Jurisdiction(s):
United Kingdom

Domestic law (UK GDPR) meaning

What does Domestic law (UK GDPR) mean?
In UK data protection practice, domestic law refers to the UK legal rules that interact with, implement or supplement the UK GDPR in day‑to‑day compliance. For UK GDPR purposes, domestic law means the law of the United Kingdom or of a part of the United Kingdom. The term appears where the EU GDPR referred to “Member State law”, for example:
- Article 6(1)(c) legal obligation and Article 6(1)(e) public task/official authority bases, which must be grounded in domestic law.
- Article 9 and Article 10 conditions and safeguards for special category and criminal‑offence data, largely provided by the Data Protection Act 2018 (including Schedule 1) and other UK or devolved legislation.
- Article 23 restrictions and sector‑specific provisions adopted by domestic law.

Domestic law covers Acts of Parliament, Acts of the Scottish Parliament and Senedd Cymru, Northern Ireland legislation, subordinate legislation and applicable common law. Usage is consistent across England and Wales, Scotland and Northern Ireland; which part applies depends on competence and forum.

Ireland: the UK GDPR does not apply. The parallel concept under the EU GDPR is “Member State law”, i.e. Irish law, which serves the same functional role for Irish controllers and processors.

View the related Checklists about Domestic law (UK GDPR)

CHECKLISTS
UK GDPR compensation claims: practitioner checklist on scope, breach and damage, defendants, limitation, Pre-Action Protocol, ICO/DSAR evidence, exemptions, group actions, Media and Communications List, privacy claims and ADR

This Checklist summarises guidance on pursuing a ‘UK GDPR claim’. It draws on the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), together with the Data Protection Act 2018 (DPA 2018) legislation. Where the EU has jurisdiction, proceedings are governed by the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR). UK data protection rules—most notably Assimilated Regulation (EU) 2016/679 (UK GDPR)—originate to a large extent from EEA data protection frameworks and, as a result, generally rest on comparable principles, although some provisions differ slightly in detail. In the UK, ‘assimilated law’ denotes retained EU law (REUL) that continues to have effect after the end of 2023 and remains in force, for example the UK GDPR legislation. Re-labelling REUL (and related terminology) as assimilated law signals a shift in its status and handling in UK law, in practice, meaning it is now generally construed by reference to ordinary domestic legal standards and principles...

CHECKLISTS
Participant Information Sheets in UK clinical research: legal, ethical and UK GDPR compliance checklist for CTIMPs and non-CTIMPs

Checklist

This Checklist sets out the practical actions for creating, drafting and quality-checking a Participant Information Sheet (PIS) for UK clinical research. It describes what the PIS is for and how it works, and gives hands-on advice on the essential components, addressing content and presentation alongside layout, format and style. The Checklist also explains how the PIS should meet obligations under UK data protection law, including the transparency duties in the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). It is suitable for any study involving human participants, with particular emphasis on clinical trials of investigational medicinal products (CTIMPs). A clinical trial is a study in human subjects intended to identify or confirm the effects of an adverse reaction to a medicinal product. In the UK, such trials are governed by the Medicines for Human Use (Clinical Trials) Regulations 2004 (MHU(CT)R 2004), SI 2004/1031, which transposed EU Directive 2001/20/EC, the Clinical Trial Directive (CTD), into domestic law. These rules create a legal framework designed to...

CHECKLISTS
Trustees: UK GDPR and DPA 2018 compliance checklist—duties, processing, privacy notices, SARs, retention, DPOs, international transfers and Brexit

This Checklist supports trustees in reviewing and adapting their working practices concerning the personal information they gather, handle and continue to retain about settlors, protectors, beneficiaries and other individuals associated with the trust. For a comprehensive introduction to Retained Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), drawing together key practical guidance, see the UK data protection law collection. ‘Assimilated law’ is the term now used for retained EU law (REUL) that remains in effect after the end of 2023. Re-classifying REUL (and related terminology) as assimilated law indicates a shift in its standing and treatment under UK law, meaning it is generally interpreted by reference to ordinary domestic law and principles. From 1 January 2024, REUL becomes ‘assimilated’ into domestic law because it is, in broad terms, divested of EU-derived interpretive effects, such as the supremacy of EU law, directly effective rights, and general principles that were previously preserved under the EU(W)A 2018.

Understand duties and obligations under the UK GDPR

The initial priority...


View the related News about Domestic law (UK GDPR)

NEWS
Weekly corporate crime update: ECCTA information-sharing guidance, CrimPR and Privy Council rule changes, OTSI launch, APP fraud reimbursement rules, SFO, FCA, HSE actions—10 October 2024

In this issue:
- Investigating criminal conduct
- Criminal procedure and evidence
- Proceeds of crime
- Bribery, corruption, sanctions and export controls
- Consumer protection and cartels
- Environmental offences
- Financial services and pensions offences
- Food safety and hygiene offences
- Fraud, forgery, tax and theft offences
- Health and safety and corporate manslaughter offences
- International
- Daily and weekly news alerts
- New and updated content
- Dates for your diary
- Trackers
- Useful information

Investigating criminal conduct

Home Office issues guidance on Economic Crime and Corporate Transparency Act

The Home Office has released guidance on the information-sharing measures in the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023). It outlines provisions to help ensure businesses comply with the new measures, together with practical points for organisations, including arrangements for cross-sector sharing, obligations for law enforcement reporting, UK General Data Protection Regulation (GDPR) compliance, and customer redress. See: LNB News 04/10/2024 39.

Criminal procedure and evidence...

NEWS
Information law highlights: Data Bill final stages, ICO encryption consultation, EDPB adequacy opinions, TikTok transfers, Illiquidx ruling, enterprise IoT security

In this issue:
- Data protection
- Confidential information
- Cybersecurity
- LexTalk®Information Law: a Lexis®Nexis community
- Daily and weekly news alerts
- New and updated content

Data protection

Parliament considers Data Bill amendments in final legislative stages

As of 8 May 2025, the Data (Use and Access) Bill is in its final parliamentary stage. Backed by the Department for Science, Innovation and Technology (DSIT), it brings wide reforms to data regulation, including new rules on customer data access, privacy standards, and establishing an Information Commission. The Bill also spans electronic trust services, biometric data retention, and information sharing for public services. Introduced in the House of Lords in the 2024–25 session, it has completed its first passage through both Houses. See: LNB News 08/05/2025 38.

DSIT opens user engagement for 2026 UK Business Data Survey

DSIT has launched a user engagement exercise for the 2026 UK Business Data Survey (UKBDS). The survey explores how businesses handle personal and non-personal...

NEWS
UK immigration update: HC 556 ends Ukraine Family Scheme, bars care worker dependants; Ukraine renewals and sponsor changes; domestic abuse concession widened; The3million and ARAP rulings; right to work enforcement

In this issue:
- Key developments
- UK immigration control: how it works
- Family members under Part 8 and Appendix FM
- Challenging immigration decisions and enforcement
- Preventing illegal working
- Daily and weekly news alerts
- New and updated content

Key developments

Future developments—Immigration calendar

Please note our Immigration calendar outlines significant upcoming developments for business immigration advisers.

UK immigration control: how it works

Statement of Changes HC 556 stops careworkers from bringing dependants and ends Ukraine Family Scheme

On 19 February 2024, the Home Office published a Statement of Changes in the Immigration Rules, HC 556, accompanied by an Explanatory Memorandum (EM). It delivers expected amendments concerning dependants of careworkers and senior careworkers within the Skilled Worker/Health and Care visa pathway, and introduces several unexpected, immediate revisions to the Ukraine Schemes, notably closing the Ukraine Family Scheme from 3 pm on 19 February, with immediate effect. See: LNB News 19/02/2024 45...


View the related Practice Notes about Domestic law (UK GDPR)

PRACTICE NOTES
Negotiating UK GDPR Article 28(3)(g) controller–processor clauses on end-of-processing data deletion or return: drafting, timing, security, format, retention-by-law exceptions and confirmation

Practice Note

This Practice Note sits within the Data Protection Negotiation Guide (Guide). This section covers negotiating clauses on erasure and handback of personal data once processing ends in agreements between controllers and processors that are subject to the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). For an introduction to the Guide, see Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note uses a number of common abbreviations, which are defined separately in that introduction.

As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction:
- the parties may commercially apportion the costs and expenses of fulfilling these obligations between themselves
- there are notable similarities between the UK GDPR and the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), and the Guide concentrates on the position under the UK GDPR. For information about the background to the UK GDPR and its relationship with the EU GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR)—Summary of...

PRACTICE NOTES
UK data protection—data subject compensation claims: key cases, trends and awards (2012–2025)

Practice Note

This Practice Note sets out leading judgments of the High Court, Court of Appeal and Supreme Court under the law of England and Wales, handed down since 2012, concerning compensation claims by data subjects for breaches of one or more of the following UK data protection laws:
- the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), together with related provisions of the Data Protection Act 2018 (DPA 2018)

Assimilated law is the label given to retained EU law (REUL) that remains in force after the end of 2023, such as the UK GDPR. The re-categorisation of REUL (and associated terms) as assimilated law marks a change in its status and treatment under UK law, in that it is generally to be interpreted according to ordinary domestic law and principles. From 1 January 2024, REUL is ‘assimilated’ into domestic law because it is generally stripped of EU-derived interpretative effects (eg supremacy of EU law, directly effective rights, and...

PRACTICE NOTES
Photographs and Image Rights as Personal Data under the UK Data Protection Act 1998: Principles, Sensitive Data, Media Exemptions, Case Law and Remedies (Archived pre-GDPR)

ARCHIVED

This archived Practice Note outlines the data protection regime in force before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). It is provided for background only and is not maintained.

What is meant by image?

Two forms of image are discussed in this Practice Note, both relevant to data protection:
- The likeness of a person’s physical features and the factual circumstances of their proximity (for example, a photograph or picture)—the ontic definition.
- How a person is conceived in the public mind—the ontological definition.

For a comprehensive introduction to the GDPR, collating key practical guidance, see: UK data protection law collection.

Data protection

The aim of data protection law is to ensure that anyone processing personal data for purposes other than purely domestic ones is subject to regulation. The rationale for such regulation is outside the scope of this Practice Note. Under the DPA 1998, personal data are information relating to...


View the related Precedents about Domestic law (UK GDPR)

PRECEDENTS
UK GDPR: 2021 EU SCCs with ICO UK Addendum, Module 4 processor to controller, for international transfers where processor combines data with personal data collected by it in the UK

FORTHCOMING CHANGE

On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, thereby transforming into the Data (Use and Access) Act 2025 (DUAA 2025) and taking partial effect immediately on that same day. Parts 5 and 6 modify elements of UK data protection and ePrivacy law across the domestic framework, expressly covering the United Kingdom General Data Protection Regulation, the Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, as relevant measures. Some DUAA 2025 measures, addressing issues like handling data subject access requests and granting authority to make further regulations, also commenced straightaway on 19 June 2025 without delay. Other elements, relating to notices from the Information Commissioner and certain facets of law enforcement processing, take effect on 19 August 2025 (two months after Royal Assent was given). Most DUAA 2025 provisions depend on subsequent regulations (as statutory instruments) being made before they commence and, until then, remain dormant...
