RegSpace
EU/UK regulation: General Data Protection Regulation (EU) 2016/679 and the UK GDPR / Data Protection Act 2018

GDPR and UK GDPR Compliance, Tracked and Mapped to Your Policies

Stay on top of EU GDPR (2016/679), the UK GDPR and the Data Protection Act 2018, including the Data (Use and Access) Act 2025 changes. RegSpace monitors the regulators, scores your policies against the law, and keeps your RoPA, DPIA and risk registers in one place.

What is GDPR?

The General Data Protection Regulation (EU) 2016/679 is the European Union's data protection law, in force since 25 May 2018, governing how organisations process the personal data of individuals in the EU. After Brexit the UK retained an equivalent regime, the UK GDPR, sitting alongside the Data Protection Act 2018 and enforced by the Information Commissioner's Office (ICO). The two frameworks share the same core principles and structure but are now diverging: the UK Data (Use and Access) Act 2025 amends the UK GDPR, the DPA 2018 and PECR with changes phasing in through 2026.

Who does GDPR apply to?

GDPR and UK GDPR reach far beyond EU and UK borders. They apply to controllers and processors handling personal data, including organisations outside Europe that target or monitor people in the EU or UK.

  • Controllers established in the EU or UK that determine the purposes and means of processing personal data
  • Processors (including SaaS, hosting and outsourcing vendors) acting on a controller's instructions, who carry direct GDPR obligations
  • Non-EU/UK organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU or UK (extra-territorial scope, Art 3)
  • Organisations whose core activities involve large-scale or special-category processing, which may need to appoint a Data Protection Officer (Art 37)
  • Vendors and sub-processors in the supply chain, who inherit flow-down contractual and security duties via data processing agreements (Art 28)
  • Marketing, analytics and adtech operators who must also reconcile GDPR with the ePrivacy / PECR cookie and direct-marketing rules

Key GDPR obligations

Lawful basis and the data protection principles

Every processing activity needs a lawful basis under Article 6 (consent, contract, legal obligation, vital interests, public task or legitimate interests), with extra conditions under Article 9 for special-category data. Processing must also satisfy the Article 5 principles, including purpose limitation, data minimisation, accuracy and accountability.

Data subject rights

Individuals can exercise rights of access, rectification, erasure, restriction, portability and objection (Arts 12 to 22), generally within one month. The UK regime is moving to a 'reasonable and proportionate' search standard and a 'stop the clock' rule for clarifying requests under the Data (Use and Access) Act 2025.

Records of Processing Activities (RoPA, Art 30)

Controllers and processors must maintain written records of their processing activities, covering purposes, categories of data and data subjects, recipients, transfers, retention and security measures. This RoPA is the backbone an auditor or regulator will ask for first.

Security of processing (Art 32)

Implement appropriate technical and organisational measures proportionate to the risk, such as encryption, pseudonymisation, resilience and a process for regularly testing and evaluating those controls.

Personal data breach notification (Arts 33 and 34)

Notify the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights and freedoms, and notify affected individuals directly where that risk is high.

Data Protection Impact Assessments (DPIA, Art 35)

Carry out a DPIA before processing that is likely to result in a high risk to individuals, for example large-scale special-category processing, systematic monitoring or new technologies, and consult the supervisory authority where residual high risk remains (Art 36).

Accountability, transfers and governance

Demonstrate compliance through documented policies, privacy notices (Arts 13 and 14), processor contracts (Art 28), a lawful transfer mechanism for international transfers (Chapter V), and, where required, a Data Protection Officer (Art 37).

Key dates

  • 25 May 2018
    EU GDPR (2016/679) became applicable across the EU, replacing the 1995 Data Protection Directive.
  • 1 January 2021
    End of the Brexit transition period; the UK GDPR and Data Protection Act 2018 became the standalone UK regime, enforced by the ICO.
  • 19 June 2025
    The UK Data (Use and Access) Act 2025 received Royal Assent, amending the UK GDPR, DPA 2018 and PECR. Most substantive duties commence later via regulations rather than on assent.
  • 5 February 2026
    Main UK data-protection package commences (SI 2026/82): recognised legitimate interests, the new Article 22A to 22D automated-decision regime, the DSAR 'reasonable and proportionate' and 'stop the clock' changes, PECR cookie-consent exemptions, the charity soft opt-in, and higher PECR fines aligned to UK GDPR levels.
  • 19 June 2026
    Deferred UK duty to facilitate and handle data-protection complaints (DPA 2018 s.164A, inserted by DUAA s.103), with Article 12 signposting of that internal complaint route.

How RegSpace helps with GDPR

Draft, source-linked intelligence for your team to review. Not legal advice.

Watcher

Monitors, on a weekly cycle, the regulators and legislative trackers that touch you (including the ICO, EU bodies and the Data (Use and Access) Act 2025 commencement timeline) and drafts a source-linked digest of what changed. Where a change hits a policy you have published, it produces a DOCX redline in track changes for your counsel to review.

Assessor

Scores your uploaded privacy notice, data protection policy, RoPA and related documents against the GDPR and UK GDPR corpus, showing exactly which obligations are covered, partially covered or missing, together with an overall gap score, so you can prioritise remediation.

GRC Workspace

Gives you the registers GDPR expects in one place: a RoPA / processing-activities register, a risk register with a 5x5 matrix, a controls library, incidents, DPIAs, cookies, assets and vendors, plus a review and approval workflow, tickets and dashboards.

Privacy Inspector toolkit

Scores vendor and third-party risk for your processors and sub-processors and reconciles your published privacy notice against what your registers actually record, surfacing mismatches before an auditor or data subject does.

Profiler

Builds your compliance profile by crawling your website and classifying the policies it finds, then hands it to your counsel to review and edit, so your GDPR programme starts from an accurate picture of what you have published.

GDPR FAQ

Who does GDPR apply to?

GDPR applies to controllers and processors that process the personal data of individuals in the EU. Through its extra-territorial scope (Art 3), it also catches organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. The UK GDPR applies the same logic to individuals in the UK.

What is the difference between EU GDPR and UK GDPR?

They share the same core principles and structure. After Brexit the UK retained GDPR as the UK GDPR, sitting alongside the Data Protection Act 2018 and enforced by the ICO. The two are now diverging: the UK Data (Use and Access) Act 2025 amends the UK GDPR, DPA 2018 and PECR, with most changes phasing in during 2026.

What is a RoPA and is it mandatory?

A Record of Processing Activities (Article 30) is a written record of your processing, covering purposes, data and data-subject categories, recipients, transfers, retention and security measures. Controllers and processors generally must maintain one; it is usually the first document a regulator or auditor asks to see. RegSpace provides a RoPA register inside the GRC Workspace.

What is the GDPR breach notification deadline?

You must notify the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals (Art 33). Where the risk to individuals is high, you must also notify the affected individuals directly without undue delay (Art 34).

When is a DPIA required under GDPR?

A Data Protection Impact Assessment (Article 35) is required before processing likely to result in a high risk to individuals, such as large-scale processing of special-category data, systematic monitoring of a public area, or use of new technologies. If a high residual risk remains after mitigation, you must consult the supervisory authority before processing (Art 36).

How does the UK Data (Use and Access) Act 2025 change GDPR?

It amends the UK GDPR, DPA 2018 and PECR rather than replacing them. Key changes commencing 5 February 2026 (SI 2026/82) include recognised legitimate interests, the new Article 22A to 22D automated-decision regime, 'reasonable and proportionate' DSAR searches with a 'stop the clock' rule, PECR cookie-consent exemptions and higher PECR fines. A new complaints-handling duty (DPA 2018 s.164A) is deferred to 19 June 2026.

Does RegSpace make my organisation GDPR compliant?

No. RegSpace produces draft regulatory intelligence, gap analysis and register tooling for your qualified counsel to review. Every digest item is source-linked. RegSpace does not provide legal advice, does not form a lawyer-client relationship, does not file anything with a regulator, and does not guarantee compliance or replace your legal team.

Stay ahead of GDPR changes, automatically.

RegSpace monitors the regulators that touch you, scores your policies against the law, and drafts the redlines. Every claim cited, every output lawyer-reviewed.