Overview of UK GDPR

The General Data Protection Regulation (GDPR), adopted in April 2016 and enforceable from 25 May 2018, is the European Union's primary data protection law. Its main objectives were to strengthen individuals' privacy rights, harmonise data protection law across the EU, and regulate international transfers of personal data. After Brexit the regulation was retained in domestic law as the UK GDPR, which is read alongside the Data Protection Act 2018. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, amends the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), and represents the most significant change to UK data protection law since the UK GDPR took effect.

UK GDPR Timeline
14 April 2016: European Parliament gives final approval to the GDPR (Regulation (EU) 2016/679)
25 May 2018: GDPR becomes enforceable across the EU, including the UK
01 January 2021: UK GDPR takes effect as retained EU law at the end of the Brexit transition period
23 October 2024: Data (Use and Access) Bill introduced in the House of Lords
19 June 2025: Data (Use and Access) Act 2025 (DUAA) receives Royal Assent and becomes law
Mid-2026 (anticipated): remaining provisions brought into force in phases by commencement regulations, completing the reforms

UK’s data protection and key legislative frameworks

The DUAA loosens the UK GDPR's restrictions on solely automated decision-making (the former Article 22 regime). Decisions with legal or similarly significant effects may now be made by automated means, including AI systems, in sectors such as recruitment, credit scoring, performance management and customer service, provided safeguards are in place: the individual must be told that the decision was automated, be able to make representations, and be able to obtain human intervention and contest the decision. The stricter rules continue to apply where the decision is based on special category data.

The DUAA also introduces a new lawful basis, "recognised legitimate interests", for a closed list of specified purposes such as national security, public security and defence, responding to emergencies, detecting and preventing crime, and safeguarding vulnerable individuals. When processing for one of these purposes, organisations no longer need to carry out the legitimate-interests balancing test weighing their interests against individuals' rights and freedoms; for all other legitimate-interests processing the balancing test still applies. Researchers conducting scientific studies may now obtain broad consent covering a related area of research, rather than separate consent for each project. The Act also relaxes the PECR consent requirement for specific low-risk uses of storage and access technologies (cookies and similar technologies), such as those used purely for statistical analysis of a service or for remembering a user's display preferences.

The DUAA's objectives explicitly include promoting innovation and economic growth alongside protecting individual rights. The Act also requires the regulator (the Information Commissioner's Office, to be reconstituted as the Information Commission) to have regard to the desirability of promoting innovation and competition, and to the importance of preventing and detecting crime and safeguarding national security, when exercising its regulatory functions.

Core GDPR Principles for Businesses

The DUAA does not change the seven data protection principles of the UK GDPR. Organisations must be able to demonstrate compliance with them through documentation, policies and operational practices:
1. Lawfulness, Fairness, and Transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability

Compliance Strategies for Market Entry

To understand what these requirements mean in practice, an organisation should first carry out comprehensive data mapping to identify every point at which personal data is collected, where it flows, and how it is processed. Building on that map, it must create and maintain privacy documentation (for example, records of processing activities and privacy notices) and implement processes for handling individuals' rights requests within the statutory time limits. Where processing is likely to result in a high risk to individuals' rights and freedoms, a Data Protection Impact Assessment must be completed before processing begins. Finally, third-party relationships must be managed through written contracts: a controller remains accountable for personal data even when a processor collects or handles it on the controller's behalf.