The UK General Data Protection Regulation (UK GDPR), retained from EU law after Brexit and supplemented by the Data Protection Act 2018, continues to be the primary framework governing how UK businesses collect, store, and process personal data. While the core principles haven't changed since 2018, enforcement has matured, ICO guidance has been updated, and there are practical lessons learned that every SME should be aware of heading into 2026.
This article covers the key areas that UK SMEs need to focus on — not the theoretical aspects you'll find in a law firm's newsletter, but the practical, actionable steps that will keep your business compliant and reduce your risk.
UK GDPR vs EU GDPR: Where Things Stand
Since Brexit, the UK operates under its own UK GDPR — a retained version of the EU regulation that is largely identical. The UK has an adequacy decision from the EU (extended through June 2025 and periodically reviewed), which means personal data can still flow freely between the UK and EEA countries for now.
The UK Government's Data Protection and Digital Information Act (DPDI Act), which received Royal Assent in 2024, introduced some modifications to the UK GDPR framework. Key changes include:
- Legitimate interest clarification: The Act specifies certain processing activities that are considered to be in the legitimate interest of the controller, reducing ambiguity for businesses. This includes processing for the purposes of direct marketing to existing customers, processing for internal business administration, and certain types of data sharing within a corporate group.
- Subject Access Requests (SARs): Organisations can now refuse or charge a reasonable fee for SARs that are "vexatious or excessive" (previously "manifestly unfounded or excessive"). The threshold has been slightly lowered to reduce the burden on businesses facing weaponised SARs.
- Record keeping: The requirement to maintain a Record of Processing Activities (ROPA) has been relaxed for organisations that only process personal data occasionally and where the processing is unlikely to result in a risk to individuals. However, most businesses that process customer, employee, or client data regularly will still need to maintain one.
- Cookie consent: The Act narrows the scope of cookies requiring consent, allowing certain analytics and functionality cookies to be set without explicit opt-in, provided they don't pose a risk to individuals' privacy. However, marketing and tracking cookies still require consent.
Important
If your business processes data of individuals in the EU (e.g., you have EU customers or clients), you must still comply with the EU GDPR for that data, regardless of the UK changes. Many UK businesses need to comply with both frameworks.
What the ICO Is Focusing On
The Information Commissioner's Office (ICO) has been increasingly transparent about its enforcement priorities. Based on recent actions, published guidance, and strategic communications, here's what they're paying closest attention to:
1. Data Breach Reporting
Under UK GDPR, you must report qualifying personal data breaches to the ICO within 72 hours of becoming aware of them. A qualifying breach is one that poses a risk to individuals' rights and freedoms. The ICO has noted that many businesses still fail to report breaches within the required timeframe, or fail to report them at all.
Practical step: Ensure you have a documented breach response process. Know who is responsible for assessing a breach, who decides whether to report it, and have the ICO's breach reporting tool bookmarked. The 72-hour clock starts when you become aware — not when you've finished investigating.
2. International Data Transfers
If you use US-based cloud services (Microsoft, Google, AWS, Salesforce, HubSpot, Mailchimp, etc.), you're transferring personal data outside the UK. The UK has recognised the US as an adequate destination under the UK-US Data Bridge (the UK equivalent of the EU-US Data Privacy Framework), which provides a legal mechanism for these transfers — but only where the US recipients are certified under the framework.
Practical step: Check that your US-based service providers are certified under the relevant data privacy framework. Most major providers are, but you should verify rather than assume. Document this in your Record of Processing Activities.
3. Marketing Consent (PECR)
The Privacy and Electronic Communications Regulations (PECR) sit alongside UK GDPR and govern electronic marketing — emails, texts, and automated calls. The ICO has consistently been active in this area, issuing fines for unsolicited marketing communications. The rules are straightforward: for B2C marketing, you need explicit opt-in consent. For B2B marketing, a "soft opt-in" applies if there's an existing customer relationship and you offer an opt-out, but cold B2B email marketing without consent is not compliant.
Practical step: Audit your marketing lists. Remove anyone who hasn't explicitly opted in (B2C) or doesn't have a qualifying existing relationship (B2B). Ensure every marketing email has a clear, working unsubscribe link.
4. Employee Data
Employers hold significant volumes of personal data about their staff — payroll details, health information, performance reviews, monitoring data. The ICO has published updated employment practices guidance covering employee monitoring, particularly relevant in the hybrid working era. Remote monitoring tools, keystroke logging, screenshot capture, and location tracking all require careful justification under data protection law.
Practical step: If you use any employee monitoring tools, conduct a Data Protection Impact Assessment (DPIA) before deployment. Inform employees what you monitor, why, and how long data is retained. Monitoring must be proportionate — blanket keystroke logging of all employees is unlikely to be justifiable.
The ICO's Approach to SMEs
The ICO has generally taken a measured approach to SME enforcement, focusing fines and formal actions on larger organisations, repeat offenders, and egregious cases. For genuine first-time compliance issues in small businesses, the ICO typically provides advice, guidance, and warnings before escalating to enforcement action.
However, this doesn't mean SMEs can ignore their obligations. The ICO has fined small businesses and sole traders, particularly for:
- Sending bulk marketing emails without consent (PECR violations)
- Failing to register with the ICO (a legal requirement for most businesses that process personal data — annual fee is £40–£2,900 depending on size and turnover)
- Failing to respond to Subject Access Requests within the one-month deadline
- Data breaches resulting from basic security failures (no encryption, weak passwords, no access controls)
Practical GDPR Compliance Checklist for SMEs
Here are the concrete steps every UK SME should take to maintain compliance:
- Register with the ICO: Most businesses that process personal data must pay the data protection fee. Check the ICO's self-assessment tool to determine your fee tier and ensure your registration is current.
- Maintain a Record of Processing Activities: Document what personal data you collect, why, how long you keep it, who you share it with, and what legal basis you rely on. This doesn't need to be complex — a spreadsheet is fine for most SMEs.
- Update your privacy notice: Your website privacy policy must accurately reflect your current data processing activities. Review it whenever you add a new service, tool, or data processing activity.
- Implement data retention schedules: Don't keep personal data longer than necessary. Define retention periods for each category of data (customer records, employee files, financial data) and delete data when it's no longer needed.
- Secure personal data: Implement appropriate technical and organisational measures — encryption for data at rest and in transit, access controls, strong passwords/MFA, regular security updates, and staff training.
- Have a breach response plan: Know what constitutes a breach, who assesses it, and how to report to the ICO if required. Include template communications for notifying affected individuals if necessary.
- Review third-party processors: Ensure you have Data Processing Agreements (DPAs) in place with any third party that processes personal data on your behalf (payroll providers, CRM vendors, email marketing platforms, cloud hosting providers). Most SaaS providers have standard DPAs available.
- Handle SARs promptly: Have a process for receiving, verifying, and responding to Subject Access Requests within one calendar month. Know how to verify the requester's identity and what exemptions may apply.
- Train your staff: Staff handling personal data should understand the basics: what personal data is, how to handle it securely, how to recognise a breach, and who to report concerns to. Annual refresher training is good practice.
- Review and repeat: GDPR compliance isn't a one-time project — it's an ongoing process. Review your data processing activities, privacy notices, and security measures at least annually.
ICO Registration Reminder
The most common "offence" for UK SMEs is simply failing to pay the annual ICO data protection fee. It's legally required for most businesses and costs £40/year for micro organisations (fewer than 10 staff, turnover under £632k) or £60/year for small/medium organisations. You can register and pay at ico.org.uk.
The Cost of Getting It Wrong
While the maximum fines under UK GDPR are £17.5 million or 4% of global turnover (whichever is greater), these headline figures apply to the most serious violations by large organisations. For SMEs, the realistic consequences of non-compliance include:
- ICO fines: Typically £5,000–£100,000 for SMEs, though potentially higher for serious failures
- Enforcement notices: The ICO can issue binding orders requiring you to change your data processing practices
- Reputational damage: ICO enforcement actions are published publicly. Clients, especially in B2B, will check
- Loss of business: Increasingly, enterprise clients require demonstrable GDPR compliance from their suppliers. Non-compliance means you fail the procurement process before the conversation starts
- Compensation claims: Individuals can claim compensation for distress caused by data protection failures — and no-win-no-fee law firms actively advertise for data breach claims
Summary
UK GDPR compliance in 2026 is fundamentally about the same things it's been about since 2018: knowing what personal data you hold, protecting it properly, being transparent about how you use it, and respecting individuals' rights. The DPDI Act has made some practical improvements for businesses, but the core obligations remain.
For most SMEs, the biggest risks are the basics: failing to register with the ICO, not having a breach response plan, sending marketing emails without consent, and neglecting security fundamentals. Get these right, and you'll be well ahead of most of your peers.
Need Help with Data Protection?
We help UK businesses implement the technical security measures required by UK GDPR — from encryption and access controls to breach response procedures and staff security training.
Farsight