
UK GDPR Compliance
UK GDPR obligations, lawful basis and compliance programmes
UK GDPR compliance is the foundation of lawful data handling in the UK. Organisations that get this right find it becomes a business enabler: it removes friction from partnerships, builds customer trust, and keeps regulators at arm’s length. Those that skip the basics or treat it as a compliance theatre exercise tend to face serious consequences, from ICO enforcement action to reputational damage and operational disruption. We help organisations build a working compliance programme that actually fits how they operate, rather than a documentation system that sits on a shelf.
When UK GDPR compliance becomes a live issue
Compliance is a constant discipline, but certain events force a serious rethink of your data handling architecture. A new product launch that relies on data analytics or personalisation will reveal whether your consent and lawful basis framework is fit for purpose. Mergers and acquisitions due diligence always surfaces gaps in data handling records and processor agreements, sometimes revealing risks that affect valuation or deal timing. Regulatory investigations, whether from the ICO or another regulator, make compliance urgent and leave no room for shortcuts. AI deployment in particular has exposed weak spots in many organisations’ data governance: feeding systems with training data requires a clear lawful basis, impact assessment and sometimes consent, and many teams have discovered their data roadmap was not fit for an AI context.
Cross-border expansion introduces a second dimension: if you operate in the EU or EEA, you are subject to GDPR as well as UK GDPR, and the two are not identical. Board-level accountability demands have intensified as institutional investors and governance codes place data protection squarely in the remit of directors and executive committees. These events force compliance from the margins into the boardroom where it belongs.
Why UK GDPR compliance matters now
The regulatory environment shifted in February 2026 with the Data Use and Access Act 2025 (DUAA). The Act introduced three material changes that have reshaped the compliance landscape. First, Article 6(1)(ea) UK GDPR now recognises a list of legitimate interest purposes that are pre-approved: safeguarding national security, responding to emergencies, crime investigation and a handful of others set out in Schedule 4 of the DUAA. For these specified purposes, organisations can process without the balancing test that ordinarily applies to Article 6(1)(f) legitimate interests. The practical effect is significant: compliance officers can move away from conducting lengthy legitimate interest assessments for certain routine processing activities and reduce the risk of challenge.
Second, the standard for searches in response to data subject access requests (DSARs) has been codified into statute. Article 15(1A) UK GDPR, inserted by section 78 DUAA, now mandates only a “reasonable and proportionate” search for personal data in response to access requests. Previously, this was ICO guidance. It is now law, and it gives organisations a clearer boundary for the effort they must invest in search and retrieval.
Third, the DUAA created a new statutory right for individuals to complain directly to organisations about data protection issues before escalating to the ICO. From 19 June 2026, controllers must acknowledge complaints within 30 days and investigate without unjustifiable delay. This is not a trivial administrative requirement: organisations without a complaints handling framework already in place need to design one now.
ICO enforcement trends have sharpened simultaneously. In 2025, the ICO issued fines totalling £19.6 million from seven cases, with the Capita settlement at £14 million standing as a marker of the scale of penalties now in play. The average fine has jumped from £150,000 in 2024 to £2.8 million in 2025. What is more significant than the headline figures is the pattern: two-thirds of the 2025 fines were issued for data security failures following cyber attacks, signalling a clear enforcement priority. Yet the ICO has also introduced a settlement framework under which early resolution can attract discounts of up to 40%, with 30% available after notice of intent and 20% after written representations. This structure has forced a reckoning: organisations can no longer simply dispute and defend. The incentive is to engage early and settle if appropriate.
Where organisations get UK GDPR compliance wrong
The most common failure is a conceptual one: treating compliance as a documentation exercise rather than an operational discipline. This looks like ticking boxes on an audit, filing privacy notices in a shared drive, and assuming that the paperwork equates to lawful practice. It does not. Lawfulness is about what you actually do with data, not what you say you will do. An organisation with a pristine ROPA and a detailed privacy notice that simultaneously fails to delete data when a contract expires, or processes employee data without considering proportionality, is not compliant in any meaningful sense.
The second failure is over-reliance on consent where legitimate interests would be more appropriate. Consent is strict: it must be freely given, specific, informed and granular. Yet many organisations default to consent for everything because it feels safer. The DUAA, ironically, has made legitimate interests easier to use, not consent harder. Treating every processing activity as requiring affirmative consent creates friction, drives poor user experience and often fails the “freely given” test when consent is a condition of service. Good compliance means asking whether consent is actually necessary, or whether legitimate interests under Article 6(1)(f) or the new recognised interests under Article 6(1)(ea) are more proportionate.
A third failure is privacy notices that satisfy no one. They are either so detailed that they are incomprehensible, or so vague that they disclose nothing of value. The DUAA did not change the requirements of Articles 13 and 14 UK GDPR, but it did make the regulator more active in enforcement. A privacy notice should tell a data subject in plain language what you do, why, how long you keep the data, and what rights they have. It should be specific to your actual processing, not a template lifted from another industry or copied from a competitor.
DPO appointments that lack genuine independence represent a fourth failure. Many organisations treat the DPO role as a box-ticking requirement, appointing someone with conflicting responsibilities as head of IT or chief compliance officer. The GDPR requires a degree of autonomy and independence. The ICO now examines this closely during investigations. A DPO without the seniority or resource to challenge a business decision is a DPO in name only.
Records of processing activities (ROPAs) that are created once and never updated are a fifth common weakness. A ROPA is not an artefact produced for a second-line review or a regulator’s investigation and then forgotten. It should be a living document that reflects how data is actually processed today. If you cannot take your ROPA and trace a current data flow on it, it is out of date and worse than useless.
Finally, many organisations engage in what might be called cookie compliance theatre: banner redesigns and cookie preference centres that satisfy the letter of the Privacy and Electronic Communications Regulations (PECR) but not the spirit. They present deliberately confusing choice mechanisms or make it harder to reject cookies than to accept them. The ICO has begun to treat these practices as an enforcement matter, and the reputational cost of a public reprimand now often exceeds the cost of a fine.
The overarching misreading of ICO enforcement is a subtle but important one. Organisations tend to focus on the quantum of fines and miss the real risk. An ICO investigation produces not just a fine but an enforcement notice requiring specific corrective action, a public decision, reputational damage and often mandatory third-party auditing. The indirect costs of enforcement are often larger than the fine itself, and the operational disruption is significant. This should concentrate minds more than the headline fine figure alone.
| Common issue | Better approach |
|---|---|
| Treating compliance as a documentation exercise | Operational discipline tied to actual data handling |
| Over-relying on consent as a lawful basis | Lawful basis aligned with genuine data flows |
| Privacy notices that no one reads | Clear, proportionate notices reflecting real processing |
| DPO appointed for box-ticking | DPO positioned as strategic advisor with genuine independence |
| Processing records created once and shelved | Living records updated as processing activities change |
| Breach response drafted but never tested | Tested breach protocols with defined escalation routes |
What good UK GDPR compliance looks like
Good compliance, in our view, starts with understanding what you actually do with data. Not what your templates say you do, or what the chief information officer thinks you do, but what the evidence shows. This means mapping your lawful basis against your actual data flows: when you process employee data, when you send data to third parties, when you retain it beyond the original purpose, when you use it for analytics or AI. For each flow, you assign a lawful basis that is genuinely justified and defensible. Where you rely on legitimate interests, you document the assessment and ensure you can point to a balancing test if challenged. Where you use the recognised interests under Article 6(1)(ea), you ensure the processing falls squarely within one of the listed purposes and that you have logged this decision.
Privacy programme design should reflect the organisation’s actual risk profile. A small marketing business has different risks from a healthcare provider or a payments processor. Good compliance means building governance, impact assessment and audit processes that are proportionate to your data footprint and your sector. It means investing in training that teaches people why they are complying, not just what the rules say. It means making your DPO a strategic advisor, not a gatekeeper who slows down business decisions.
Controller and processor allocation should be based on actual data flows and decision-making authority, not what contracts say. The ICO investigates this closely. If you are the one deciding what data to process and how, you are the controller, regardless of contract labels. Good compliance requires honest mapping of who controls what, often with legal advice, and documented processor agreements that genuinely reflect the relationship.
DSAR response frameworks must now work within the “reasonable and proportionate” standard introduced by the DUAA. This means designing a search protocol that balances the data subject’s right to access with the practical burden of retrieval. You should be able to articulate why a particular search was proportionate to the request. For complex organisations with multiple legacy systems, this requires planning.
Breach preparedness is increasingly a data protection function. You need a plan that covers not just UK GDPR notification (to the ICO within 72 hours of becoming aware of the breach, with any delay needing to be justified) but also cross-regime notification where relevant: PECR for customer communications, Network and Information Systems (NIS) Regulations for critical infrastructure, FCA rules for financial services, and others depending on your sector. The regulator’s settlement framework means that early notification and demonstrable remediation can affect the outcome of an investigation.
When to instruct specialist data protection counsel
The boundary is reasonably clear. Your internal teams should handle day-to-day compliance: GDPR compliance audits, processor agreements, DPA templates, training, DSAR processes and breach response. These are the working routines of the discipline. Specialist counsel becomes necessary when the stakes change or the law intersects with business-critical decisions.
An ICO investigation or the prospect of one demands specialist involvement. The investigation process is technical, the implications are material, and the opportunity to influence the outcome is time-limited. An adverse decision can alter the regulatory relationship with your organisation permanently. This is not a moment for internal teams without investigation experience to learn on the job.
Complex legitimate interest assessments, particularly where the interests are marginal or the balancing test is finely balanced, benefit from external input. Counsel experienced in ICO challenge and regulatory precedent can help you navigate the tension between commercial need and regulatory constraint. This is particularly acute in marketing, AI and analytics contexts where the case law is still developing.
Cross-border processing architectures and international transfer compliance require counsel who understands not just UK GDPR but EU GDPR, sector-specific regulations in other jurisdictions, and the FCA or PSR rules if payments or financial services are involved. The adequacy decision landscape is complex; the standard contractual clauses are periodically challenged; and the compliance burden is significant.
DUAA 2025 implementation for many organisations means rethinking data handling practices, lawful basis mapping and privacy notices. For organisations that process at scale or in regulated sectors, external counsel can help identify which of your processing activities fit into the new recognised interests and which require a fresh legal basis assessment. This can be a significant project.
AI governance frameworks are now a data protection function, not a separate ethics exercise. If you are deploying large language models, training neural networks or using any form of algorithmic decision-making, you need to ensure that data protection compliance is baked into the architecture from the outset. This requires counsel with expertise in both data protection and AI regulation.
Finally, transactions where data protection risk affects valuation or deal timing warrant specialist input. Mergers, acquisitions, joint ventures and the sale of data-dependent assets all require due diligence on data handling practices, regulatory history and compliance risk. A compliance gap discovered in transaction phase can materialise as a dispute, an earn-out adjustment or even a deal break.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a Band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category (source: Chambers)
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms) (source: The Legal 500)
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data (source: Lexology)
Frequently asked questions about UK GDPR compliance
What is the difference between a recognised legitimate interest under the DUAA and the ordinary legitimate interests ground under Article 6(1)(f)?
Recognised legitimate interests, listed in Schedule 4 of the DUAA and set out in the new Annex 1 to the UK GDPR, are pre-approved purposes for which the balancing test that ordinarily applies to Article 6(1)(f) does not apply. They include national security, crime investigation, emergency response and safeguarding vulnerable individuals. If your processing falls within one of these purposes, you do not need to conduct a full legitimate interest assessment. Ordinary Article 6(1)(f) processing requires a documented balancing test weighing your interests against the rights and freedoms of the data subject. The recognised interests framework is a regulatory shortcut for certain approved purposes.
How do I know if my search for personal data in response to a DSAR is “reasonable and proportionate” under the new Article 15(1A) standard?
The statute does not define “reasonable and proportionate” with precision; this will develop through ICO guidance and case law over the coming years. As a working principle, you should be able to articulate why you chose a particular search scope and why broader searches would have been disproportionate. Factors include the nature of the request, the size and complexity of your systems, the burden of retrieval and the legitimate interests of the organisation. Document your search protocol and your decision-making. If challenged, you should be able to defend the boundary.
What happens if I miss the 30-day deadline for acknowledging a data protection complaint under the DUAA?
The DUAA requires acknowledgement within 30 days from the day after the complaint is received. The day count runs regardless of weekends and public holidays, though if the 30th day falls on a non-working day, you can send the acknowledgement on the next working day. If you miss this deadline, you are in breach of your obligation under section 164A Data Protection Act 2018 (as amended by the DUAA). The ICO may take enforcement action if complaints are consistently not acknowledged on time. You should treat this as a hard deadline and build the acknowledgement into your operational process immediately.
Can I still use consent as my lawful basis if I prefer not to rely on legitimate interests?
Yes, consent remains a lawful basis under Article 6(1)(a) UK GDPR and the DUAA did not change this. However, consent is a higher hurdle than legitimate interests: it must be freely given, specific, informed and granular. It cannot be a condition of service unless the processing is necessary to provide that service. Many organisations have discovered that what they thought was consent is actually just a privacy notice. If legitimate interests, including the new recognised interests, are available and proportionate, they are often a better fit than stretched consent. Counsel can help you map which processing activities genuinely need consent and which do not.
Do I need to update my processor agreements now that the DUAA has come into force?
You should review your processor agreements to ensure they reflect the current state of the law and your actual processing activities. The DUAA itself does not mandate changes to existing agreements, but if you have not revisited your data processing agreement template since 2018, you should do so. The framework for what should be in a DPA is set out in Articles 28 and 32 UK GDPR and has not changed materially. However, if you have added processors, changed the scope of processing or added requirements around international transfers or sub-processing, your agreements should be updated to reflect this.
If the ICO is investigating me, must I disclose the legal advice I have received from a lawyer, or is it privileged?
Legal professional privilege exists in UK law and applies to communications between you and a lawyer made for the purpose of obtaining legal advice. If the ICO requests disclosure of documents during an investigation, you can claim privilege over legal advice provided by your lawyer. However, privilege does not cover factual documents, correspondence with third parties, or your own internal deliberations. It also does not cover advice from non-lawyers. If the ICO issues a notice to produce documents under section 16 DPA 2018, you must comply unless privilege applies to the specific document. This is why it matters to work with counsel early: privilege can attach to the investigation file and give you protection in negotiations.
Representative experience
Recent and representative matters include:
- Designed and implemented a UK GDPR compliance programme for a telecoms operator processing customer communications data, location data and traffic data across fixed and mobile networks.
- Advised a fintech on its Article 6 lawful basis analysis for open banking data processing, including the application of legitimate interests assessments under Article 6(1)(f).
- Conducted a gap analysis against the Article 5 processing principles and Article 30 record of processing activities requirements for a SaaS provider handling multi-jurisdictional personal data.
- Advised on the ICO’s enforcement approach following a data subject complaint, preparing representations to the Commissioner and securing closure without formal action.
- Reviewed and restructured a data governance framework for a PE portfolio company, addressing controller/processor relationships under Article 28 and international transfer mechanisms under Articles 44 to 49.
Related data protection pages
See also our other data protection pages:
- Data Protection Impact Assessments
- UK/EU Data Protection Divergence
- Data Breach Response and ICO Notification
- PECR and ePrivacy
- Data Governance, Transfers and Accountability
- AI and Automated Decision-Making
- Sector-Specific Data Protection
See also: SaaS and Cloud Services.
