UK Data Privacy Laws: UK GDPR, DPA 2018 & 2025 Reforms

Frequently Asked Questions
What is the difference between UK GDPR and EU GDPR?
The UK GDPR is the version of the EU GDPR incorporated into UK domestic law after Brexit through the European Union (Withdrawal) Act 2018. Both share the same core principles, rights framework, and two-tier penalty structure. The differences have grown with the Data (Use and Access) Act 2025: the UK has introduced recognised legitimate interests (five public-interest categories exempt from the balancing test), a more permissive automated decision-making framework, expanded PECR cookie exemptions, a stop-the-clock mechanism for subject access requests (SARs), and a simplified data protection test for international transfers. The UK GDPR is enforced by the ICO (transitioning to the Information Commission), with fines of up to GBP 17.5 million or 4% of worldwide annual turnover, while the EU GDPR is enforced by national supervisory authorities with fines of up to EUR 20 million or 4% of worldwide annual turnover.
What is the Data (Use and Access) Act 2025 and when did it come into force?
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. It is the most significant reform to UK data protection law since the Data Protection Act 2018 and amends the UK GDPR, DPA 2018, and PECR. The Act was commenced in stages: technical provisions from 20 August 2025, digital identity and child safety provisions from 1 December 2025, and the main data protection amendments (recognised legitimate interests, automated decision-making, SAR stop-the-clock, and PECR cookie changes) from 5 February 2026. The ICO governance transition to the Information Commission and complaints provisions are expected in mid-to-late 2026.
What are recognised legitimate interests under the DUAA 2025?
Recognised legitimate interests are five specific public-interest processing purposes for which Parliament has determined that the legitimate interest outweighs data subjects' rights, removing the need for organisations to conduct the balancing-test step of the usual legitimate interests assessment. The processing must still be necessary for the recognised purpose, so the purpose and necessity steps remain. The five categories are: national security, public security, or defence; preventing, detecting, investigating, or prosecuting crime; safeguarding vulnerable individuals, including children; responding to emergencies under the Civil Contingencies Act 2004; and assisting public bodies in performing statutory tasks. Direct marketing and network and information security are not recognised legitimate interests; they are listed as examples of ordinary legitimate interests that still require the full three-part assessment (purpose, necessity, and balancing).
What are the penalties for violating UK data privacy laws?
The ICO enforces a two-tier penalty structure. The higher tier allows fines of up to GBP 17.5 million or 4% of total annual worldwide turnover, whichever is greater, for serious violations including breaches of data protection principles, processing without a lawful basis, and violating data subject rights. The standard tier allows fines of up to GBP 8.7 million or 2% of global turnover for less severe breaches. Following the DUAA, PECR infringements can also attract fines up to GBP 17.5 million or 4% of turnover, compared to the previous GBP 500,000 maximum.
How quickly must a data breach be reported to the ICO?
Under Article 33 of the UK GDPR, organisations must report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. The clock starts when the organisation has a reasonable degree of certainty that a breach has occurred, not when the investigation finishes. Not every breach must be notified: the duty applies unless the breach is unlikely to result in a risk to individuals' rights and freedoms, but all breaches, notified or not, must be recorded internally under Article 33(5). Where a breach is likely to result in a high risk, the organisation must also notify affected individuals directly under Article 34. Phased reporting is permitted: initial information can be provided within 72 hours with further details following as the investigation progresses, and a late report must explain the reasons for the delay. Failing to report when required can result in a fine of up to GBP 8.7 million or 2% of global turnover.
Can EU organisations still transfer personal data to the UK after Brexit?
Yes. The European Commission renewed its adequacy decisions for the UK on 19 December 2025, extending them until 27 December 2031. Both decisions cover transfers under the EU GDPR and under the Law Enforcement Directive. EU and EEA organisations can therefore continue to send personal data to the UK without Standard Contractual Clauses or other Article 46 safeguards. The Commission assessed that the Data (Use and Access) Act 2025 did not lower UK data protection standards.
What are the new cookie rules under the DUAA 2025?
The DUAA amended Regulation 6 of PECR to expand the categories of cookies (and similar storage technologies) that may be placed without prior user consent. In addition to strictly necessary cookies, websites can now use cookies without consent for: statistical or analytics purposes aimed at improving the service, service functionality and personalisation, software updates and user experience improvement, fault and technical error detection, and security or fraud detection. Cookies used under the statistics exemption must be used solely for that purpose and not for individual profiling, and users must be given clear information and a simple, free mechanism to object. PECR fines were also increased to match the UK GDPR maximum of GBP 17.5 million or 4% of turnover.
What is the Information Commission and when will it replace the ICO?
The Information Commission is the new data protection regulatory body that will replace the ICO under the Data (Use and Access) Act 2025. Unlike the ICO, which is a corporation sole with authority vested in the Information Commissioner personally, the Information Commission will be a body corporate governed by a board comprising a Chair, a CEO, and seven non-executive members. Paul Arnold has been appointed as the first CEO on an interim basis. Recruitment for non-executive board members was ongoing in early 2026, with the governance transition expected in spring/summer 2026 once appointments are completed.
Sources and References
- Data Protection Act 2018 (legislation.gov.uk)
- Data (Use and Access) Act 2025 (legislation.gov.uk)
- UK GDPR Guidance and Resources (ico.org.uk)
- A Guide to the Data Protection Principles (ico.org.uk)
- A Guide to Lawful Basis for Processing (ico.org.uk)
- Special Category Data Rules (ico.org.uk)
- Individual Rights Under UK GDPR (ico.org.uk)
- Personal Data Breaches: A Guide (ico.org.uk)
- Maximum Fine Under UK GDPR and DPA 2018 (ico.org.uk)
- DUAA Data Protection and Privacy Changes (gov.uk)
- DUAA Plans for Commencement (gov.uk)
- DUAA Factsheet: UK GDPR and DPA (gov.uk)
- DUAA Factsheet: ICO Reforms (gov.uk)
- EU Renews UK Adequacy Decisions (ec.europa.eu)
- International Data Transfer Agreement and Guidance (ico.org.uk)
- Data Protection Officers Guidance (ico.org.uk)
- Data Protection Impact Assessments (DPIAs) (ico.org.uk)
- ICO Enforcement Action: TikTok (ico.org.uk)
- ICO Clearview AI Upper Tribunal Judgment (ico.org.uk)
- Reddit £14.47m Fine for Children Privacy Failures, ICO 2026 (ico.org.uk)
- Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 (legislation.gov.uk)
- Information Commission Non-Executive Member Appointments (apply-for-public-appointment.service.gov.uk)
- Data (Use and Access) Act 2025 (Commencement No. 2) Regulations 2025 (SI 2025/982) (legislation.gov.uk)
- Data (Use and Access) Act 2025 (Commencement No. 3 and Transitional and Saving Provisions) Regulations 2025 (SI 2025/996) (legislation.gov.uk)
- Data (Use and Access) Act 2025 (Commencement No. 4) Regulations 2025 (SI 2025/1213) (legislation.gov.uk)
- Data (Use and Access) Act 2025 (Commencement No. 5) Regulations 2026 (SI 2026/31) (legislation.gov.uk)