Clym Logo
GB flag

GB

UK General Data Protection Regulation (UK GDPR)

Overview

The UK General Data Protection Regulation (UK GDPR), along with the Data Protection Act 2018 form the foundation of UK data protection law. In 2025, the Data (Use and Access) Act 2025 introduced reforms to simplify compliance for businesses while maintaining high privacy protections. These changes affect lawful bases for processing, subject access requests, cookies, and ICO governance.

Regulation Summary

  • 25 May 2018 – EU GDPR enforceable
  • 26 June 2018 – UK Data Protection Act effective
  • 1 January 2021 – UK GDPR replaced EU GDPR post-Brexit
  • 19 June 2025 – First reforms take effect
  • June–August 2025 – Provisions phased in, including PEC reforms and SAR changes
  • Late 2025 – ICO governance reforms finalized and most provisions fully implemented

  • UK-based organizations processing personal data
  • Non-UK businesses targeting UK residents
  • Public authorities and law enforcement under DPA 2018
  • Reforms ease international transfers by broadening adequacy rules and simplifying safeguards

  • Household and personal use
  • National security and law enforcement
  • Journalism, art, and literature
  • Expanded 2025 exemptions for public interest, national security, and research/statistics – allowing more use of data for AI training and innovation, provided proper safeguards are in place

  • Accountability – Demonstrate compliance with principles
  • Transparency – Clear and accessible privacy notices
  • Lawful Bases (2025): Clearer grounds for processing in research, innovation, AI, and public interest
  • Subject Access Requests (SARs): Organizations may now refuse or charge for requests that are vexatious or excessive, while legitimate requests must still be answered
  • High-Risk Processing: DPIAs replaced by more flexible assessments of high-risk processing, focusing on outcomes rather than formats

  • Cookies & Tracking (PEC reforms):
    • Consent no longer required for minimal-impact analytics, fraud detection, or service-improvement cookies
    • Consent still required for high-impact tracking such as targeted advertising
    • Government powers allow a future shift to an opt-out model for cookies, subject to safeguards and consultation
  • Privacy Notices: Must reference updated lawful bases
  • DSARs: Excessive requests may be refused, but explanations must be given
  • Breach Reporting: Notify ICO within 72 hours of a high-risk breach and notify individuals if risks are serious

  • Senior Responsible Individual (SRI): May replace the DPO role for many organizations, shifting accountability to senior management
  • International Transfers: Simplified processes for adequacy and safeguards reduce paperwork
  • Children’s Data: Parental consent still required for under-13s
  • Sensitive Data: Explicit consent or another legal ground required for health, biometric, and similar data

  • Access, correction, deletion, portability
  • Objection and restriction
  • Automated Decision-Making (2025): Organizations gain more flexibility in using AI and automated processes, but individuals retain the right to human review for decisions that have significant impact

  • Regulator: Information Commissioner’s Office (ICO)
  • ICO Reform (2025): Creation of a statutory board with non-executive members, a new statutory objective to uphold rights while supporting innovation and economic growth, and a duty for the ICO to publish a Strategic Plan and improve transparency in enforcement decisions
  • Fines: Up to £17.5m (~$21.9m) or 4% of global turnover for severe breaches, and up to £8.7m (~$10.9m) or 2% of global turnover for lesser breaches
Book a demo