
The UK GDPR & Data Protection Act 2018: Explained

Author

Rohma Fatima Qayyum

Associate Data Privacy Analyst at Securiti

Published September 12, 2023 / Updated October 2, 2025


Following the end of the Brexit transition period on 31 December 2020, the United Kingdom is no longer subject to the European Union General Data Protection Regulation (EU GDPR). However, the EU GDPR was incorporated into UK domestic law at that time, creating a new, parallel regime known as the UK GDPR.

While the UK GDPR is a separate legal framework, it is largely identical to the EU GDPR. The UK's Data Protection Act 2018 (DPA) also remains in force and works alongside the UK GDPR to govern data protection in the country. It is important to note that a UK business may still be subject to the EU GDPR if it offers goods or services to, or monitors the behavior of, individuals in the European Economic Area (EEA).

Most recently, the Data (Use and Access) Act 2025 (DUAA) has introduced several key reforms to the UK GDPR and DPA, notably implementing a "stop the clock" rule for data subject access requests, allowing data controllers to pause response times when seeking further information. It also establishes a more permissive framework for automated decision-making (ADM) using personal data, while retaining a strong prohibition for special categories of personal data unless specific exceptions (i.e., consent, performance of contract, domestic law authorization) apply. Moreover, the DUAA introduces "recognized legitimate interests" as a new lawful basis for non-public bodies to process personal data for purposes like national security, public security, defense, crime prevention, etc. It also imposes a new duty on online services accessed by children to consider their unique needs in service design.

The DPA works in conjunction with the UK GDPR, supplementing its provisions, providing specific details, and covering areas outside the UK GDPR's scope (e.g., processing by law enforcement bodies and intelligence services). Both should be read together to understand UK data protection obligations. For the purposes of this article, the focus will be mainly on general processing that applies to both private companies and public authorities.

So, what responsibilities do organizations have in the existing UK data protection legal framework? What are the data subjects’ rights? And what powers do the regulators have? Read on below to learn more:

1. Who Needs to Comply with the Law

Here’s how the UK GDPR and DPA apply to organizations:

a. Material Scope

The UK GDPR and the DPA apply to all forms of automated, structured, or unstructured personal data processing regarding data subjects based in the United Kingdom. Data processing by an individual during a purely personal or household activity is not included.

b. Territorial Scope

The territorial scope of the DPA and the UK GDPR can be summarized as follows:

  • It applies to organizations processing personal data in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the United Kingdom or not.
  • It applies to organizations that are engaged in the processing of personal data of data subjects who are in the United Kingdom. This means the following:
    • It applies to all organizations based outside the United Kingdom providing goods and services to data subjects within the United Kingdom.
    • It applies to all organizations based outside the United Kingdom that monitor the digital behavior of data subjects within the United Kingdom.

2. Obligations for Organizations Under the DPA & UK GDPR

Like all other major data protection laws, the DPA and the UK GDPR place certain obligations and responsibilities on organizations that collect and process users’ data. Some of these responsibilities include the following:

a. Lawful Basis Requirements

Organizations must have one of the following lawful bases for the processing of personal data:

  • Consent: The data subject consents to data processing for the specified purpose;
  • Performance of Contract: The processing of data is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request before entering into a contract;
  • Legal Obligation: The processing of personal data is necessary to perform a legal obligation to which the data controller is subject;
  • Vital Interests: To protect the vital interests of the data subject or of another natural person;
  • Public Interest: The processing of personal data is necessary for the performance of a task carried out in the public interest or the exercise of the controller’s official authority;
  • Legitimate Interests: The processing is necessary for the controller’s legitimate interests that override the data subject's interests;
  • Recognized Legitimate Interests: The processing is necessary for purposes of a recognized legitimate interest. Schedule 4 of the DUAA introduces a non-exhaustive list of processing activities, such as safeguarding vulnerable individuals and responding to emergencies, for which recognized legitimate interests can be used as a lawful basis of processing.

The DPA further clarifies that processing of personal data carried out in the public interest includes processing that is necessary for the administration of justice, the exercise of a function of either House of Parliament, the exercise of a function conferred on a person by an enactment or the rule of law, the exercise of a function of the Crown, a Minister of the Crown or a government department, or an activity that supports or promotes democratic engagement.

The UK GDPR and DPA define consent as “freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data”.

Under this description, consent gained from the user can only be valid if it is:

  • Freely given: Individuals are offered real choice and control concerning the processing of their personal data. Data subjects must be allowed to refuse to consent without any consequences or withdraw consent at any time without any detriment.
  • Informed: Individuals must be informed of the data controller, the purposes of the processing, and the types of processing activity. All information must be communicated in a concise, easy-to-understand, and user-friendly manner.
  • Specific: Specific consent must be obtained for specific data processing purposes. Consent must be separate from other terms and conditions.
  • Unambiguous: Consent must be obtained via a clear affirmative action (opt-in). The use of pre-ticked checkboxes is prohibited.

c. Security Requirements

The UK GDPR and the DPA require organizations to undertake standard security measures to protect all collected data appropriately. This includes implementing the following mechanisms:

  • Appropriate technical, physical, and organizational security controls that ensure only relevant personnel have access to collected data.
  • Encryption or pseudonymization of data, depending on the risks presented by the processing.
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • Measures ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a security incident.
  • A process for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures.

d. Data Breach Requirements

When a data breach has occurred, organizations are required to assess the severity of the potential or actual impact on individuals as a result of the breach. If it is likely that there will be a risk to an individual's rights and freedoms, organizations must notify the breach to the Information Commissioner's Office without undue delay and no later than 72 hours after having become aware of the breach.

The report to the Information Commissioner's Office (ICO) must include the following information:

  • The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned;
  • Contact details of the Data Protection Officer (DPO);
  • Likely consequences of the data breach;
  • Description of all measures taken since the data breach to mitigate its effects.

If the data controller fails to notify the ICO within 72 hours, it must include an explanation for the delay.

If the data breach is likely to present a “high risk” to the rights and freedoms of individuals, the data controller must inform the data subjects of such without undue delay.

The communication must include the following:

  • The nature of the breach in clear and plain language;
  • Name and contact details of the DPO;
  • Likely consequences of the data breach; and
  • Description of all measures taken since the data breach to mitigate its effects.

Data processors are also required to notify personal data breaches to data controllers without undue delay after becoming aware of the personal data breach.

e. Data Protection Officer Requirement

The data controller must hire a DPO if they meet any of the following criteria:

  • The data controller is a public authority or body (except for courts acting in their judicial capacity);
  • Their core activities involve large-scale, regular, and systematic monitoring of individuals (e.g., online behavioral tracking); or
  • Their core activities consist of large-scale processing of special categories of data (e.g., health data) or data relating to criminal convictions.

f. Data Protection Impact Assessment

Where a data processing activity is likely to result in a high risk to the rights and freedoms of individuals, the data controller/processor must conduct a data protection impact assessment (DPIA) before beginning the processing of data.

The DPIA must include the following:

  • A general description of the processing activities envisioned and the purposes of processing;
  • An assessment of the necessity and proportionality of processing operations in relation to the purposes;
  • An assessment of potential risks to data subjects’ rights and freedoms;
  • The measures undertaken to mitigate identified potential risks, including safeguards, security measures, and mechanisms, implemented to protect personal data.

g. Record of Processing Activities

The data processors and data controllers must maintain a regular record of all processing activities.

Such a record must contain the name and contact details of the data controller and data processor, purposes of processing, categories of data subjects, categories of personal data, categories of data recipients, details about international data transfers, and a description of technical and organizational security measures.

h. Cross-Border Data Transfer Requirements

Cross-border or international data transfers are allowed if there is a legal basis for doing so and one of the following criteria is met:

  • The data is to be transferred to a country whose standard of data protection is “not materially lower” than the UK’s standards;
  • There are binding corporate rules in place;
  • There are approved standard contractual clauses in place;
  • The data is to be transferred to a country that holds the necessary certifications related to data protection and security as per the approved certification scheme by the ICO;
  • The data receiver has signed up to a code of conduct approved by the ICO;
  • There exist administrative arrangements between public authorities or bodies.

In the absence of the above mechanisms, a cross-border transfer can take place under any of the following exceptions. These exceptions can be relied on only in exceptional cases and not for routine data transfers.

  • The data subject has provided his or her explicit consent;
  • The transfer is necessary for the performance of a contract with the data subject;
  • The transfer is necessary for the performance of a contract with another individual that benefits the data subject whose data is being transferred;
  • The transfer is necessary for public interest reasons;
  • The transfer is necessary for the establishment, exercise, or defense of legal claims;
  • The transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • The transfer is made from a public register that is intended to provide information for the public.

3. Data Subject Rights

Here are the data subject rights users are entitled to as per the DPA and the UK GDPR. These rights can be exercised upon the data subject’s request under certain limited circumstances and have exemptions as discussed below:

a. Right to be Informed

All data subjects have a right to be informed about the collection and usage of their personal data. This right entails giving them information about what controllers do with their personal data in a precise, transparent, intelligible, and easily accessible form, using clear and plain language. The right to be informed includes the following:

  • The identity and contact information of the data controller and their representative;
  • The contact information of the DPO, if applicable;
  • The purpose of processing the personal data and the intended legal basis;
  • The legitimate interests of the controller or a third party, when applicable;
  • Any recipients or categories of recipients of the personal data;
  • Information about any planned international transfers of personal data, including the safeguards in place or how to access them.

b. Right of Access

All data subjects have the right to access and know exactly what information has been collected on them. This includes the following:

  • The purpose for which their personal data is being processed;
  • The categories of personal data involved;
  • The recipients of the data, especially those in third countries or international organizations;
  • The storage period for the data, or the criteria used to determine that period;
  • Their rights to request correction, erasure, or restriction of their data, or to object to its processing;
  • Their right to lodge a complaint with the Commissioner;
  • The source of the data, if it wasn't collected directly from them;
  • The existence of any automated decision-making or profiling, including the logic and consequences of such processing.

The data subject will be informed if their personal data is transferred to a third country or an international organization, and the safeguards that organizations undertake. Moreover, data subjects have a right to obtain a copy of the personal data that is being processed. It is important to note that the data subject is only entitled to such information that the data controller is able to provide based on a reasonable and proportionate search for the personal data and other information as described above.

c. Right of Rectification

All data subjects have the right to request rectification of inaccurate personal data concerning them or to have their incomplete personal data completed, including by means of providing a supplementary statement.

d. Right of Erasure

All data subjects have the right to request that any data collected on them be erased without undue delay and any further data processing be ceased. A data subject can exercise this right in the following circumstances:

  • Data collected is no longer necessary for the purpose for which it was collected;
  • The data subject has withdrawn their consent to data collection;
  • The data subject has objected to data collection, and there are no overriding legitimate grounds for the processing;
  • Data was unlawfully processed;
  • Data must be erased pursuant to a legal obligation in a state where the data controller is a subject.

e. Right of Data Portability

All data subjects have the right to transmit the data collected on them in a structured, commonly used, and machine-readable format to another controller without any hindrance as long as:

  • The data subject has consented to such processing of the personal data; and
  • The processing is carried out via automated means.

f. Right to Object

All data subjects have the right to object to the processing of personal data where processing is carried out in reliance on public interest or legitimate interest, including profiling. Data controllers are obligated to cease all data processing activities related to their data, including for direct marketing or scientific or historical research purposes, or statistical purposes. The data controller must abide by this request unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

g. Right to Restriction of Processing

All data subjects can request a restriction on the processing of their personal data in the following cases:

  • The data subject contests the accuracy of the data collected, for a period enabling the controller to verify the accuracy of the personal data;
  • Data was unlawfully processed, and the data subject requests the restriction of data processing rather than erasure of data;
  • The data controller no longer needs to process the data, but the data subject requires that data for the establishment, exercise or defence of legal claims;
  • The data subject has objected to their data being processed, and verification is pending as to whether the legitimate grounds of the controller override those of the data subject.

Where a data subject has exercised their right to restrict the processing, data can only be processed with the data subject’s consent for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of important public interest.

h. Automated Individual Decision-Making

The DUAA has shifted the approach from the previous regime under UK GDPR, which broadly prohibited automated decision-making with limited exceptions (e.g., consent, performance of contract, authorization by law). The DUAA now creates a more permissive framework, allowing organizations to use automated decision-making more freely, but with mandatory safeguards in place.

These safeguards ensure that organizations must:

  • Provide information to individuals about how and why the decision was made.
  • Enable individuals to make representations about the decision.
  • Allow individuals to obtain human intervention to review the decision.

However, the restriction on using automated decision-making remains for processing special category data, such as health or biometric information.

i. Notification Obligation Regarding Rectification/Erasure of Personal Data

If a data subject makes a request for rectification, erasure, or restriction of processing, the data controller must ensure that it communicates such requests to all parties to whom the data subject’s data has been disclosed.

However, the data controller is exempt from making such a communication if it proves impossible or would require a disproportionate effort.

Lastly, the DPA contains exceptions to data subjects’ rights. The aforementioned rights do not apply in situations pertaining to:

  • Prevention or detection of crime;
  • Prosecution of offenders;
  • Imposition of duty (tax etc.) on an individual;
  • Maintenance of effective immigration process or policies;
  • Safeguard of national security or defense purposes; and
  • All other functions designed to protect the public and regulatory functions.

4. Regulatory Authority

The Information Commissioner's Office (ICO) is the primary regulatory authority and holds investigative, corrective, and advisory powers and is responsible for enforcing both the UK GDPR and the DPA within the British territories.

The ICO’s responsibilities include advising Parliament, the government, other institutions, and bodies in matters related to legislation on ensuring data subject rights and processing of personal data. In addition, the ICO is responsible for making and presenting to Parliament an annual report on the types of infringements that took place and the measures that were taken.

The ICO is also responsible for promoting public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing, along with raising awareness among controllers and processors of their obligations. The ICO must also handle the complaints lodged by data subjects, adopt standard contractual clauses, and maintain a public register of certification mechanisms and data protection seals and marks.

Furthermore, the ICO also has the power to issue, per its own initiative or on request, opinions related to the protection of personal data to the Parliament, the government, other institutions, and bodies, as well as the general public.

The ICO is also responsible for preparing a code of practice meant to provide practical guidelines related to sharing personal data per data protection legislation’s requirements.

5. Penalties for Non-compliance

In case of infringements and non-compliance with the UK GDPR and DPA provisions, administrative fines can be imposed on the organization or a person. In deciding whether to impose an administrative fine and its amount, various factors are taken into consideration, such as the nature, severity, and duration of the failure, whether it was intentional or negligent, and any actions taken to mitigate harm. Other factors include the controller's or processor's responsibility and cooperation, any relevant past failures, the categories of data affected, and whether the penalty would be effective and proportional.

The standard maximum amount of penalty that can be imposed is £10 million or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher. This penalty is generally imposed where there is an infringement of the obligations of the:

  • Controller or processor
  • Certification body
  • Monitoring body

The higher amount of penalty is £20 million or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher. This penalty is generally imposed when the following are not dealt with as prescribed by the UK GDPR and DPA:

  • The basic principles for processing, including conditions for consent;
  • Data subject rights;
  • The transfers of personal data to a recipient in a third country or an international organization;
  • Non-compliance with an order of the ICO.

6. How an Organization Can Operationalize the Law

The GDPR often comes across as an intimidating piece of legislation for most organizations since it places so many responsibilities on them and specifies them in minute detail. The fact that the DPA is supposed to be read alongside the UK GDPR makes compliance for organizations in the UK all the more complicated.

However, it doesn’t necessarily have to be so. An effective way to initiate compliance efforts is to lay the proper foundations. Some steps that can help tremendously in that regard include the following:

  • Make sure your privacy policy is easily understandable and communicates all your obligations and data subject rights effectively;
  • Hire a DPO who is well-versed in both the UK GDPR and the DPA to ensure your compliance efforts are up to par;
  • Ensure all the company's employees and staff are aware of their responsibilities under the UK GDPR and DPA;
  • Conduct regular DPIAs for high-risk data processing activities as well as data mapping exercises to ensure maximum efficiency in your compliance efforts;
  • Implement robust vendor due diligence processes for third-party agents;
  • Notify the regulatory authority and impacted data subjects in case of a personal data breach without undue delay;
  • Ensure data subjects' rights fulfillment;
  • Ensure adequate consent management by obtaining consent as per the applicable requirements and maintaining consent records.

7. How Can Securiti Help

The GDPR remains a formidable piece of data protection legislation. Despite what its detractors might say, it managed to strike the perfect balance between ensuring user privacy and giving organizations enough leeway to appropriately market their products/services to their desired customers.

The UK is a unique case since, despite no longer being part of the EU, its primary data protection legislation, the DPA, is supposed to be read alongside the UK GDPR. For organizations hoping to be in complete compliance with the UK’s data protection framework, this can pose a challenge.

Securiti aims to alleviate that issue.

Securiti has built a reputation in the privacy industry by providing enterprises with reliable data compliance and governance solutions. These solutions include DSR automation, cookie management, vendor risk assessments, and data mapping.

Request a demo today and learn more about how Securiti can aid your data compliance efforts in the UK.


Frequently Asked Questions (FAQs)

The Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) are key components of the UK's data protection framework. The DPA 2018, as national legislation, complements the General Data Protection Regulation (GDPR) and extends its coverage to include areas like national security and immigration control. In contrast, the UK GDPR is a localized version of the GDPR, designed to operate independently in the UK context while maintaining core GDPR principles. Together, these regulations form a comprehensive framework for data protection in the United Kingdom.

Both the DPA 2018 and GDPR apply to organizations that process personal data in the United Kingdom. The UK GDPR also extends its jurisdiction to organizations outside the UK if they process the personal data of UK residents.

The UK follows both UK GDPR and the Data Protection Act 2018. The DPA 2018 incorporates GDPR into UK law and adds further provisions for specific purposes.

The UK GDPR is defined and outlined within the provisions of the Data Protection Act 2018, which incorporates the principles and requirements of the EU GDPR into UK law post-Brexit.
