
The UK’s personal data protection legislation continues to evolve independently of the EU GDPR. This ATC Briefing on UK GDPR and data privacy brings you the latest information on legislation and UK-specific personal data guidance and resources.

UK Data Privacy Legislation

The UK’s data protection legislation controls how personal information is used by organisations. Its provisions for the protection of personal data are governed by:

The new Data (Use and Access) Act 2025 (DUAA) amends the UK GDPR and, for organisations, primarily concerns research provisions, privacy notices, automated decision-making and cookie rules. Its first provisions came into force in August 2025, and the changes will be phased in by June 2026. DUAA guidance for organisations will be updated during the course of 2025-26.

ICO UK GDPR Guidance

ICO, the Information Commissioner’s Office, is the UK’s data privacy regulator and the main source for information, guidance, and templates on UK GDPR.

Good starting points for making the most out of ICO guidance include:

UK GDPR Documentation & Templates

As you are implementing and reviewing personal data protection measures within your business, it’s worth making use of ready-made documentation checklists and templates to ensure that you capture all required information, processes and data.

The ICO’s checklists and templates are scattered across their site and we recommend searching for different templates using the search function. The most useful template resources include:

There are also a number of commercial providers with UK GDPR and other global data protection templates and documentation generators. One of the more useful ones is Termly.

UK GDPR & Marketing

The rights and wrongs of direct marketing remain a question for many organisations. In the UK, you must comply with the Privacy and Electronic Communications Regulations (PECR) when sending direct marketing messages. Where these activities involve the use of personal information, you must also comply with the UK GDPR.

This ICO guidance will get you started:

UK GDPR & International Transfers

The UK GDPR primarily applies to data controllers and processors located in the UK who process the personal data of UK-based people. Those people risk losing the protection of UK data protection laws if their personal data is transferred outside the UK.

The ICO’s guidance on UK GDPR and international transfers includes checklists and templates to ensure safe and secure data transfers.

Start here:

For international transfers to the US, the UK-US data bridge is an extension of the EU-US Data Privacy Framework – an opt-in certification scheme which enables certified US companies to receive personal data from the UK.
