For early stage companies it may be difficult to know where to start to get up to speed with the various requirements of UK data protection law.
The following are key pieces of legislation which make up UK data protection law:
In June 2025, the Data (Use and Access) Act 2025 was also enacted, reforming certain provisions within the UK GDPR, DPA 2018 and PECR. These reforms are coming into force in phases though, and so a lot of the changes to data protection law haven’t happened yet.
Within this article we've summarised some of the important requirements under UK data protection law, to assist businesses with starting a ‘data protection to do list’. We have noted where a requirement is new or is changing under the Data (Use and Access) Act 2025.
If your company is a controller of personal data, you're required to provide individuals with a privacy notice explaining how their personal data is collected and processed. For most businesses this will include:
You should publish an internal data protection policy, outlining the rules and procedures for personnel to follow when accessing or processing personal data on behalf of the company.
A cookie consent banner should be implemented on your website to request consent from website users before deploying certain cookies.
Previously, only strictly necessary cookies could be deployed without consent; however, the Data (Use and Access) Act 2025 is due to increase the types of cookies that can be used without consent. Soon, cookies that are used to collect information for statistical purposes and to improve the functionality of a website won’t need consent either.
Your website must also have a cookies policy which tells website users certain information about the cookies that you are using, including the name, purpose and duration of each cookie.
You must maintain one ROPA for processing activities where you are a controller, and a second for any processing activities where you are a processor (if applicable). Small and medium-sized organisations with fewer than 250 employees do not have to document all processing activities; however, they must document processing which: is not occasional; is likely to result in a risk to individuals; or involves special category or criminal offence data.
You must only retain personal data for as long as is necessary for the lawful purposes that you are processing it for. This is known as the storage limitation principle.
You should implement a data retention schedule which details agreed retention periods for different categories of data. Personal data must be securely deleted at the end of its agreed retention period to ensure that you comply with the storage limitation principle.
Your company must keep a register of all personal data breaches, whether or not you determine that the breach is reportable to the Information Commissioner's Office (ICO) or to affected data subjects.
Unless exempt, all organisations that process personal data must register with the ICO and pay the data protection fee. The ICO has a self-assessment tool on its website which will help determine whether your business needs to register and pay the fee.
Companies are legally required to appoint a data protection officer if they are a public authority or if their core activities involve large scale, regular and systematic monitoring of individuals or consist of large scale processing of special category data, or criminal offence data.
If your company doesn’t meet this threshold, you should still select someone within the organisation to be responsible for overseeing data protection compliance.
Contracts between a controller and a processor must contain prescribed data processing provisions. These prescribed data processing provisions are set out in Article 28 of the UK GDPR. It's important to review third-party contracts to ensure that the necessary provisions are included.
When transferring personal data outside the UK, unless the location you are transferring it to has an adequacy decision, it's essential to implement appropriate safeguards to protect the personal data. These appropriate safeguards include standard approved contractual clauses, provided that you have completed a transfer risk assessment which confirms that the standard contractual clauses provide a sufficient level of protection in the circumstances.
You should therefore review all international transfers of personal data and ensure that appropriate safeguards are in place if necessary, and that all transfer risk assessments have been completed.
Where you are sending direct electronic marketing to consumers, for example by email or text, you must ensure that you have their consent. The exception to this is if you are able to rely on the soft opt-in because the individual is a previous customer or has expressed an interest in becoming a customer. You must meet all of the soft opt-in requirements to rely on it though.
Regardless of whether you are sending direct marketing to consumers or business contacts, you must always provide the option to unsubscribe or opt-out.
Organisations must facilitate individuals making complaints about the processing of their personal data. Once a complaint has been made, the organisation must acknowledge it within 30 days and respond in full without undue delay. One way that you can show you are facilitating individuals making data protection complaints is to provide an electronic complaints form.
These legal obligations around the handling of data protection complaints are new under the Data (Use and Access) Act 2025 and are due to come into force in the summer of 2026.
Maintaining compliance with UK data protection law is an ongoing responsibility that requires active management, regular review and a culture of accountability. The above list of requirements is not exhaustive; however, actioning each of the tasks outlined in this article will help your organisation on its journey to compliance with UK data protection law.
If you require further information, please contact our data protection team.