Yes, all companies, businesses and organisations that process personal data of individuals within the United Kingdom are required to comply with the UK General Data Protection Regulation (UK GDPR) – and likewise with the GDPR for EU residents.
The UK GDPR applies to both Data Controllers (entities that determine the purposes and means of processing personal data) and Data Processors (entities that process personal data on behalf of data controllers) operating within the UK.
Although all organisations must be compliant, not all organisations are required to register with the relevant enforcement body, such as the ICO. See our separate post about those requirements.
The UK GDPR sets out rules and principles for the lawful and transparent processing of personal data, ensuring that individuals have control over their information and that organisations handle data responsibly.
Key obligations under the UK GDPR include:
1. **Lawfulness, Fairness, and Transparency**: Personal data must be processed lawfully, fairly, and transparently, with individuals being informed about how their data is being used.
2. **Purpose Limitation**: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. **Data Minimisation**: Organisations should only collect data that is necessary for the intended purpose and should not retain personal data for longer than necessary.
4. **Accuracy**: Personal data should be accurate and kept up to date, with mechanisms in place to rectify or erase inaccurate data.
5. **Storage Limitation**: Personal data should be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed.
6. **Security**: Organisations are required to implement appropriate technical and organisational measures to ensure the security of personal data, protecting it against unauthorised or unlawful processing and accidental loss, destruction, or damage.
7. **Individual Rights**: The UK GDPR grants individuals various rights regarding their personal data, including the right to access, rectify, erase, and restrict processing of their information.
8. **Accountability**: Organisations are responsible for demonstrating compliance with the principles of the UK GDPR, including maintaining detailed records of data processing activities and implementing appropriate measures to ensure data protection.
Failure to comply with the UK GDPR can result in significant fines and penalties imposed by the UK Information Commissioner’s Office (ICO) or other relevant regulatory authorities. Therefore, it is essential for all companies operating within the UK or EU to understand their obligations and take appropriate steps to ensure compliance.
Data (Use and Access) Act 2025 (DUAA)
The DUAA received Royal Assent on 19 June 2025, building on, but not replacing, the UK GDPR, Data Protection Act 2018, and PECR. It modernises data protection law to support innovation and economic growth, introducing several key frameworks: “smart data” schemes (similar to open banking), statutorily-backed digital identity verification services, and a national register for underground utilities. Crucially, it reforms data protection by expanding permissible automated decision-making (ADM) – allowing decisions without human involvement across a wider range of lawful bases (except for special-category data) so long as safeguards (transparency, challenge rights, human review) are in place.
On a day-to-day basis most businesses won’t be affected by the DUAA; it will exist alongside the GDPR in the same way as the PECR does – it exists, companies comply with it, but most companies never give it a second thought.
The DUAA introduces key reforms to UK data protection law, particularly around how personal data is processed. It broadens the scope for automated decision-making (ADM) by removing the GDPR’s strict restrictions, allowing organisations to use ADM – even where significant effects arise – across most legal bases, provided there are safeguards such as transparency, the right to challenge decisions, and human review. The Act also introduces a new legal ground: “recognised legitimate interests”, which permits data processing for specific public interest purposes (e.g., national security, crime prevention) without the need to conduct a balancing test against individual rights.
It modifies the rules around subject access requests (SARs), allowing organisations to limit searches to what is “reasonable and proportionate” and introducing a “stop-the-clock” mechanism when clarification from the requester is needed. For scientific research, the DUAA allows for broad consent and relaxes transparency requirements when providing detailed information would be impractical. Additionally, it lowers the threshold for international data transfers, permitting transfers where protections are “not materially lower” than the UK standard, rather than “essentially equivalent,” easing global data flows while still protecting individual rights.