public bodies carrying out their public tasks. Unlike ordinary legitimate interests, it does not require a balancing test weighing the organisation's interest against the individual's rights, though a necessity test still applies. Public authorities cannot rely on it for their own core functions; it is aimed at organisations that hold data a public body or safeguarding function needs, such as a school flagging a welfare concern to social services.
Your Rights Under the UK GDPR
The UK GDPR gives individuals a set of rights over their own personal data:
- Right of access: you can ask an organisation what personal data it holds about you and get a copy, through a subject access request.
- Right to rectification: you can have inaccurate personal data corrected or completed.
- Right to erasure: sometimes called the "right to be forgotten", letting you ask for data to be deleted in certain circumstances, such as when it is no longer necessary or consent has been withdrawn.
- Right to restrict processing: you can ask an organisation to pause using your data while a dispute, such as an accuracy challenge, is resolved.
- Right to data portability: you can ask for data you provided under consent or a contract in a structured, machine-readable format, to move to another provider.
- Right to object: you can object to processing based on legitimate interests or public task, and to direct marketing outright.
- Rights around automated decision-making: you have safeguards against decisions made solely by automated means that have a legal or similarly significant effect on you, though the Data (Use and Access) Act 2025 narrowed some of these protections, widening the circumstances in which solely automated decisions are allowed.
None of these rights is absolute. Each comes with its own exemptions and conditions, and an organisation can lawfully refuse or limit a request where an exemption applies, for example to protect another person's rights, legal privilege, or a manifestly unfounded or excessive request.
What the Data (Use and Access) Act 2025 Is Changing
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and is being brought into force in phases rather than all at once, so different changes take effect on different dates through 2026:

- 20 August 2025: the provision establishing a new body corporate, the Information Commission, came into force. This is intended to eventually replace the Information Commissioner's Office as a single post-holder, but the operational and branding transition is still in progress in mid-2026; the regulator continues to operate and trade as the ICO, and this guide refers to it as the ICO throughout.
- 5 February 2026: two significant changes commenced together: the new recognised legitimate interests lawful basis described above, and a change to how subject access requests are handled. DUAA confirms that a controller need only carry out a "reasonable and proportionate" search when responding to a subject access request, and allows the one-month response clock to be paused while the controller is waiting for the requester to provide identification or clarify what they want.
- 19 June 2026: the requirement for controllers to have a proper complaints process, and to acknowledge a complaint within 30 days, comes fully into force.
DUAA also made other changes not covered in depth on this page, including reforms to cookie consent rules, research and scientific processing, and international data transfer mechanisms. The core structure of the UK GDPR, the principles, and most individual rights are unchanged.
UK Adequacy and Data Flows With the EU
Because the UK GDPR is closely modelled on the EU GDPR, the European Commission can recognise the UK as offering an "adequate" level of data protection, which allows personal data to keep flowing from the EU and European Economic Area to the UK without organisations needing extra contractual safeguards for routine transfers. The original UK adequacy decisions were due to expire in 2025, and the Commission used part of that period to assess whether the Data (Use and Access) Act 2025 would weaken UK protection.

On 19 December 2025, the European Commission renewed the UK's adequacy decisions (covering both the general data protection regime and law enforcement data), concluding the reforms in DUAA did not undermine the UK's adequate status. The renewed decisions run to a new expiry of 27 December 2031, with the Commission committing to a review at the four-year mid-point. For most UK organisations receiving personal data from EU customers or partners, this means no immediate change is needed to contracts or safeguards on the strength of adequacy, though the Commission's mid-point review means the position should be checked again well before 2031.
For the wider picture, see the UK data privacy hub and the United Kingdom country hub. Related guides include how to make a subject access request, the right to be forgotten, how to complain to the ICO, and data breach compensation.
This article is general information about the UK GDPR, not legal advice. Data protection law is fact-specific and continuing to change through the Data (Use and Access) Act 2025; consult the ICO or a qualified solicitor about your particular situation.
Frequently Asked Questions
What is the UK GDPR?
The UK GDPR is the UK's retained version of the EU General Data Protection Regulation, kept in UK law after Brexit. It sits alongside the Data Protection Act 2018 and is regulated by the ICO.
Is the UK GDPR the same as the EU GDPR?
They started identical, since the UK GDPR is the EU regulation retained in domestic law. Since then the two have diverged in places, most recently through the Data (Use and Access) Act 2025, which the European Commission reviewed before renewing the UK's adequacy decisions in December 2025.
What are the lawful bases for processing personal data?
Consent, contract, legal obligation, vital interests, public task and legitimate interests under Article 6, plus a new recognised legitimate interests basis in force from 5 February 2026 for a closed list of purposes such as safeguarding and crime prevention.
What is the new 'recognised legitimate interests' basis?
A lawful basis added by the Data (Use and Access) Act 2025, in force from 5 February 2026, covering a closed list of purposes such as safeguarding, crime prevention, emergencies and national security. It needs no balancing test, though a necessity test still applies, and public authorities cannot use it for their own core functions.
Is the ICO becoming the Information Commission?
The Data (Use and Access) Act 2025 establishes a new body corporate, the Information Commission, and the provision creating it came into force on 20 August 2025. As of mid-2026 the operational and branding transition is still under way and the regulator continues to trade as the ICO.
What rights do I have under the UK GDPR?
Rights of access, rectification, erasure, restriction, portability and objection, plus safeguards around solely automated decision-making. None are absolute, and the Data (Use and Access) Act 2025 narrowed some of the automated-decision protections.
Does the UK still have EU data adequacy?
Yes. The European Commission renewed the UK's adequacy decisions on 19 December 2025, allowing personal data to keep flowing from the EU to the UK, with the renewed decisions running to 27 December 2031.
What is the Data (Use and Access) Act 2025?
An Act that received Royal Assent on 19 June 2025 and is amending UK data protection law in phases through 2026, including the new recognised legitimate interests basis, subject access request changes, a new Information Commission, and a stricter complaints-handling requirement for organisations.
Updates
The Data (Use and Access) Act 2025 brought the new 'recognised legitimate interests' lawful basis into force, along with the 'reasonable and proportionate search' standard and 'stop the clock' rule for subject access requests.
The European Commission renewed the UK's EU data adequacy decisions, with a new expiry of 27 December 2031, confirming reforms under the Data (Use and Access) Act 2025 did not undermine the UK's adequate status.
Sources and References
- ICO: A guide to lawful basis(ico.org.uk).gov
- ICO: Data (Use and Access) Act 2025 - summary of changes to data protection(ico.org.uk).gov
- Data (Use and Access) Act 2025(legislation.gov.uk).gov
- Data Protection Act 2018(legislation.gov.uk).gov
- European Commission: Commission renews decisions to allow free and safe flow of personal data with the UK(ec.europa.eu).gov