UK data protection law is set out in the UK GDPR, the General Data Protection Regulation as retained in domestic law following the United Kingdom’s exit from the European Union, and the Data Protection Act 2018. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 and came into force in stages from 5 February 2026, has amended both instruments in ways that are now operationally live. Controllers and processors operating in the United Kingdom are subject to a regime that diverges materially from the EU GDPR, and that divergence is continuing.

The practical scope of UK GDPR compliance work covers the six lawful bases for processing (including the recognised legitimate interests introduced by the DUAA), transparency and privacy notice obligations, retention period governance, international data transfers, technical and organisational security measures, personal data breach notification to the ICO and affected data subjects, responding to access requests and other rights requests, carrying out data protection impact assessments before high-risk processing begins, and building the accountability documentation required under Article 5(2) and Article 30. For regulated businesses in telecoms, payments, and PE-backed fintech, those obligations sit on top of sector-specific requirements dealt with separately below.

What this practice area covers

The Data Protection practice area addresses the full range of UK GDPR and DPA 2018 obligations. The pages below cover discrete topics within it:

  • AI and Automated Decision-Making: the Articles 22A to 22D UK GDPR framework introduced by DUAA 2025, replacing the original Article 22 prohibition on solely automated decisions.
  • Data Governance, Transfers and Accountability: Article 5 accountability, Article 30 records of processing, and international data transfer mechanisms including transfer risk assessments.
  • Sector-Specific Data Protection: how UK GDPR obligations interact with sectoral regulation in telecoms (PECR, CA 2003), payments (PSRs 2017, FCA rules), and financial services.
  • Data Breach Response: Article 33 and Article 34 notification obligations, the ICO breach portal, and breach management.
  • PECR and e-Privacy: the Privacy and Electronic Communications Regulations 2003 as amended, including the revised penalty regime.
  • DPIAs: the Article 35 assessment process, prior consultation with the ICO under Article 36, and when a DPIA is required in practice.
  • UK/EU Divergence: the growing gap between the UK and EU regimes and the implications for businesses operating across both.

What the DUAA 2025 changed

The DUAA amended the UK GDPR and DPA 2018 across several areas that are already in force. DUAA Schedule 4 inserted a new Annex 1 into the UK GDPR (pursuant to section 70(6) of the Act), establishing a list of recognised legitimate interests. Those are categories of processing which satisfy the Article 6(1)(ea) UK GDPR basis without requiring a controller to carry out a balancing test. The DUAA also replaced Article 22 UK GDPR with a new Articles 22A to 22D framework for automated decision-making. The new framework differs structurally from the EU position and introduces specific transparency and human intervention rights. The DUAA further amended the international transfer framework, and made changes to the research, archiving, and statistics provisions, including amendments to the Article 14(5) disproportionate effort exemption on indirect collection transparency. These are substantive changes to day-to-day compliance practice.

The DUAA also introduces a mandatory controller complaints procedure. New sections inserted into the DPA 2018 by the DUAA require controllers to acknowledge and substantively respond to data subject complaints within prescribed timescales. Those provisions come into force on 19 June 2026, under the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026 (SI 2026/82). Controllers, including those in telecoms and payments sectors, need documented complaint-handling procedures in place before that date. The ICO has indicated it will treat a controller’s complaint procedure, or the absence of one, as a factor in regulatory assessment from that date forward.

How Bratby Law helps

For discrete compliance questions, such as a lawful basis review, an Article 35 DPIA, a response to an ICO information notice, or advice on a specific international transfer mechanism, we provide direct legal advice against a defined scope and timetable. Rob Bratby is recognised as a Lexology Global Elite Thought Leader for data protection, and brings the regulatory depth and commercial judgment that in-house teams need when facing a specific decision under time pressure.

For organisations with generalist technology, media, and telecommunications counsel but no dedicated data protection specialist, we act as specialist co-counsel. We take the data protection workstream, work within the client’s existing outside counsel relationship, and produce analysis the lead firm can rely on without building its own UK privacy capability.

For businesses that require ongoing data protection leadership, a fractional DPO function, an in-house programme to prepare for the 19 June 2026 complaints obligations, or continuous advisory support as the post-DUAA ICO guidance develops, we operate as Fractional General Counsel. That structure gives regulated businesses access to experienced general counsel judgment on data protection, at a cost and commitment level suited to businesses that do not require a full-time appointment.

Primary sources

To discuss a specific data protection matter, contact us to arrange an introductory call.