For a legal system notorious for its simplicity, the UK’s data protection law regime is surprisingly patchy and complex. Spread across different legislation, regulations, and retained EU law, getting to grips with the UK data protection laws may seem daunting at first.
In this article, we will unpack the complex structure of the UK data privacy law regime and help you understand how the UK GDPR, the PECR, and the UK Data Protection Act 2018 govern the processing of personal data by organisations like yours.
UK data protection law overview

Establishing and implementing a robust data protection compliance framework begins with identifying and understanding the applicable legal and regulatory instruments.
Accordingly, gaining a clear picture of the UK data protection regime is the first step in building an effective privacy compliance programme.
In the UK, the two principal pieces of legislation governing the processing of personal data are:
- The UK General Data Protection Regulation (UK GDPR); and
- The Data Protection Act 2018 (DPA 2018).
While the UK GDPR is the primary law governing the processing of personal data, the DPA 2018 supplements it by setting out national derogations, exemptions, and ICO enforcement provisions.
Below, we provide a high-level overview of each of the data privacy laws and regulations that apply in the UK.
UK GDPR
The UK GDPR is the primary law that governs how organisations can process individuals’ personal data and the rights individuals can exercise in relation to it.
For example, Article 6 of the UK GDPR requires organisations to identify a lawful basis for processing individuals’ personal data. Similarly, it imposes various other requirements on organisations, such as conducting a data protection impact assessment for certain high-risk processing activities and complying with the international data transfer rules.
While it is the primary legislation that applies to the processing of personal data by organisations, you cannot get a full grasp of the UK GDPR without considering the supplementary provisions in the DPA 2018.
UK Data Protection Act 2018 (DPA 2018)
Alongside the UK GDPR, the UK Data Protection Act 2018 (DPA 2018) is another piece of legislation that regulates the processing of personal data by supplementing the UK GDPR.
For example, Part 2 of the DPA 2018 defines certain terms such as “public authority” and “public body”. Furthermore, section 10 of the DPA 2018 provides that organisations may process special categories of data in reliance on one of the conditions set out in Schedule 1 to the DPA 2018.
In addition to supplementing the UK GDPR, the DPA 2018 addresses the processing of personal data in other contexts:
- Part 3 of the DPA 2018 regulates the processing of personal data for law enforcement purposes.
- Part 4 governs the handling of personal data in the context of national security.
- Parts 5 and 6 of the DPA 2018 set out the role and certain functions of the Information Commissioner’s Office, and create criminal offences, such as unlawful obtaining or re-identification of personal data.
PECR (Privacy and Electronic Communications Regulations)
While technically not a data protection law, the Privacy and Electronic Communications Regulations (PECR) are highly relevant to organisations’ privacy and marketing compliance efforts because they govern the consent requirements for cookies and similar technologies, as well as electronic marketing, subject to certain exceptions.
DUAA (Data Use and Access Act 2025)
The Data Use and Access Act 2025 (DUAA) is legislation that has brought long-awaited reforms to the UK data protection law regime by amending the UK GDPR, PECR, and the Data Protection Act 2018.
To illustrate, the DUAA introduced a more permissive regime for automated decision-making and profiling, removed prior consent requirements for certain types of cookies, increased penalties for violations of the PECR, and introduced rules on smart data schemes.
Key data protection principles in the UK Law
Every right afforded to individuals and every obligation imposed on organisations can be traced back to the seven key principles of the UK GDPR, which are outlined in Article 5 of the UK GDPR:
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
- Purpose limitation: An organisation may collect and use personal data only for legitimate, explicit, and specified purposes. Additionally, personal data must not be processed for incompatible purposes.
- Data minimisation: Organisations must limit the types and amount of data they process to what is necessary, and must ensure that data processing is adequate and relevant to the purposes for which they collect and use personal data.
- Data accuracy: Organisations must take every reasonable step to ensure personal data is accurate and, where necessary, kept up to date, and must rectify or erase inaccurate data without delay.
- Data storage limitation: Organisations may store personal data only for as long as it is necessary for the purposes of the data processing.
- Integrity and confidentiality of personal data: Organisations must implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: The accountability principle is the overarching principle of the UK GDPR, requiring organisations to demonstrate compliance with the six key principles outlined above.
If you fail to comply with these seven key principles of the UK GDPR, the UK Information Commissioner’s Office may impose a fine of up to £17.5 million, or 4% of an organisation’s total worldwide annual turnover, whichever is higher.
Lawful bases for processing under Article 6 of the UK GDPR
Under Article 6 of the UK GDPR, data controllers must identify and rely on one of the seven lawful bases before collecting and processing personal data. These lawful bases are “consent”, “contractual necessity”, “legal obligation”, “vital interests”, “public interest”, “recognised legitimate interest”, and “legitimate interest”.
Contrary to the popular misconception that consent is the primary lawful basis under the UK GDPR, there is actually no formal hierarchy between these seven lawful bases, and organisations may rely on any one of them to justify the processing of personal data, provided that the processing is necessary for a particular purpose and the selected legal basis applies to the processing activity.
Put simply, you should choose the most appropriate lawful basis, not the one that seems easiest.
Furthermore, you should explain the applicable lawful basis for each data processing activity/purpose in your privacy policy.
How to process special categories of data under the UK GDPR?

Under the UK GDPR, processing of special categories of data, such as data revealing race, ethnic origin, political opinions, health data, or genetic data, deserves a higher degree of protection due to the risks to the rights and freedoms of individuals.
Therefore, Article 9 of the UK GDPR requires that organisations rely on one of the specific conditions outlined in it, in addition to a lawful basis under Article 6 of the UK GDPR.
Under Article 9 of the UK GDPR, ten specific conditions may allow you to process special category data. Here are a few examples of the specific conditions that may justify the processing of sensitive data, explained in a simplified way:
- Explicit consent: If the data subject gives explicit consent to the processing of special categories of personal data, the data may be processed.
- Special categories of data manifestly made public: If the special category data has been manifestly made public by the data subject, it may be processed.
- Processing for preventive medicine or the provision of health care: If processing sensitive data is necessary to provide health care or for preventive medicine, this condition may apply.
When you consider whether one of the conditions outlined in Article 9 UK GDPR applies to your processing, you must take into account the Data Protection Act 2018’s supplementary provisions.
Schedule 1 to the DPA 2018 lists conditions that may justify the processing of sensitive data. For example, if you intend to rely on the “substantial public interest” condition to process special categories of data, you should consider the applicability of one of the special conditions listed in Schedule 1. These include “prevention of fraud”, “safeguarding of children”, or “journalism in connection with unlawful acts”.
Rights of the data subject in UK privacy laws
The UK GDPR empowers individuals by granting them certain rights regarding the processing of their personal data. Chapter III of the UK GDPR lists the data subject rights:
Right to be informed
Articles 13 and 14 of the UK GDPR oblige organisations to provide certain information to data subjects, with the required disclosures depending on whether the data is collected directly from the data subject or obtained from another source.
For instance, if data is collected directly from data subjects, the data controller must provide details such as the identity of the data controller, the purposes and legal bases of data processing, and the categories of recipients of personal data.
Right to access personal data
Individuals have the right to ask whether you process their personal data. Furthermore, they have the right to obtain a copy of their personal data and other details concerning the processing.
These details include the purposes and legal bases of processing, the categories of data you process, and the third-party recipients of personal data.
Right to rectification
The data subject may submit a request for the rectification of any inaccuracy in his/her personal data.
Right to erasure of personal data
A data subject may request the erasure of his/her data if one of the grounds outlined in Article 17 of the UK GDPR applies.
Right to restriction of processing
Under certain circumstances, a data subject may request the restriction of the processing of his/her personal data.
Right to data portability
A data subject has the right to receive his/her personal data from a data controller in a structured, commonly used, and machine-readable format, and to request that the data be transmitted to another data controller.
Right to object
Individuals may object to the processing of their personal data at any time if the processing is based on public interest, recognised legitimate interest, or another lawful basis under Article 6(1) of the UK GDPR, subject to certain exceptions.
Right not to be subjected to automated decision-making, including profiling
Under Article 22 of the UK GDPR, as amended by the DUAA, organisations may carry out solely automated decision-making that produces legal or similarly significant effects, provided that appropriate safeguards are in place, such as the right to obtain human intervention. Where special category data is involved, stricter requirements still apply.
Cookies and similar technologies under the UK data protection laws
If you run a website, mobile app, or any online service, compliance with cookie and consent requirements should be a key part of your UK data protection strategy.
In the UK, the PECR are the primary legal framework governing the use of cookies and similar technologies, including web beacons, device fingerprinting, and SDKs. Under the PECR, you must obtain prior, UK GDPR-compliant consent before using cookies or similar technologies to store information on, or access information stored on, a user’s equipment.
There are two established exemptions to this rule. Consent is not required where storing or accessing information on a user’s device is:
- solely for the purpose of transmitting a communication over an electronic communications network; or
- strictly necessary to provide a service explicitly requested by the user.
For instance, cookies used to maintain website security, provide core functionality, or prevent fraud fall within the scope of the “strictly necessary” exemption and do not require consent.
The Data Use and Access Act 2025 introduced additional, limited exceptions to the consent requirement for the storage of and access to information on user equipment. If you use cookies or similar tools for low-risk statistical purposes, or to improve website functionality or appearance, you may not need prior consent from users. However, these exceptions apply only where specific statutory conditions are satisfied, such as giving users the right to opt out, providing a clear and comprehensive privacy notice, and not using the information for further purposes, such as marketing or targeted advertising.
Should you appoint a data protection officer (DPO)?
One of the key UK GDPR obligations that both data controllers and data processors must consider is the appointment of a data protection officer (DPO). Under the UK GDPR, data controllers and processors are not automatically required to appoint a DPO.
However, if a business or organisation engages in certain data processing activities, such as large-scale processing of sensitive data, it must appoint a DPO. Given the threshold triggers for the DPO obligation, most small businesses are unlikely to be required to appoint a DPO.
ICO enforcement and penalties
If you fail to comply with certain UK GDPR provisions, such as data protection by design and by default, you may face penalties of up to £8.7 million or 2% of your undertaking’s total worldwide annual turnover in the preceding financial year.
If your data processing activities fail to comply with key principles of the UK GDPR, such as purpose limitation, consent requirements, international data transfers, or other specified UK GDPR obligations, you may face fines up to £17.5 million or 4% of your undertaking’s total worldwide annual turnover in the preceding financial year.
Similarly, if you violate the PECR, you may face penalties of up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
In addition to monetary penalties for non-compliance with the UK GDPR and the PECR, the UK Data Protection Act 2018 sets out criminal sanctions for certain violations. Under section 170 of the DPA 2018, it is a criminal offence to obtain or disclose personal data without the consent of the data controller.
Practical UK data protection law compliance checklist for businesses

Key obligations of data controllers under the UK GDPR and the PECR
- Compliance with key data protection law principles: Data controllers must comply with the seven key principles of the UK GDPR outlined in Article 5. These include lawfulness of processing, storage limitation, and purpose limitation.
- Legal basis for each processing activity: Article 6(1) of the UK GDPR requires data controllers to justify the processing of personal data on one of the seven lawful grounds.
- Data subject access requests: Data controllers must respond to requests from individuals seeking access to their personal data.
- Data processing agreement: If a data controller instructs a data processor to process personal data, it must enter into a data processing agreement with the data processor that contains the mandatory contractual clauses specified in Article 28 of the UK GDPR.
- Privacy by design and by default: A data controller must embed privacy by design and by default into its processing activities from the outset.
- Data breaches: A data controller must comply with the data breach notification rules and deadlines specified in the UK GDPR.
- Cookie compliance: An organisation or person subject to the PECR must obtain prior, UK GDPR-compliant consent before using cookies and similar technologies, unless one of the exceptions outlined in Schedule A1 to the PECR applies.
How Didomi can help
Compliance with the complex, interconnected web of UK data protection law is challenging and requires a proactive approach. With the entry into force of the DUAA changes on February 5, 2026, certain cookie types no longer require prior consent, and restrictions on automated decision-making have been relaxed.
However, websites, mobile apps, and other online services are still required to provide clear and comprehensive information about the purpose and use of cookies and similar technologies. Furthermore, websites still have to design and implement a cookie consent mechanism that allows users to opt out of cookies and withdraw their consent at any time. Advertising cookies, most third-party trackers, and social-media plugins continue to require prior consent under PECR and the UK GDPR.
Given that the maximum PECR penalty has been raised to £17.5 million or 4% of global turnover, organisations must ensure they correctly classify cookies and maintain a compliant cookie consent mechanism that aligns with these requirements. To discuss your current setup and see how Didomi can help, book a call with one of our experts.
Frequently asked questions
What is the difference between the UK GDPR and the Data Protection Act 2018?
The UK GDPR is the primary law that governs how organisations can process individuals’ personal data and the rights individuals can exercise in relation to it.
Alongside the UK GDPR, the UK Data Protection Act 2018 (DPA 2018) is another piece of legislation that regulates the processing of personal data by supplementing the UK GDPR. In contrast to the UK GDPR, it also addresses other matters, such as the processing of personal data for law enforcement purposes and in a national security context, and it sets out the ICO’s functions and powers.
What are sensitive categories of data under Article 9 of the UK GDPR?
Under Article 9 of the UK GDPR, sensitive categories of data are defined as follows:
“Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.”
What are the monetary penalties under the PECR?
If you violate the PECR, you may face penalties of up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
What are the rights of data subjects under the UK GDPR?
Articles 12 to 23 of the UK GDPR outline the rights of data subjects. These are the right to be informed, the right of access to personal data, the right to rectification, the right to erasure of personal data, the right to restriction of processing, the right to data portability, the right to object, and the right not to be subjected to automated decision-making, including profiling.
Is non-compliance with the Data Protection Act 2018 and the UK GDPR a criminal offence?
The Data Protection Act 2018 creates criminal offences in relation to personal data. For example, unauthorised access to or disclosure of personal data to third parties without the consent of the data controller is a criminal offence. If an employee steals personal data and sells it to a third party, this would constitute a criminal offence under the DPA 2018.
Do I need a data protection officer to comply with the UK data protection laws?
Depending on the scope and purposes of your data processing activities, you may need to appoint a DPO under Article 37 of the UK GDPR.
What legislation governs the right to private and family life in English Law?
Article 8 of the Human Rights Act 1998 governs the right to private and family life.