
The UK Market: A legal guide for business entry & growth
Data protection

Data protection: The essentials at a glance
The key data protection legislation in the UK is the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These rules apply whether you’re based in the UK or simply targeting UK customers.
The UK requirements are very similar to those of the EU regime, but there are some changes afoot. The Data (Use and Access) Act 2024 (DUA Act) received Royal Assent on 19 June 2025, simplifying some obligations and reducing the burden of compliance in certain areas.

You can’t process personal data without a valid lawful basis. The UK GDPR sets out six options:
- Consent.
- Necessary for performance of a contract.
- Compliance with the law.
- Protection of someone’s life.
- Performing a task in the public interest.
- Legitimate interests of the organisation or third parties.
Sensitive data, such as racial or ethnic origin, political or religious opinions and health data, gets greater protection. You can only process this type of information if you meet one of several specific conditions.
Tip: The UK’s privacy regulator, the Information Commissioner’s Office (ICO), has published a handy guide to lawful basis to help you choose the right option.
UK GDPR sets out seven core data protection principles. These aren’t just a box-ticking exercise – they are the foundation of good data protection practice:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
Failure to comply with the legislation can lead to substantial fines of up to £17.5 million or 4% of an organisation’s total worldwide annual turnover, whichever is higher. More information is available on the ICO’s website: Data protection principles - guidance and resources.
Both controllers (those deciding how and why data is used) and processors (those acting on a controller’s instructions) have responsibilities. Controllers must have binding contracts in place with processors, and those contracts have compulsory provisions as set out in UK GDPR.
If you’re unsure what your role is, the ICO has clear guidance for both controllers and processors.
See: What does it mean if you are a controller? | ICO and What does it mean if you are a processor? | ICO.
Under UK GDPR, individuals have various rights relating to their personal data, such as:
- The right to be informed about how their data is being used.
- The right to access their personal data.
- The right to request data processing restrictions.
You need to make sure these rights are exercised effectively. The ICO’s guide to individual rights offers practical guidance.
Since personal data transferred out of the UK may lose the protection of UK legislation, UK GDPR has rules about international transfers. These include:
- Making sure transfers are covered by UK ‘adequacy regulations’ (where the recipient country or territory provides ‘adequate protection’).
- Using appropriate safeguards, such as binding corporate rules or standard data protection clauses.
- Applying for one of the eight exceptions listed in the UK GDPR (including whether the transfer is necessary for the performance of a contract).
The EU GDPR adequacy decision allows personal data to be transferred from the EU into the UK. This EU decision is set to expire in December 2025 (following an extension from June 2025), to allow for consideration of the changes made by the newly enacted DUA Act.

