, or the UK General Data Protection Regulation, is essentially the EU GDPR as it was at the end of the Brexit transition period, retained in UK law. It works alongside the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR) to set the framework for our obligation to be a good steward of the personal data we process about others. It also gives rights to data subjects to hold us accountable for our compliance. The Data (Use and Access) Act 2025 will, over a transitional period, make various changes to data protection law. For simplicity we refer below to the general suite of data protection legislation as '.
For the most part and with a little care, you can ensure you are compliant with , as it seeks to enforce ways of working that have been standard practice in law firms for years. However, there are some points that go further and therefore do require particular action. is enforced by the Information Commissioner's Office (ICO), soon to become the Information Commission, which has produced reams of guidance. For further details, you should take a look at this. The summary set out below is deliberately not a full explanation of the rules; rather, it highlights the key actions you must take to comply. (In the Isle of Man the rules do differ a little, but compliance with is more onerous and thus accepted by the Information Commissioner in the Isle of Man.)
Failure to comply could lead to liability for the firm and for you personally. If you have any concerns that you might have breached , then contact the Corporate Counsel.