Penningtons Manches Cooper LLP

 

What law(s) specifically govern personal data / information?

The UK data protection regime is set out in the UK GDPR, the Data Protection Act 2018 (DPA) and the Data (Use and Access) Act 2025 (DUAA).

The UK GDPR is the retained and adapted version of the EU General Data Protection Regulation (EU 2016/679) (EU GDPR), created by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended), made under the European Union (Withdrawal) Act 2018. The UK GDPR came into effect on 1 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK. Processing by competent authorities for law enforcement purposes and processing by the intelligence services fall outside it and are governed instead by Parts 3 and 4 of the DPA 2018. It is based on the EU GDPR, with changes to make it work in a UK context (for example, references to EU institutions and mechanisms are replaced or removed).

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018. It was amended with effect from 1 January 2021 by regulations made under the European Union (Withdrawal) Act 2018 to reflect the UK's status outside the EU. It sits alongside and supplements the UK GDPR.

In addition, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) contain specific requirements relating to cookies and similar technologies and to the use of personal data for electronic direct marketing.

The DUAA 2025 received Royal Assent on 19 June 2025. It aims to promote innovation and make compliance with data protection law easier for organisations. It restructures the Information Commissioner's Office (ICO) and gives the regulator new powers and duties intended to help it regulate more effectively, and it amends aspects of the UK GDPR, the DPA 2018 and PECR. Its provisions are being brought into force in stages by commencement regulations over the year following Royal Assent. The commencement dates given below are those known at the time of writing; 'from a date to be appointed' means that no commencement date has yet been set for that provision.

What are the key data protection principles in this jurisdiction?

The UK GDPR sets out seven key principles that must be followed when processing personal data. The principles are set out in article 5 (the remainder of Chapter 2, articles 6 to 11, covers the lawful bases for processing, the conditions for consent and the rules for special category and criminal offence data) and in summary are:

Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a manner that is transparent to the data subject.

Purpose limitation: Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy: Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.

Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality (security): Personal data must be processed in a way that ensures appropriate security, using appropriate technical and organisational measures, to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Accountability: The controller is responsible for what it does with personal data and for complying with the other principles, even where it uses processors or other entities to carry out the processing, and must have appropriate measures and records in place to demonstrate its compliance.


Personal data cannot be processed unless at least one of the lawful bases listed in article 6(1) of the UK GDPR applies. These are that:

  • the data subject has given consent to the processing;
  • processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary to protect the vital interests of the data subject or another person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of "legitimate interests" pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. When relying on "legitimate interests" as a lawful basis, a controller should carry out and document a legitimate interests assessment: identify the interest pursued, confirm that the processing is necessary for that interest, and balance the interest against the rights and freedoms of the data subject which require protection. This lawful basis is not available to public authorities in the performance of their tasks.

There are enhanced obligations under the UK GDPR for certain 'special' categories of personal data. In addition to a lawful basis under article 6, this type of personal data cannot be processed unless one of the conditions listed in article 9(2) of the UK GDPR is also met. Several of those conditions can only be relied on in the UK if an associated condition in Schedule 1 to the DPA 2018 is satisfied, which in many cases also requires the controller to have an 'appropriate policy document' in place, so the conditions must always be considered carefully against the specific circumstances. The article 9(2) conditions include where:

  • the data subject has given explicit consent;
  • processing is necessary for carrying out specific obligations and exercising specific rights of the controller or data subject in the field of employment and social security and social protection law;
  • processing is necessary to protect the vital interests of the data subject or another natural person, where the data subject is not capable of giving consent;
  • certain limited processing is carried out during the legitimate activities (with appropriate safeguards and additional conditions) of a foundation, association or other not-for-profit body solely in relation to its members or former members;
  • processing relates to personal data which has manifestly been made public by the data subject;
  • processing is necessary for the establishment, exercise or defence of legal claims;
  • processing is necessary for reasons of substantial public interest (and these interests are further specified, the processing must be proportionate and with safeguards in place);
  • processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to conditions and safeguards;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law which shall be proportionate to the aim pursued and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Special category data encompasses personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying an individual, data concerning health, and data concerning an individual's sex life or sexual orientation. The DUAA 2025 gives the Secretary of State power to expand the list of special categories of data by regulations (section 74) (from 20 August 2025).

The DUAA 2025 introduces the concept of a 'recognised legitimate interest' (RLI) as a new lawful basis for processing (new article 6(1)(ea) of the UK GDPR). The recognised legitimate interests (schedule 4) include disclosures to a person carrying out processing described in article 6(1)(e) of the UK GDPR (a task carried out in the public interest), national security, public security or defence, responding to an emergency, the detection, investigation and prevention of crime, and safeguarding vulnerable individuals (from a date to be appointed). When relying on an RLI a necessity test is still required, but the balancing test is not. The DUAA 2025 also provides a non-exhaustive list of examples of processing that may be necessary for a legitimate interest under the existing article 6(1)(f) basis; these include direct marketing, intra-group transfers of personal data for internal administrative purposes and ensuring the security of network and information systems (section 70) (from a date to be appointed). These changes aim to make it simpler for a controller to rely on the "legitimate interests" grounds when carrying out fairly typical processing activities.

The DUAA 2025 also clarifies the rules relating to purpose limitation. These changes are primarily aimed at facilitating circumstances, such as use of personal data for research purposes, where the purpose for processing changes from the original purpose at the time that personal data was collected. It sets out the conditions under which processing of personal data for a new purpose (which is different to the original purpose for which the personal data was collected) is compatible with the original purpose. It sets out factors which must be taken into account in making this determination and introduces a new annex of processing to be treated as compatible (schedule 5 para 1) (from a date to be appointed). There are different rules depending on whether the personal data originally collected was consented personal data or non-consented personal data (with more restrictive rules for consented personal data).

The DUAA 2025 confirms that processing for research, archiving and statistical (RAS) purposes is compatible with the original purpose for which the personal data was collected, provided that safeguards are in place (section 71) (from a date to be appointed). It also clarifies the definition of scientific research to include publicly or privately funded research, whether carried out as a commercial or non-commercial activity (section 67) (from a date to be appointed). The DUAA 2025 relaxes the standard of consent for scientific research, allowing data subjects to give broad consent where, at the time consent was collected, it was not possible to identify the research purposes fully, subject to certain conditions (section 68) (from a date to be appointed). It also sets out requirements and safeguards for RAS processing (section 86) (from a date to be appointed).

 

What is the supervisory authority / regulator in charge of data protection?

The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Under the DUAA 2025 the office of Information Commissioner will be abolished and replaced by a new statutory body corporate, the Information Commission (IC) (section 117) (from a date to be appointed). The change to the governance structure is expected in 2026. For simplicity, the regulator is referred to as the IC in the remainder of this note.

The DUAA 2025 makes changes to the IC's role, including an obligation to prepare codes of practice giving guidance on good practice for processing of personal data, as well as other obligations (sections 91-93, 95 and parts of schedule 11 came into force on 20 August 2025). The DUAA 2025 also expands the IC's enforcement powers (sections 102, 104, 106 – 108 came into force on 20 August 2025). New powers enable the IC to give notices by email (section 96) and to require documents (section 97) (from 19 August 2025).

For contact details see: Contact us | ICO.

Is there a requirement to register with a supervisory authority / regulator?

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data as controllers must pay an annual data protection fee to the IC unless they are exempt. There is no separate registration or notification requirement beyond payment of the fee.

A self-assessment tool is available to help organisations decide whether a fee needs to be paid and, if so, the amount payable (Data protection fee self assessment | ICO).

The amount of the annual data protection fee depends on the organisation's size and turnover. There are three tiers, ranging from £52 to £3,763, but most organisations will pay £52 or £78. The fee can be paid online at Pay | ICO. To complete the form the following information is needed:

  • credit/debit card or other payment details;
  • details about the organisation being registered (e.g. Companies House number (if applicable), name and address); and
  • details about the number of staff and turnover.

 

Is there a requirement to notify the supervisory authority / regulator?

No, a notification to the IC before carrying out processing activities is not generally necessary.

However, if a Data Protection Impact Assessment (DPIA) identifies a high risk that the organisation cannot mitigate, prior consultation with the IC is required under article 36 of the UK GDPR. The organisation cannot begin the processing in these circumstances until it has consulted the IC.

The focus is on the 'residual risk' after taking any mitigating measures. If the DPIA identified a high risk but steps have been taken to reduce the risk so that it is no longer high, it is not necessary to consult.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes (see: Register | ICO).

 

What are the key data subject rights under the data protection laws of this jurisdiction?

The data subject rights are set out in Chapter 3 of the UK GDPR (articles 12 to 23) and in summary are:

The right to be informed

Pursuant to articles 13 and 14 of the UK GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

The DUAA 2025 introduces an exemption from the obligation to provide this information where the controller intends to process the personal data for RAS purposes and providing the information is impossible or would involve a disproportionate effort (subject to some additional requirements). Where personal data was not obtained from the data subject, the DUAA 2025 restructures the relevant provisions so they are easier to follow and clarifies the exemptions (for example, where providing the information is impossible or would involve a disproportionate effort, or where providing the information is likely to render impossible or seriously impair the achievement of the objectives of the processing) (section 77) (from a date to be appointed). A controller relying on one of these exemptions must still make the relevant information publicly available (for example, by publishing it).

Right of access

A data subject has the right to obtain from a controller confirmation of whether their personal data is being processed and, if so, the information listed in article 15 of the UK GDPR. Additionally, the data subject may request a copy of the personal data being processed.

The DUAA 2025 introduces changes which codify IC guidance on the right of access (see: Right of access | ICO) and are expected to make it easier for controllers to comply with a data subject access request (DSAR). For example, where a controller asks a data subject to provide further information needed to respond, the time limit for responding to the DSAR is paused until that information is received (known as 'stopping the clock') (sections 76 and 77) (from a date to be appointed).

The DUAA 2025 clarifies that a data controller is only required to conduct a 'reasonable and proportionate' search when responding to a DSAR (section 78). This change came into effect on 19 June 2025 but applies retrospectively from 1 January 2024. The DUAA 2025 also introduces court procedures for DSARs (section 104) (from 20 August 2025).

Right to rectification of errors

Pursuant to article 16 of the UK GDPR, data subjects have the right to rectification of inaccurate personal data.

Right to deletion/right to be forgotten

Data subjects have the right to erasure of their personal data (the 'right to be forgotten') if one of the grounds listed in article 17 of the UK GDPR applies.

Right to restriction of processing

Data subjects have the right to request restriction of the processing of their personal data if one of the grounds listed in article 18 of the UK GDPR applies.

Right to data portability

Data subjects have a right to receive a copy of certain of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (article 20 of the UK GDPR).

Right to object to processing

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (article 6(1)(e) of the UK GDPR) or the legitimate interests of the controller (article 6(1)(f) of the UK GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or it requires the data in order to establish, exercise or defend legal claims.

Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling related to marketing. Under the DUAA 2025 data subjects have the right to object to processing where the lawful basis relied upon is RLI (section 70) (from a date to be appointed).

Right to withdraw consent

A data subject has the right to withdraw their consent at any time (article 7 para 3 of the UK GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

Right to complain to the relevant data protection authority(ies)

Data subjects currently have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority (i.e. the IC) (article 77 of the UK GDPR). The DUAA 2025 introduces a new requirement for organisations to deal with complaints brought by individuals before those individuals can complain to the IC. Controllers will need to comply with new complaint-handling obligations (including providing a complaint form, acknowledging receipt of a complaint within 30 days, taking appropriate steps to respond without undue delay and informing the individual of the outcome of their complaint). The DUAA 2025 also gives the Secretary of State power by regulation to require controllers to notify the IC of the number of complaints received (section 103) (from a date to be appointed).

The IC is expected to publish new guidance on complaints.

Right not to be subject to automated individual decision-making

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling) which produces legal effects or similarly significant effects for the data subject (article 22 of the UK GDPR). A decision is based solely on automated processing if there is no meaningful human involvement. The DUAA 2025 relaxes the rules on automated decision-making (ADM) by allowing organisations to make such decisions, provided they are not processing special category data and they ensure that appropriate safeguards are in place (being the right for the data subject to be provided with information about the decision, to make representations, to obtain human intervention and to contest the decision). ADM based on special categories of personal data remains prohibited, subject to limited exceptions (being that (i) the data subject has given explicit consent, or (ii) the decision is necessary for entering into or performing a contract between the data subject and a controller, or is required or authorised by law, and in either case the processing is necessary for reasons of substantial public interest). For ADM not involving special categories of personal data, the DUAA 2025 will allow organisations to rely on any lawful basis for processing (except an RLI) (section 80) (from a date to be appointed).

This is a summary only and there are some qualifications and limitations to these rights which may be relevant.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the UK GDPR (articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations:

  • that are a public authority or body (except for courts and tribunals acting in their judicial capacity);
  • whose core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • whose core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Organisations must carry out a DPIA before carrying out any type of processing that is likely to result in a high risk to individuals. Evaluating whether processing is likely to result in a high risk should involve consideration of the likelihood and severity of the potential harm.

Article 35 of the UK GDPR provides some examples of processing activities likely to result in high risk:

  • use of systematic and extensive profiling with legal or similarly significant effects;
  • processing special category or criminal offence data on a large scale; or
  • systematically monitoring publicly accessible places on a large scale.

In these cases, a DPIA is compulsory. The list is non-exhaustive; other processing operations that pose a similarly high risk would also require a DPIA.

The IC DPIA guidance is based on the guidelines endorsed by the European Data Protection Board (see: https://ec.europa.eu/newsroom/article29/items/611236 ). These define nine criteria of processing operations likely to result in high risk. While the guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA, organisations may consider that just meeting one criterion could require a DPIA.

IC DPIA guidance sets out a further 10 types of processing operation that mean a DPIA is compulsory if you plan to:

  • use innovative technology (in combination with any of the criteria from the European guidelines);
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data (in combination with any of the criteria from the European guidelines);
  • process genetic data (in combination with any of the criteria from the European guidelines);
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice ('invisible processing') (in combination with any of the criteria from the European guidelines);
  • track individuals' location or behaviour (in combination with any of the criteria from the European guidelines);
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual's physical health or safety in the event of a security breach.

The IC provides screening checklists (see: Data protection impact assessments | ICO), that organisations can use to assess whether a DPIA is required.

Even if there is no specific indication of likely high risk, the IC DPIA guidance provides that it is good practice to do a DPIA for any major new project involving the use of personal data.

 

Does this jurisdiction have any specific data breach notification requirements?

Article 33 of the UK GDPR provides that a controller must notify the IC of a personal data breach unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The IC must be notified without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of the breach. If notification takes longer than 72 hours, the controller must give reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay (article 33(2)); the 72-hour clock runs from the controller's awareness, so processor contracts should fix a short internal reporting deadline.

When assessing the risk to individuals, organisations need to consider the specific circumstances of the breach, including the likelihood, severity and potential impact of the risk. The IC refers to the European Data Protection Board (EDPB) guidelines on breach notification, which remain relevant although the UK has left the EU. They provide that the following factors should be taken into account when assessing risk:

  • the type of breach (confidentiality, integrity or availability);
  • the nature, sensitivity and volume of the personal data;
  • the ease with which individuals can be identified;
  • the severity of the consequences for individuals;
  • special characteristics of the individuals (for example, children or other vulnerable individuals may be at greater risk);
  • the number of individuals affected; and
  • specific characteristics of the controller (e.g. a breach at a medical organisation processing special categories of personal data will pose a greater threat than a breach of a newspaper's mailing list).

The EDPB guidelines give examples of breaches unlikely to result in such a risk: where the personal data are already publicly available, so that their disclosure does not of itself create a further risk to the individual, or where the data are encrypted with a state-of-the-art algorithm and the key is not at risk of compromise. Encryption only addresses the confidentiality risk, however; if the encrypted data are lost or unavailable and no backup exists, the availability breach may still need to be reported.

When an organisation decides not to report a breach, it should document that decision and retain the evidence supporting its conclusion that the breach is unlikely to result in a risk to individuals' rights and freedoms.

The requirement to communicate a breach to individuals is triggered where a breach is likely to result in a high risk to their rights and freedoms (see article 34, UK GDPR) and the obligation falls on the controller.

The threshold for communicating a breach to individuals is higher than for notifying the IC. Consequently, where communication to individuals is required, notification to the IC will always be required as well. The same factors as set out above apply when assessing whether communication to individuals is required. A presumption of high risk to individuals is suggested where the data involved fall within the special categories of data identified in article 9 of the UK GDPR and section 10(1) of the DPA 2018.

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR provides that organisations must inform those concerned directly and without undue delay.

Article 33(5) of the UK GDPR (and, for law enforcement processing under Part 3 of the DPA 2018, section 67(6) of that Act) provides that all personal data breaches, including those not reported, must be documented, recording the facts relating to the breach, its effects and the remedial action taken. The IC may inspect these records to verify compliance.

The IC has a self-assessment tool to assist organisations in determining whether a particular breach needs to be reported (see: Self-assessment for data breaches | ICO).

There are separate data breach notification requirements under PECR for providers of public electronic communications services. The DUAA 2025 brings the timeframe for notifying the IC under PECR into line with the UK GDPR: service providers must notify the IC of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. If notification takes longer than 72 hours, it must be accompanied by reasons for the delay (section 111) (from 20 August 2025).

 

What restrictions apply to the international transfer of personal data / information?

Chapter 5 of the UK GDPR restricts the transfer of personal data to countries outside the UK or to international organisations. Transfers are only permitted if:

  • the recipient is located in a country or territory, or is an international organisation, covered by UK 'adequacy regulations' (article 45). The UK has adequacy regulations in relation to the EEA countries, Gibraltar, the Republic of Korea, and the countries, territories and sectors covered by the European Commission's adequacy decisions in force at 31 December 2020, as well as partial findings of adequacy for Canada and Japan (private sector organisations only) and the US (organisations that have certified under the UK Extension to the EU-US Data Privacy Framework);
  • the transfer is made subject to one of the appropriate safeguards set out in article 46, such as:
    • Binding Corporate Rules (BCRs), for which the UK approval process is simpler than the EU process; or
    • either the UK International Data Transfer Agreement (IDTA) or, where Standard Contractual Clauses (SCCs) approved under the EU GDPR are also being used, the UK International Data Transfer Addendum to the EU SCCs. In these circumstances a transfer risk assessment should also be carried out; the IC has published a transfer risk assessment tool and guidance; or
  • the transfer is covered by one of the derogations set out in article 49 (available only in the absence of an adequacy regulation or appropriate safeguard), such as the explicit consent of the data subject, the transfer being necessary for the performance of a contract between the data subject and the controller at the data subject's request or in the interest of the data subject, or the transfer being necessary for the establishment, exercise or defence of legal claims.

The UK is the subject of an adequacy decision by the European Commission under the GDPR and the Law Enforcement Directive. This means that transfers of personal data from the EEA to the UK continue as they did before Brexit without the need for further safeguards, such as SCCs or data transfer impact assessments. Both adequacy decisions were due to expire on 27 June 2025 but were extended to 27 December 2025. On 22 July 2025, the European Commission launched the process to adopt two new adequacy decisions to allow the flow of personal data from the EEA to the UK, following a period of assessment to decide whether the DUAA 2025 provides data protection safeguards that are essentially equivalent to those provided by the EU, which concluded that it does.

The DUAA 2025 introduces a new 'data protection test' for international transfers, under which the standard of protection provided in the third country must not be materially lower than the standard of protection in the UK (section 85 and schedule 7) (from a date to be appointed). The Secretary of State must apply this test when deciding whether to make adequacy regulations for a third country or international organisation. The same test applies to organisations assessing transfer risk before transferring personal data to a third country under appropriate safeguards (such as standard contractual clauses): the organisation must carry out a transfer risk assessment, which is satisfied if the controller or processor, acting reasonably and proportionately, considers that the data protection test is met.

The DUAA 2025 introduces powers for the Secretary of State to establish lists of prohibited destinations and to introduce standard contractual clauses (schedule 7) (from a date to be appointed).
The IC is expected to publish new guidance on international transfers.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, article 3 of the UK GDPR and s207 of the DPA 2018 (subject to limited exceptions) extend the territorial scope of the UK data protection regime such that it applies to the processing of personal data:

(a) in the context of the activities of an establishment of a controller or a processor in the UK, regardless of whether that processing takes place in the UK or not;

(b) of data subjects who are in the UK by a controller or processor not established in the UK, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the UK, or
  • the monitoring of their behaviour as far as their behaviour takes place within the UK; or

(c) by a controller not established in the UK, but in a place where the law of the UK (or a part) applies by virtue of public international law.

 

What rules specifically deal with marketing?

PECR sits alongside the DPA 2018 and the UK GDPR to provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text, and picture or video message, or by using an automated calling system. PECR also includes other rules relating to cookies, telephone directories, traffic data, location data, and security breaches.

Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations (e.g. charities, political parties, etc). The DUAA 2025 adds a legal definition of direct marketing ('the communication (by whatever means) of advertising or marketing material which is directed to particular individuals') to PECR (section 110) (from 20 August 2025). It also amends the definition of a 'call' to include attempts to make a call and the definition of 'communication' to include communications that have been transmitted (catching sent emails even if not received) (section 110) (from a date to be appointed).

In many cases, organisations will need consent to send people marketing, or to pass their details on and such consent must meet the UK GDPR standard (including that the consent is a positive action from the individual, freely given, specific and informed, an unambiguous indication and capable of verification). Organisations must make it easy for people to withdraw consent.

The IC recommends that opt-in boxes are used. The rules on calls, texts, and emails are stricter than those on mail marketing, and consent must be more specific.
Organisations can make live marketing calls to numbers not registered with the Telephone Preference Service (TPS) or the Corporate TPS (CTPS), but only if the recipient has not objected to the organisation's calls in the past and the organisation is not marketing claims management services (calls for this purpose require consent). Pension scheme calls can only be made to individuals (including sole traders and partnerships) if authorised and with consent or meeting existing customer criteria.

Organisations should note that some businesses (sole traders and some partnerships) register with the TPS, and others (companies, some partnerships and government bodies) register with the CTPS. For business-to-business calls, organisations therefore need to screen against both the TPS and the CTPS registers, as well as their own 'do not call' list.

Organisations must not call any number on the TPS or CTPS list without specific prior consent.

The rules on automated calls are stricter. Organisations must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the recipient has specifically consented to receive this type of call. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.

Organisations making marketing calls must display their number (or an alternative contact number) to the person receiving the call and must say who is calling and provide contact details or a freephone telephone number if requested.

Organisations must not send marketing texts or emails to individuals without their specific prior consent. There is a limited exception for existing customers, known as the ‘soft opt-in’ (for further details see section 15 below). Senders must not disguise or hide their identity and must provide a valid contact address for people and businesses to opt-out or unsubscribe.

Organisations must stop sending marketing messages to anyone who opts out or unsubscribes or who withdraws their consent.

Organisations must carry out rigorous checks before relying on indirect consent (i.e. consent originally given to a third party). Indirect consent is highly unlikely to be valid for calls, texts, or emails.

Neither the DPA nor PECR bans the use of marketing lists, but organisations must take steps to ensure a list was compiled fairly and accurately reflects people's wishes. Bought-in call lists should be screened against the TPS and the organisation's 'do not call' list. It will be very difficult to use bought-in lists for text, email, or automated call campaigns to market to private individuals since these require very specific consent.

The IC's direct marketing checklist summarises the rules on direct marketing (see: Direct marketing checklist | ICO).

The IC has also published guidance on its direct marketing and privacy and electronic communications hub (see: Direct marketing and privacy and electronic communications | ICO).

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes, there are different rules for marketing to companies and marketing to individuals (which includes sole traders and some partnerships). The IC has published an at-a-glance guide to the different marketing rules that apply to individuals and companies. As part of the direct marketing hub, the IC has published guidance on business-to-business marketing (see: Business-to-business marketing | ICO).

Under PECR organisations can only send marketing emails or texts to individuals if they have specifically consented, or if the PECR 'soft opt-in' applies (see section 15 below for further details).

Organisations can email or text any corporate body (a company, Scottish partnership, limited liability partnership or some government bodies). However, IC guidance provides that senders must not disguise or conceal their identity and must give a valid contact address for opt-outs. It is good practice to keep a 'do not email or text' list of any businesses that object or opt out, and screen any new marketing lists against that.

See section 13 above for details of the rules with regard to live calls and automated calls.

The UK GDPR applies wherever you are processing 'personal data'. This means if you can identify an individual either directly or indirectly, the UK GDPR will apply – even if they are acting in a professional capacity. Consequently, organisations may need to consider the UK GDPR if they are emailing employees at a corporate body who have personal corporate email addresses (for example an address that includes the employee's name).

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Please see section 13 above. Direct electronic marketing is governed in the UK by both the UK GDPR and PECR.
Consent is required before sending emails to individual subscribers (unless the PECR 'soft opt-in' set out below applies). Where PECR requires consent, that consent must meet the UK GDPR standards (including that the consent is a positive action from the individual, freely given, specific and informed, an unambiguous indication and capable of verification).

PECR – soft opt-in

Where an individual subscriber has not given prior consent to marketing, an organisation can only send email marketing if it collected the individual's contact details in the course of a sale or negotiation of a sale of a product or service, it is marketing similar products and services, and it gave the individual a simple way to refuse or opt out both when it first collected their details and in every subsequent message sent.

The DUAA 2025 introduces a welcomed change which will allow charities to benefit from the soft opt-in, where the sole purpose of the direct marketing is to further the charity's purpose, the individual's contact details were obtained in the course of the individual expressing an interest in the charity, or offering or providing support to further the charity's purpose, and the individual is given a way to opt out of the use of their contact details at the time their contact details were collected and in every subsequent communication (section 114) (from a date to be appointed).

 

What rules specifically deal with cookies?

PECR covers the use of cookies. Existing IC guidance on the use of cookies (see: Cookies and similar technologies | ICO) sets out how to comply with PECR and UK GDPR. In summary, this requires organisations to:

  • state they use cookies;
  • explain the purpose of and the duration of the cookies; and
  • obtain consent to set cookies on a user’s device (unless the cookies are strictly necessary) and such consent must be to the UK GDPR standard (including that the consent is a positive action from the individual, freely given, specific and informed and capable of verification).

The website should not set any cookies until user consent has been obtained. In order for the consent to be valid the various purposes of the cookies must be broken down (for example whether cookies are analytics cookies or advertising cookies) and the user given the ability to choose whether to accept or reject the use of each type of cookie. Only cookies that are strictly necessary for provision of the service (such as a cookie to remember the goods a user wishes to purchase when they add goods to their basket or go to checkout) may be pre-enabled. Organisations must make it as easy to reject non-essential cookies as it is to accept them. Information provided to the user about cookies should be clear and comprehensive. The website must also allow the consent to be withdrawn by the user at any time, and information should be provided to the user on how cookies that have already been set can be removed.
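The requirements in the preceding paragraphs translate into a small amount of client-side logic: nothing but strictly necessary cookies is written before a decision, each non-essential purpose is a separate choice, accept-all and reject-all are equally easy, and withdrawal removes what no longer has a basis. The following is an added example written for this page, not code from the ICO or from the firm; the in-memory `Map` jar is a constructed stand-in for `document.cookie` so that it runs outside a browser, and the category names and cookie names (`basket`, `_ga`, `ads_id`) are constructed for illustration. It does not model the DUAA 2025 relaxation for statistical cookies described later in this section.

```javascript
// Consent gate for browser cookies, modelled on the PECR / UK GDPR requirements
// described above. The "jar" Map stands in for document.cookie (constructed for
// this example); a real page would wrap document.cookie with the same interface.
const NON_ESSENTIAL = ['analytics', 'advertising']; // purposes the user must choose individually

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;        // cookie name -> { value, category }
    this.consent = null;   // null = no decision yet; else { analytics: bool, advertising: bool }
    this.pending = [];     // set requests made before any decision
  }

  // Strictly necessary cookies (e.g. a basket id) may always be set; anything
  // else needs an explicit per-category "true" recorded in this.consent.
  canSet(category) {
    if (category === 'necessary') return true;
    if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
    return this.consent !== null && this.consent[category] === true;
  }

  // Returns true if written now, false if refused or deferred until a decision.
  setCookie(name, value, category) {
    if (this.canSet(category)) {
      this.jar.set(name, { value, category });
      return true;
    }
    // Before a decision, queue so a later accept can honour the request;
    // after an explicit refusal, drop it.
    if (this.consent === null) this.pending.push({ name, value, category });
    return false;
  }

  // One call each for accept-all and reject-all, so rejecting is no harder
  // than accepting; granular choices go through decide() directly.
  acceptAll() { this.decide(Object.fromEntries(NON_ESSENTIAL.map(c => [c, true]))); }
  rejectAll() { this.decide(Object.fromEntries(NON_ESSENTIAL.map(c => [c, false]))); }

  decide(choices) {
    const consent = {};
    for (const c of NON_ESSENTIAL) consent[c] = choices[c] === true; // unticked = refused
    this.consent = consent;
    const queued = this.pending;
    this.pending = [];
    for (const req of queued) this.setCookie(req.name, req.value, req.category);
    this.purgeUnconsented();
  }

  // Withdrawal must work at any time: forget the decision and remove every
  // non-essential cookie already on the device.
  withdraw() {
    this.consent = null;
    this.purgeUnconsented();
  }

  purgeUnconsented() {
    for (const [name, c] of this.jar) {
      if (!this.canSet(c.category)) this.jar.delete(name);
    }
  }

  names() { return [...this.jar.keys()].sort(); }
}

// Walk-through with constructed cookie names; returns the jar contents at each stage.
function demo() {
  const gate = new ConsentGate();
  gate.setCookie('basket', 'b-123', 'necessary');   // allowed before any decision
  gate.setCookie('_ga', 'GA1.2', 'analytics');       // deferred: no decision yet
  gate.setCookie('ads_id', 'x', 'advertising');      // deferred
  const beforeDecision = gate.names();               // ['basket']
  gate.decide({ analytics: true });                  // advertising left unticked -> refused
  const afterChoice = gate.names();                  // ['_ga', 'basket']
  gate.withdraw();
  const afterWithdraw = gate.names();                // ['basket']
  return { beforeDecision, afterChoice, afterWithdraw };
}
```

The deferred queue is the part most banner implementations get wrong: analytics and advertising tags usually fire on page load, before the user has interacted with the banner, so the gate has to absorb those requests rather than let them through and hope the banner catches up.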

Organisations are required to prepare a cookie policy outlining what cookies the website collects and if any cookies are strictly necessary for it to operate. The IC recommends that all organisations undertake a 'cookie audit' to understand better the cookies their websites use and the reasons why. Following such audits, organisations should review their practices and policies in line with the IC guidance.

The DUAA 2025 simplifies the rules on using cookies. It removes the requirement to obtain consent for use of some non-essential cookies (for example cookies used to collect statistical information and for the purposes of website appearance) provided that the organisation gives users clear and comprehensive information and a mechanism to opt-out. The DUAA 2025 also provides a non-exhaustive list of examples of 'strictly necessary' cookies which do not require consent, including those used to protect information provided in connection with, or relating to, the provision of the service requested, to ensure the security of the terminal equipment of the subscriber or user is not adversely affected by the provision of the service requested, and to prevent or detect fraud in connection with the provision of the service requested. The DUAA 2025 clarifies that references to storing information, or gaining access to information stored in the terminal equipment of a subscriber or user, includes 'instigating the storage or access' and 'collecting or monitoring information automatically emitted by terminal equipment' (Section 112 and schedule 12 of DUAA 2025) (from a date to be appointed).

The IC published draft guidance on the use of storage and access technologies in December 2024, which was updated in July 2025 to reflect the changes made to PECR by the DUAA 2025. A new chapter has been added to explain the new exceptions under the DUAA 2025. The guidance has not yet been finalised and a consultation on the new chapter is open until 26 September 2025 (see: Guidance on the use of storage and access technologies | ICO). The IC plans to withdraw the previous version of its guidance on the use of cookies and similar technologies when the new draft guidance is finalised after the consultation.

Sections 109, parts of 110, 111 and 113, which amend and clarify PECR, came into effect on 20 August 2025.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The IC has the power to issue a monetary penalty for infringements of provisions of the UK GDPR and for infringements of certain provisions of the DPA 2018.
There are two levels of penalty.

The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights a data subject may have or in relation to any transfers of data to third countries.

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Currently, the IC may also issue fines of up to £500,000 for non-compliance with direct marketing laws. However, this is set to change under the DUAA 2025, which increases the maximum fines under PECR to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher, to align with the UK GDPR and the DPA 2018 (section 115(5) and schedule 13 DUAA 2025) (from a date to be appointed).

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

Controllers and processors who are not established in the UK are generally required under article 27 of the UK GDPR to designate a representative in the UK where their activities fall within the territorial scope of the UK data protection regime under article 3, specifically if they involve processing personal data of data subjects within the UK in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the UK.

The minimum age a data subject must reach in order to give valid consent to the processing of their own personal data is 13 in the UK.

Under DUAA 2025 providers of online services that are likely to be accessed by children must consider data protection by design requirements taking into account the children's higher protection matters when assessing what are appropriate technical and organisational measures (section 81).

 

What upcoming data protection developments should multinational organisations be aware of?

As outlined in Question 1, changes under the DUAA 2025 will be implemented in four stages by secondary legislation, over the next year. The first set of changes (set out in the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 (SI 2025/904)) took effect from 20 August 2025 (and includes matters identified above and other changes to minor provisions about data protection).

Organisations are advised to keep up to date with changes as they take effect and to refer to new IC guidance (as and when it becomes available). The IC has published a list of guidance in development (see: Our plans for new and updated guidance | ICO) as well as a helpful summary of changes to data protection law (see: The Data Use and Access Act 2025 (DUAA) - summary of the changes to data protection law | ICO).

While the DUAA 2025 is expected to ease compliance, the benefit to organisations operating in both the UK and the EU will be limited, as they will still need to comply with EU GDPR.

 

Need more information?
Contact a member firm:
Nora Pook
Penningtons Manches Cooper LLP
UK 


Joanne Vengadesan
Penningtons Manches Cooper LLP
UK 


Grace Lymer-Sullivan
Penningtons Manches Cooper LLP
UK 


Dan Lovett
Penningtons Manches Cooper LLP
UK 


Thomas Kirby
Penningtons Manches Cooper LLP
UK 


Nilly Tabatabai
Penningtons Manches Cooper LLP
UK