Marketing compliance: PECR and UK GDPR
- 7 steps
UK Act of Parliament
2018
United Kingdom
Data Protection Act 2018
At a glance
Enforced by
ICO, SRA, LSB, RQIA, Forestry Commission
What's here
87 compliance obligations, 140 practical guides across 6 topics · 36 journeys · 9 statutory instruments
Penalty landscape
54 of 87 obligations carry a fine up to £17,500,000. 12 carry different penalties and 21 have no criminal penalty — flagged in the list below.
Who this Act binds
Business-side actors with duties under this Act, ranked by how often they appear.
- Data Controller 46
- Any Person 17
- Director or Officer 1
- Contractor 1
Plus 22 non-business duties on Crown ministers, regulators, local authorities or tribunals — shown collapsed under each section below.
Step-by-step journeys using this legislation
Walkthroughs that take you from a real business situation to compliance.
Comply with the Online Safety Act from scratch
- 3 steps
Respond to a data breach
- 5 steps
Data breach 72-hour checklist
- 3 steps
Start using AI responsibly in your business
- 7 steps
AI compliance quick check
- 9 steps
Relevant guidance
Practical guides for businesses affected by this Act, ordered by how closely they engage with it.
Direct — cites this Act
25 guidesAI Regulation Framework
Approvals and registrations you need before trading
Carry out a data protection impact assessment (DPIA)
Cookie consent: comply with PECR requirements
Cryptoasset Business Regulation
Data protection and CCTV for hospitality businesses
Data protection annual compliance checklist
Data protection for businesses
Supporting — topic alignment
98 guidesMentioned in related content
17 guides- AI compliance checklist
- AI compliance for financial services firms
- AI medical device compliance
- AI transparency and explainability obligations
- Age verification for online services
- Annual retail compliance checklist
- Assess your AI compliance obligations
- Children's safety duties under the Online Safety Act
- Conduct a children's access assessment
- Electronic marketing rules (PECR)
Other Acts binding the same actors
For each actor bound by this Act, the other UK Acts that bind them most often. Useful for understanding the full compliance landscape facing each role.
Data Controllers also bound by 7 other Acts (top 5 shown)
- UK GDPR (retained EU law) 2016 336 duties
- Privacy and Electronic Communications Regulations 2003 2003 5 duties
- Human Medicines Regulations 2012 2012 1 duty
- Data Protection (Charges and Information) Regulations 2018 2018 1 duty
- The Waste and Contaminated Land (Northern Ireland) Order 1997 1997 1 duty
Any Person also bound by 749 other Acts (top 5 shown)
- Human Medicines Regulations 2012 2012 110 duties
- Licensing Act 2003 2003 105 duties
- Merchant Shipping Act 1995 1995 97 duties
- Road Traffic Act 1988 1988 95 duties
- Air Navigation Order 2016 2016 86 duties
Directors and Officers also bound by 224 other Acts (top 5 shown)
- Insolvency (England and Wales) Rules 2016 2016 75 duties
- Companies Act 2006 2006 63 duties
- Insolvency Act 1986 1986 46 duties
- CCBSA 2014 2014 22 duties
- CAICEA 2004 2004 18 duties
Contractors also bound by 56 other Acts (top 5 shown)
- Construction (Design and Management) Regulations 2015 2015 360 duties
- The Income Tax (Sub-contractors in the Construction Industry) Regulations 1993 1993 19 duties
- Building Regulations (Northern Ireland) 2000 2000 17 duties
- Building Regulations (Northern Ireland) 2012 2012 15 duties
- Work in Compressed Air Regulations 1996 1996 14 duties
What this Act requires
Sections that create concrete duties on businesses or carry penalties. Procedural and definitional sections are folded into the “Browse other sections” expander at the bottom of each group. Click any section title to read the source text on legislation.gov.uk.
Part 1 — Preliminary
Protection of personal data
Fine up to £17,500,000- Process personal data lawfully, fairly, and transparently Data Controller
Browse 2 other sections in this Part — procedural / definitional / commencement
Part 2 — General processing
Obligations of credit reference agencies
Fine up to £17,500,000- Include specific legal rights statement when responding to data requests Data Controller
Browse 19 other sections in this Part — procedural / definitional / commencement
Lawfulness of processing: public interest etc
Processing in reliance on relevant international law
Special categories of personal data and criminal convictions etc data
Special categories of personal data etc: supplementary
Limits on fees that may be charged by controllers
Power to make further exemptions etc by regulations
Transfers based on adequacy regulations
Transfers based on adequacy regulations: review etc
Standard data protection clauses
Transfers of personal data to third countries etc : public interest
Processing for archiving, research and statistical purposes: safeguards
Definitions
Application of the GDPR to processing to which this Chapter applies
Power to make provision in consequence of regulations related to the GDPR
Manual unstructured data held by FOI public authorities
Manual unstructured data used in longstanding historical research
National security and defence exemption
National security: certificate
National security and defence: modifications to Articles 9 and 32 of the UK GDPR
Part 3 — Law enforcement processing
Overview and general duty of controller
Fine up to £17,500,000- Comply with data protection principles and prove it Data Controller
The second data protection principle
Fine up to £17,500,000- Use law enforcement data only for specified and compatible purposes Data Controller
The third data protection principle
Fine up to £17,500,000- Ensure law enforcement data is adequate, relevant, and not excessive Any Person
The fourth data protection principle
Fine up to £17,500,000- Maintain accurate law enforcement data and verify its quality Data Controller
The fifth data protection principle
Fine up to £17,500,000- Establish data retention limits and review periods for law enforcement data Any Person
The sixth data protection principle
Fine up to £17,500,000- Secure personal data against loss or unauthorized access Any Person
Safeguards: archiving
Fine up to £17,500,000- Do not use archived law enforcement data to make decisions about individuals Data Controller
Safeguards: sensitive processing
Fine up to £17,500,000- Maintain and review a policy for sensitive data processing Data Controller
Right to rectification
Fine up to £17,500,000- Correct or complete inaccurate personal data upon request Data Controller
Right to erasure or restriction of processing
Fine up to £17,500,000- Erase or restrict processing of personal data Data Controller
Rights under section 46 or 47: supplementary
Fine up to £17,500,000- Respond to data rectification, erasure, or restriction requests Data Controller
Restrictions on automated decision-making based on sensitive processing
Fine up to £17,500,000- Do not make significant decisions using only automated sensitive data processing Data Controller
Safeguards for automated decision-making
Fine up to £17,500,000- Provide safeguards for automated decision-making Data Controller
Exercise of rights through the Commissioner
Other duties (1) — Crown / regulator
- ICO must verify if a business's refusal of data rights was lawful Statutory regulator
Form of provision of information etc
Fine up to £17,500,000- Provide personal data in a clear, accessible, and free format Data Controller
Manifestly unfounded or excessive requests by the data subject
Fine up to £17,500,000- Handling unfounded or excessive data subject requests Data Controller
General obligations of the controller
Fine up to £17,500,000- Implement and demonstrate data protection compliance measures Data Controller
Data protection by design and default
Fine up to £17,500,000- Build data protection into your systems and processes by default Data Controller
Joint controllers
Fine up to £17,500,000- Create a formal agreement and contact point with joint data controllers Data Controller
Processors
Fine up to £17,500,000- Use only compliant data processors and maintain written contracts Data Controller
Processing under the authority of the controller or processor
Fine up to £17,500,000- Only process personal data on instructions or for legal duties Data Controller
Records of processing activities
Fine up to £17,500,000- Maintain records of your data processing activities Data Controller
Logging
Fine up to £17,500,000- Maintain and share automated logs of data processing operations Data Controller
Co-operation with the Commissioner
Fine up to £17,500,000- Co-operate with the Information Commissioner's Office (ICO) Data Controller
Data protection impact assessment
Fine up to £17,500,000- Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing Data Controller
Prior consultation with the Commissioner
Fine up to £17,500,000- Consult the ICO before high-risk data processing Data Controller
Security of processing
Fine up to £17,500,000- Implement appropriate security measures for personal data Data Controller
Designation of a data protection officer
Fine up to £17,500,000- Appoint a Data Protection Officer and notify the ICO Data Controller
Position of data protection officer
Fine up to £17,500,000- Support and protect your Data Protection Officer (DPO) Data Controller
Tasks of data protection officer
Fine up to £17,500,000- Ensure your Data Protection Officer performs their statutory tasks Data Controller
General principles for transfers of personal data
Fine up to £17,500,000- Verify legal conditions before transferring law enforcement data abroad Data Controller
Transfers approved by regulations: monitoring
Other duties (1) — Crown / regulator
- Secretary of State must monitor and update approved data transfer lists Crown / Minister / Government department
Subsequent transfers
Fine up to £17,500,000- Control further transfers of law enforcement data abroad Data Controller
Special processing restrictions
Fine up to £17,500,000- Notify international data recipients of UK processing restrictions Data Controller
Browse 31 other sections in this Part — procedural / definitional / commencement
Processing to which this Part applies
Meaning of “competent authority”
“The law enforcement purposes”
Meaning of “controller” and “processor”
Other definitions
The first data protection principle
Further provision about sensitive processing
Overview and scope
... Controller's general duties
Right of access by the data subject
Exemption from sections 44 and 45: legal professional privilege
Right not to be subject to automated decision-making
Automated decision-making authorised by law: safeguards
Automated processing and significant decisions
Further provision about automated decision-making
Meaning of “applicable time period”
Overview and scope
Notification of a personal data breach to the Commissioner
Communication of a personal data breach to the data subject
Codes of conduct
Overview and interpretation
Transfers on the basis of an adequacy decision
Transfers based on adequacy regulations
Transfers approved by regulations
The data protection test
Transfers subject to appropriate safeguards
Transfers based on special circumstances
Additional conditions for transfers in reliance on section 73(4)(b)
National security exemption
National security: certificate
Reporting of infringements
Part 4 — Intelligence services processing
Records of designation notices
Other duties (1) — Crown / regulator
- Secretary of State must notify ICO of designation notices Crown / Minister / Government department
The second data protection principle
Fine up to £17,500,000- Collect and process personal data only for specific, lawful purposes Data Controller
The third data protection principle
Fine up to £17,500,000- Ensure personal data is adequate, relevant, and not excessive Any Person
The fourth data protection principle
Fine up to £17,500,000- Keep all personal data accurate and up to date Any Person
The fifth data protection principle
Fine up to £17,500,000- Keep personal data only for as long as necessary Any Person
The sixth data protection principle
Fine up to £17,500,000- Implement appropriate security measures to protect personal data Any Person
Right of access
Fine up to £17,500,000- Respond to personal data access requests Data Controller
Right of access: supplementary
Fine up to £17,500,000- Provide data subjects with copies of their personal data Data Controller
Right to information about decision-making
Fine up to £17,500,000- Explain the logic behind automated or data-driven decisions upon request Data Controller
Rights to rectification and erasure
Amended 1 timeOverview
Amended 1 timeGeneral obligations of the controller
Fine up to £17,500,000 Amended 2 times- Ensure and demonstrate that your data processing is legal Data Controller
Data protection by design
Fine up to £17,500,000 Amended 1 time- Assess privacy impacts and design data protection into your systems Data Controller
Joint controllers
Fine up to £17,500,000 Amended 2 times- Establish an agreement between joint data controllers Data Controller
Processors
Fine up to £17,500,000 Amended 1 time- Vet and monitor third-party data processors Data Controller
Processing under the authority of the controller or processor
Fine up to £17,500,000 Amended 1 time- Process personal data only on specific instructions or legal grounds Data Controller
Security of processing
Fine up to £17,500,000 Amended 1 time- Implement appropriate security measures to protect personal data Data Controller
Communication of a personal data breach
Amended 3 timesTransfers of personal data outside the United Kingdom
Fine up to £17,500,000 Amended 1 time- Restrict personal data transfers outside the UK Data Controller
National security
Amended 7 timesNational security: certificate
Amended 1 timeOther exemptions
Amended 1 timePower to make further exemptions
Amended 1 timeBrowse 15 other sections in this Part — procedural / definitional / commencement
Processing to which this Part applies
Designation of processing by a qualifying competent authority
Duration of designation notice
Review and withdrawal of designation notice
Appeal against designation notice
Meaning of “controller” and “processor”
Other definitions
Overview
The first data protection principle
Further provision about sensitive processing
Overview
Right to information
Right not to be subject to automated decision-making
Right to intervene in automated decision-making
Right to object to processing
Part 5 — The Information Commissioner
The Information Commissioner
Amended 1 timeThe Information Commission
Amended 1 timeGeneral functions under the UK GDPR and safeguards
Amended 16 timesOther general functions
Amended 10 timesCompetence in relation to courts etc
Amended 4 timesCo-operation between parties to the Data Protection Convention
Amended 6 timesInspection of personal data in accordance with international obligations
2 years imprisonment Amended 4 times- Obstruct or fail to assist the ICO’s inspection powers Any Person
Standard clauses for transfers to third countries etc
Amended 4 timesFurther international role
Amended 9 timesPrincipal objective
Amended 9 timesDuties in relation to functions under the data protection legislation
Amended 9 timesOther duties (1) — Crown / regulator
- ICO must consider innovation and competition when enforcing data laws Statutory regulator
Strategy
Amended 9 timesOther duties (1) — Crown / regulator
- Information Commissioner must publish a data protection strategy Statutory regulator
Duty to consult other regulators
Amended 9 timesData-sharing code
Amended 2 timesOther duties (1) — Crown / regulator
- ICO must produce and maintain a data-sharing code of practice Statutory regulator
Direct marketing code
Fine up to £17,500,000 Amended 2 timesOther duties (1) — Crown / regulator
- ICO must produce and maintain a direct marketing code of practice Statutory regulator
Age-appropriate design code
Amended 3 timesData protection and journalism code
Amended 3 timesOther duties (1) — Crown / regulator
- ICO must produce and maintain a data protection and journalism code Statutory regulator
Other codes of practice
Amended 3 timesOther duties (1) — Crown / regulator
- ICO must prepare codes of practice on personal data processing Statutory regulator
Panels to consider codes of practice
Amended 3 timesImpact assessments for codes of practice
Amended 3 timesOther duties (1) — Crown / regulator
- ICO must conduct impact assessments for codes of practice Statutory regulator
Approval of codes prepared under sections 121 to 124A
Amended 12 timesPublication and review of codes issued under section 125(4)
Amended 2 timesOther duties (1) — Crown / regulator
- Information Commissioner must publish and review codes of practice Statutory regulator
Effect of codes issued under section 125(4)
Amended 2 timesOther codes of practice
Amended 2 timesConsensual audits
Amended 5 timesRecords of national security certificates
Amended 3 timesOther duties (1) — Crown / regulator
- ICO must maintain a public record of national security certificates Statutory regulator
Disclosure of information to the Commissioner
Amended 2 timesConfidentiality of information
Unlimited fine Amended 4 times- Unlawfully disclosing information held by the ICO Contractor
Guidance about privileged communications
Amended 1 timeOther duties (1) — Crown / regulator
- ICO must publish guidance on handling legally privileged information Statutory regulator
Fees for services
Amended 2 timesManifestly unfounded or excessive requests by data subjects etc
Amended 13 timesGuidance about fees
Amended 5 timesOther duties (1) — Crown / regulator
- ICO must publish guidance on fees and consult the Secretary of State Statutory regulator
Charges payable to the Commissioner by controllers
Amended 4 timesRegulations under section 137: supplementary
Amended 2 timesReporting to Parliament
Amended 9 timesOther duties (1) — Crown / regulator
- Information Commissioner must report annually to Parliament Statutory regulator
Analysis of performance
Amended 9 timesOther duties (1) — Crown / regulator
- ICO must publish an annual analysis of its own performance Statutory regulator
Publication by the Commissioner
Amended 3 timesOther duties (1) — Crown / regulator
- Information Commissioner must publish required documents appropriately Statutory regulator
Notices from the Commissioner
Amended 3 timesPart 6 — Enforcement
Information notices
Amended 20 timesInformation notices: restrictions
Amended 9 timesFalse statements made in response to information notices
Unlimited fine Amended 2 times- Make false statement in response to an information notice Any Person
Information orders
Amended 9 timesAssessment notices
Amended 16 timesAssessment notices: approval of person to prepare report etc
Fine up to £17,500,000 Amended 16 times- Nominate a person to prepare an assessment report Data Controller
Assessment notices: restrictions
Amended 5 timesDestroying or falsifying information and documents etc
2 years imprisonment Amended 7 times- Destroy or falsify information after an ICO notice Any Person
Interview notices
Amended 7 timesInterview notices: restrictions
Amended 7 timesFalse statements made in response to interview notices
2 years imprisonment Amended 7 times- Make false statement in response to interview notice Any Person
Enforcement notices
Amended 19 timesEnforcement notices: supplementary
Amended 6 timesEnforcement notices: rectification and erasure of personal data etc
Amended 8 timesEnforcement notices: restrictions
Amended 5 timesEnforcement notices: cancellation and variation
Amended 4 timesPowers of entry and inspection
Amended 2 timesPenalty notices
Fine up to £17,500,000 Amended 14 times- Breach of data protection laws or ICO notices Data Controller
Penalty notices: restrictions
Amended 4 timesMaximum amount of penalty
Amended 10 timesFixed penalties for non-compliance with charges regulations
Amended 3 timesOther duties (1) — Crown / regulator
- Information Commissioner must publish fixed penalty amounts for fee failures Statutory regulator
Amount of penalties: supplementary
Amended 4 timesGuidance about regulatory action
Amended 16 timesOther duties (1) — Crown / regulator
- ICO must publish guidance on its regulatory and enforcement powers Statutory regulator
Approval of first guidance about regulatory action
Amended 6 timesAnnual report on regulatory action
Amended 6 timesRights of appeal
Amended 3 timesDetermination of appeals
Amended 4 timesApplications in respect of urgent notices
Amended 4 timesComplaints by data subjects to controllers
Fine up to £17,500,000 Amended 4 times- Establish and manage a formal data protection complaint process Data Controller
Controllers to notify the Commissioner of the number of complaints
Amended 4 timesComplaints by data subjects
Amended 8 timesOrders to progress complaints
Amended 3 timesCompliance orders
Amended 2 timesCompensation for contravention of the UK GDPR
Amended 3 timesCompensation for contravention of other data protection legislation
Amended 2 timesUnlawful obtaining etc of personal data
2 years imprisonment Amended 3 times- Unlawfully obtain, retain, disclose or sell personal data Any Person
Re-identification of de-identified personal data
2 years imprisonment Amended 4 times- Re‑identify de‑identified personal data without consent Any Person
Re-identification: effectiveness testing conditions
Amended 2 timesAlteration etc of personal data to prevent disclosure to data subject
2 years imprisonment Amended 3 times- Alter data to block a data subject’s access request Data Controller
The special purposes
Amended 5 timesProvision of assistance in special purposes proceedings
Amended 2 timesStaying special purposes proceedings
Amended 2 timesGuidance about how to seek redress against media organisations
Amended 5 timesReview of processing of personal data for the purposes of journalism
Amended 5 timesEffectiveness of the media's dispute resolution procedures
Other duties (1) — Crown / regulator
- Secretary of State must report on media data protection dispute resolution Crown / Minister / Government department
Jurisdiction
Amended 4 timesProcedure in connection with subject access requests
Amended 4 timesInterpretation of Part 6
Amended 4 timesPart 7 — Supplementary and final provision
Regulations and consultation
Amended 14 timesPower to reflect changes to the Data Protection Convention
Amended 5 timesProtection of prohibitions and restrictions etc on processing: relevant enactments
Amended 5 timesProtection of prohibitions and restrictions etc on processing: other enactments
Amended 5 timesProhibition of requirement to produce relevant records
2 years imprisonment Amended 4 times- Require a relevant record from another person Any Person
Avoidance of certain contractual terms relating to health records
Amended 3 timesProtection of data subject’s rights
Amended 8 timesProtection of data subject’s rights: further provision
Amended 8 timesRepresentation of data subjects with their authority
Amended 17 timesRepresentation of data subjects with their authority: collective proceedings
Amended 2 timesDuty to review provision for representation of data subjects
Amended 5 timesPost-review powers to make provision about representation of data subjects
Amended 2 timesFramework for Data Processing by Government
Amended 2 timesApproval of the Framework
Amended 2 timesPublication and review of the Framework
Amended 1 timeOther duties (1) — Crown / regulator
- Secretary of State must publish and review the Data Processing Framework Crown / Minister / Government department
Effect of the Framework
Fine up to £17,500,000 Amended 2 times- Follow official guidance when processing personal data Any Person
Reserve forces: data-sharing by HMRC
2 years imprisonment Amended 1 time- Unlawfully disclose reserve force member contact details Any Person
Penalties for offences
Unlimited fine Amended 3 times- Commit certain data‑protection offences Any Person
Prosecution
Amended 4 timesLiability of directors etc
Unlimited fine Amended 1 time- Be liable as director for a data protection offence Director or Officer
Recordable offences
Amended 2 timesGuidance about PACE codes of practice
Amended 2 timesOther duties (1) — Crown / regulator
- ICO must publish guidance on police and criminal evidence codes Statutory regulator
Disclosure of information to the Tribunal
Amended 2 timesProceedings in the First-tier Tribunal: contempt
Amended 3 timesTribunal Procedure Rules
Amended 3 timesMeaning of “health professional” and “social work professional”
Amended 6 timesGeneral interpretation
Amended 18 timesIndex of defined expressions
Amended 17 timesTerritorial application of this Act
Amended 10 timesChildren in Scotland
Amended 1 timeApplication to the Crown
Amended 9 timesApplication to Parliament
Amended 2 timesMinor and consequential provision
Amended 1 timeTransitional provision
Amended 4 timesExtent
Amended 2 timesBrowse 2 other sections in this Part — procedural / definitional / commencement
Commencement
Short title
Schedules
Browse 10 other Schedules — structural / supplementary
Exemptions etc from the UK GDPR : disclosure prohibited or restricted by an enactment
Accreditation of certification providers: reviews and appeals
The applied GDPR and the applied Chapter 2
Competent authorities
Conditions for processing under Part 4
Co-operation and mutual assistance
Powers of entry and inspection
Review of processing of personal data for the purposes of journalism
Transitional provision etc
The Information Commission
Other sections — not classified into a Part
These sections exist in the Act but the contents-of-Parts walker did not place them under a Part. Likely amendments or sections inserted out of the original Part structure.
Browse 1 other unclassified section
Processing in reliance on relevant international law
Official guidance
Authoritative sources published by regulators or government explaining this legislation.
- Ofcom: telecoms regulation (opens in a new tab) from Ofcom Detailed Guidance
- HSE: workplace transport (opens in a new tab) from HSE Detailed Guidance
- HSE: waste and recycling (opens in a new tab) from HSE Detailed Guidance
- HSE: veterinary risks (opens in a new tab) from HSE Detailed Guidance
- HSE: managing crowds safely (opens in a new tab) from HSE Detailed Guidance
- ICO: video surveillance (including CCTV) (opens in a new tab) from ICO Detailed Guidance
- HSE: lone working (opens in a new tab) from HSE Detailed Guidance
- ICO: research and statistics (opens in a new tab) from ICO Detailed Guidance
- HSE: managing health and safety (opens in a new tab) from HSE Detailed Guidance
- ICO: lawful basis for processing (opens in a new tab) from ICO Detailed Guidance
- ... and 170 more
Enforcement and responsible bodies
The regulators that administer or enforce this legislation.
ICO
PrimaryInformation Commissioner's Office
Data protection, freedom of information, privacy and electronic communications regulation. Enforces UK GDPR and Data Protection Act 2018. Issues fines for breaches. …
Solicitors Regulation Authority
Regulates solicitors and law firms in England and Wales. Sets standards, authorises firms, investigates misconduct, and can impose sanctions including fines and …
Legal Services Board
Oversight regulator for legal services in England and Wales. Supervises approved regulators including SRA, Bar Standards Board, and CILEx. Ensures regulation serves …
Regulation and Quality Improvement Authority
Independent regulator for health and social care services in Northern Ireland. Registers and inspects hospitals, care homes, dental practices, and other care …
Government department responsible for protecting, expanding, and promoting the sustainable management of woodlands in England. Issues felling licences, administers woodland creation grants, …
Connected legislation
9 statutory instruments
These instruments amend, apply, or refer to this Act. They may not all create direct business obligations.
Secondary legislation (9)
- The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 2022
- The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 2024
- The Data Protection Act 2018 (Commencement No. 2) Regulations 2019 2019
- The Data Protection Act 2018 (Commencement No. 3) Regulations 2019 2019
- The Data Protection Act 2018 (Transitional Provision) Regulations 2023 2023
- The Data Protection (Charges and Information) (Amendment) Regulations 2019 2019
- The Data Protection (Charges and Information) (Amendment) Regulations 2025 2025
- The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 2023
- The Privacy and Electronic Communications (Amendment) Regulations 2018 2018
Explore more
Browse legislation
Find other UK business legislation with related guidance.
Regulators
Learn more about the bodies that enforce this legislation.