
UK GDPR and Regulatory Compliance

UK GDPR compliance, controller obligations, data subject rights and ICO enforcement

UK GDPR compliance is a core requirement for any organisation processing the personal data of individuals in the United Kingdom. The UK General Data Protection Regulation (UK GDPR), retained in domestic law under the European Union (Withdrawal) Act 2018, operates alongside the Data Protection Act 2018 (DPA 2018) and the Data Use and Access Act 2025 (DUAA) to form the UK data protection framework. The Information Commissioner’s Office (ICO) is the supervisory authority responsible for monitoring and enforcing compliance.

bratby.law advises controllers and processors on building and maintaining compliant data protection programmes. Our work covers the full lifecycle: from lawful basis assessments and privacy notices through to breach response and ICO engagement. For wider context on our data protection practice, see Data Protection.

The UK data protection framework

The UK GDPR sets out seven principles for lawful processing of personal data under Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Controllers must demonstrate compliance with each principle, not merely assert it.

The DUAA, which received Royal Assent in November 2025, amends elements of the DPA 2018 and introduces new provisions on recognised legitimate interests (inserting a new Annex 1 to the UK GDPR listing recognised legitimate interests for which no balancing test is required), reforms to automated decision-making under Article 22, and a new framework for smart data schemes. It does not replace the UK GDPR but supplements it. The ICO has published transitional guidance on the DUAA provisions as they come into force.

Organisations must identify and document a lawful basis under Article 6 for each processing activity. Where special category data is processed, an additional condition under Article 9 and Schedule 1 of the DPA 2018 must be met. Consent, where relied upon, must be freely given, specific, informed and unambiguous, and must be as easy to withdraw as to give.

Data subject rights under the UK GDPR

The UK GDPR confers extensive rights on individuals. Controllers must have documented procedures for receiving, verifying and responding to requests within the statutory time limits. The core rights are:

The right of access under Article 15 entitles individuals to confirmation of whether their personal data is being processed and, if so, a copy of that data together with supplementary information. Controllers must respond within one calendar month, extendable by two months for complex or numerous requests. The ICO has emphasised that controllers should not use exemptions as a default and must apply them on a case-by-case basis.

The right to erasure under Article 17 applies where personal data is no longer necessary for its original purpose, where consent has been withdrawn, or where processing is unlawful. The right to rectification under Article 16 requires controllers to correct inaccurate personal data without undue delay. The right to restrict processing under Article 18 imposes further obligations on controllers, as does the right to data portability under Article 20, which applies to personal data the individual has provided and which the controller holds in a structured, commonly used and machine-readable format.

Rights relating to automated decision-making, including profiling, are set out in Article 22. The DUAA introduces amendments to the Article 22 regime, replacing the existing prohibition on solely automated decisions with a new framework requiring meaningful human involvement and appropriate safeguards. For detailed analysis, see our page on AI and Automated Decision-Making.

International data transfers

Cross-border transfers of personal data to third countries remain one of the most complex areas of UK GDPR compliance. Controllers must ensure an adequate level of protection for personal data exported outside the UK. The lawful transfer mechanisms under Chapter V of the UK GDPR include: UK adequacy regulations issued by the Secretary of State under Article 45; the International Data Transfer Agreement (IDTA) and the UK Addendum to EU Standard Contractual Clauses; binding corporate rules approved by the ICO; and derogations under Article 49 for specific situations.

Where a transfer relies on the IDTA or UK Addendum, the exporter must carry out a Transfer Risk Assessment (TRA) evaluating the legal framework and practical enforcement environment in the recipient country. The DUAA maintains the existing adequacy and safeguards framework while giving the Secretary of State additional powers to recognise new transfer mechanisms. For detailed transfer governance advice, see Data Governance, Transfers and Accountability.

Data breach notification and ICO enforcement

Under Articles 33 and 34 of the UK GDPR, controllers must notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk, affected individuals must also be informed directly.

The ICO has the power to issue enforcement notices, reprimands, and administrative fines of up to the higher of 17.5 million pounds or 4% of annual worldwide turnover under Article 83. Recent ICO enforcement activity has focused on inadequate security measures, failure to conduct DPIAs, and non-compliant direct marketing. Effective breach preparedness, including documented incident response plans and tabletop testing, is essential.

How bratby.law helps with UK GDPR compliance

Our UK GDPR compliance services include:

  • Compliance programme design and audit: gap analysis against UK GDPR requirements, prioritised remediation plans and board-level reporting
  • Lawful basis assessments: Article 6 and Article 9 analysis for processing activities including direct marketing, profiling and employee monitoring
  • Privacy notices and consent frameworks: drafting and reviewing fair processing information, cookie policies and consent mechanisms
  • Data subject rights procedures: designing internal workflows for access requests, erasure requests and portability under statutory time limits
  • International data transfer assessments: IDTA implementation, Transfer Risk Assessments and binding corporate rules applications
  • Data breach response: incident assessment, ICO notification drafting, individual communications and post-incident review
  • ICO engagement and enforcement defence: responding to ICO audits, assessment notices and enforcement action
  • Processor and controller agreements: drafting and negotiating data processing agreements, data sharing agreements and joint controller arrangements under Article 28

Book a call to discuss your UK GDPR compliance requirements.

Frequently asked questions about UK GDPR compliance

What is the difference between the UK GDPR and the EU GDPR?

The UK GDPR is the version of the EU General Data Protection Regulation retained in UK law after Brexit under the European Union (Withdrawal) Act 2018. Its substantive provisions mirror the EU GDPR, but it operates within the UK’s own regulatory framework, supervised by the ICO rather than EU data protection authorities. The Data Use and Access Act 2025 introduces UK-specific amendments that create further divergence from the EU regime.

When do I need to conduct a Data Protection Impact Assessment?

A DPIA is required under Article 35 of the UK GDPR where processing is likely to result in a high risk to individuals’ rights and freedoms. This includes systematic and extensive profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. The ICO has published a list of processing operations that require a DPIA. Good practice is to conduct a DPIA for any new processing activity involving personal data at scale or using new technologies.

What are the penalties for non-compliance with the UK GDPR?

The ICO can impose fines at two tiers. The standard maximum is the higher of 8.7 million pounds or 2% of annual worldwide turnover for breaches of controller and processor obligations. The higher maximum is the higher of 17.5 million pounds or 4% of annual worldwide turnover for breaches of data processing principles, data subject rights and international transfer requirements. The ICO also has powers to issue enforcement notices, reprimands and assessment notices.

How has the Data Use and Access Act 2025 changed UK data protection law?

The DUAA introduces several changes to the UK data protection framework. Key provisions include a list of recognised legitimate interests for which no balancing test is required, reforms to the automated decision-making regime under Article 22, a new framework for smart data schemes, changes to the ICO’s governance structure, and provisions on digital verification services. The core principles and rights framework of the UK GDPR remains in place. The DUAA provisions are being brought into force in stages through commencement regulations.

Do I need a Data Protection Officer?

Under Articles 37 to 39 of the UK GDPR, a DPO must be appointed where the organisation is a public authority, where core activities involve regular and systematic monitoring of individuals on a large scale, or where core activities involve large-scale processing of special category data. Even where a DPO is not legally required, appointing one or designating a data protection lead is good practice and demonstrates accountability. For organisations that need senior data protection support without a full-time appointment, see our Fractional General Counsel service.

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

  • Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category
  • The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms)
  • Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader)


Related data protection pages

See also: Data commercialisation and licensing and SaaS and Cloud Services.