Data Protection & GDPR
Beta v0.2UK GDPR · DPA 2018 · PECR · DUAA 2025-aware
Cited answers across UK GDPR (retained EU regulation 2016/679), DPA 2018, PECR 2003, NIS Regs 2018, and the Data (Use and Access) Act 2025 (which amended substantial portions with effect from 5 February 2026). Every answer surfaces dua_amended and under_revision flags so you know when ICO or EDPB guidance is mid-review.
1,152
Sections Indexed
100%
Embedded
Beta · dev-ready
Status
15 May
Last Pipeline Run
About this specialist
The Data Protection specialist provides cited answers to data protection queries by searching indexed UK legislation and regulatory guidance. It covers the complete UK data protection framework: lawful basis analysis, subject access requests, data breach obligations, international transfers, DPIA requirements, and PECR cookie and direct marketing rules. Designed for DPOs, in-house compliance teams, marketing teams, and IT directors.
Every response includes precise Article or section references with direct links to legislation.gov.uk and ICO guidance. The specialist tracks DUAA 2025 amendments via a 61-entry enumeration table, flagging dua_amended: true on every provision touched by the Data (Use and Access) Act 2025. The full primary legislation corpus (UK GDPR 213 sections incl. DUAA-amended Arts 22A-D, DPA 2018 259, PECR 51, NIS Regs 30, DUAA 144), 11 ICO P1 guidance hubs (245 sections), international transfer tools (14 adequacy SIs + IDTA + Addendum + TRA + Data Bridge factsheets, 120 sections), 66 ICO enforcement records, and 24 EDPB Guidelines are now ingested and embedded at 100% on dev. This specialist is dev-ready and pending promotion to the production API. Find Case Law records remain gated on Transactional Licence CAS-331091-J2V2X9 (applied 14 May 2026).
Data Sources
5 primary instruments (697 sections) + 11 ICO P1 hubs (245) + Int'l transfers (120) + 66 enforcement + 24 EDPB · 1,152 total · 100% embedded · Dev-readyDUAA 2025 commencement in progress
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025; Commencement No. 6 SI brought the bulk of Part 5 (UK GDPR, DPA 2018, PECR amendments) into force on 5 February 2026. Stage 4 (complaints and governance) is expected mid-2026. The specialist tracks DUAA-touched provisions via a 61-entry enumeration table and flags dua_amended: true on every affected chunk.
| Source | Status | |
|---|---|---|
Primary Legislation (legislation.gov.uk · OGL v3) | ||
Data Protection Act 2018 ukpga/2018/12 · 259 sections |
Loaded | |
UK GDPR (retained EU Reg 2016/679: 99 Articles + 173 Recitals) DUAA-amended Arts 22A–D, 45A–C, 49A, 84A–D included |
Loaded | |
PECR 2003 (SI 2003/2426) Cookie consent, email marketing, direct marketing |
Loaded | |
NIS Regulations 2018 (SI 2018/506) Network and information security obligations |
Loaded | |
Data (Use and Access) Act 2025 (ukpga/2025/18) DUAA amendments in force 5 Feb 2026 |
Loaded | |
Age Appropriate Design Code (Children's Code: 15 standards) ICO statutory code for digital services |
Queued | |
Adequacy SIs under s17A DPA 2018 14 SIs: EEA, Gibraltar, Israel, Jersey, Isle of Man, NZ, Korea, US Data Bridge + others |
Loaded | |
ICO Guidance Library (P1: bi-weekly during DUAA window) | ||
Lawful basis hub (all 6 bases + special category + criminal offence + biometric) |
Loaded | |
Subject Access Requests |
Loaded | |
Personal data breaches (72hr notification) |
Loaded | |
International transfers (IDTA, Addendum, TRA, adequacy) |
Loaded | |
DPIA |
Loaded | |
PECR + cookies + direct marketing |
Loaded | |
Direct Marketing Code of Practice |
Loaded | |
DPO |
Loaded | |
Documentation / ROPA |
Loaded | |
AI and data protection |
Loaded | |
Legitimate interests (LIA template) |
Loaded | |
ICO Guidance Library (P2) | ||
Individual rights (all 8 rights) |
Queued | |
Employment |
Queued | |
Special category data |
Queued | |
Children's Code + Children's information |
Queued | |
Anonymisation and pseudonymisation |
Queued | |
Accountability framework |
Queued | |
Exemptions |
Queued | |
Information Commissioner's Opinions |
Queued | |
ICO Enforcement Decisions (worked examples) | ||
Enforcement decisions over 24 months (MPN / reprimand / enforcement notice / undertaking) |
Loaded | |
PSNI £750k (2024) |
Loaded | |
Advanced Computer Software Group £3m (2024) |
Loaded | |
TikTok £12.7m (2023, UT appeal May 2026) |
Loaded | |
Clearview AI £7.55m (FTT 2023, [2025] UKUT 319 AAC remit) |
Loaded | |
Post Office reprimand (Dec 2025) |
Loaded | |
International Transfers (toolkits: ICO OGL) | ||
IDTA v.A.1.0 (mandatory for new contracts from 21 Sep 2022) |
Loaded | |
Addendum to EU SCCs v.B.1.0 |
Loaded | |
Transfer Risk Assessment (TRA) tool |
Loaded | |
ICO Opinion on UK-US Data Bridge (effective 12 Oct 2023) + Data Bridge factsheets |
Loaded | |
EU→UK adequacy (renewed 19 Dec 2025, valid to 27 Dec 2031) |
Loaded | |
Current UK adequacy regulations (EEA, Gibraltar, Israel, Jersey, Isle of Man Feb 2025, NZ, Korea + others) |
Loaded | |
EDPB Guidelines (persuasive, not binding under UK regime) | ||
WP242 portability, WP243 DPOs, WP248 DPIA, WP251 ADM/profiling (WP29 endorsed 25 May 2018) |
Loaded | |
Guidelines 5/2020 consent, 7/2020 controller/processor, 1/2024 legitimate interests, 01/2025 pseudonymisation, 9/2022 breach notification |
Loaded | |
Recommendations 01/2020 (supplementary measures), Guidelines 07/2022 (certification) |
Loaded | |
Find Case Law: Data Protection (LICENCE GATED) | ||
Lloyd v Google LLC [2021] UKSC 50 |
Licence pending | |
Various Claimants v Wm Morrison Supermarkets [2020] UKSC 12 |
Licence pending | |
NT1 & NT2 v Google LLC [2018] EWHC 799 (QB) |
Licence pending | |
Bridges v South Wales Police [2020] EWCA Civ 1058 |
Licence pending | |
Killock & Veale v ICO [2021] UKUT 299 (AAC) |
Licence pending | |
Experian v ICO [2023] UKFTT 132 (GRC) |
Licence pending | |
Clearview AI v ICO [2025] UKUT 319 (AAC) |
Licence pending | |
Full FTT GRC / UT AAC / EWCA / EWHC / UKSC corpus |
Licence pending | |
5 primary instruments (697 sections) + 11 ICO P1 guidance hubs (245 sections) + 14 adequacy SIs + IDTA/Addendum/TRA + Data Bridge (120 sections) + 66 ICO enforcement records + 24 EDPB Guidelines · 1,152 sections total · 100% embedded · ICO P2 hubs queued · Find Case Law pending Transactional Licence CAS-331091-J2V2X9 (applied 14 May 2026, ETA ~5 weeks) · Last ingest 2026-05-15 · Dev-ready, pending prod promotion
See it in action
Real examples of cited answers from the Data Protection specialist.
We received a Subject Access Request on 10 April 2026. What’s our deadline?
1 month from receipt under Art 12(3) UK GDPR, so by 10 May 2026. However, you can pause the clock while reasonable identity verification is outstanding under the DUAA 2025 amendment to Art 12 (in force 5 Feb 2026, applies to SARs received from 1 Jan 2024 under DUAA transitional provisions). Send the ID request promptly; the pause runs until verification is provided.
UK GDPR Art 12 (DUAA-amended)Do we still need consent for Google Analytics 4 cookies as of May 2026?
Depends on configuration. DUAA 2025 introduced new low-intrusion exemptions to PECR reg 6 (effective 5 Feb 2026). A theme/preference cookie qualifies: no consent, but clear notice + opt-out required. GA4 qualifies only if first-party, IP-anonymised, no cross-site profiling. Default GA4 with advertising integrations still requires UK-GDPR-standard consent.
Note: ICO cookies guidance still carries an under-revision banner as of May 2026.
PECR reg 6 (DUAA-amended)What was the outcome in Lloyd v Google LLC?
Case Law from Find Case Law is not yet available for this specialist. Our Transactional Licence application (reference CAS-331091-J2V2X9) was submitted on 14 May 2026 and is awaiting approval (~5 weeks). Once granted, priority data-protection cases, including Lloyd v Google LLC [2021] UKSC 50, will be ingested and citable directly.
For now, refer to the National Archives case law portal.
caselaw.nationalarchives.gov.ukWho uses this specialist
Data Protection Officers
Rapid cited answers on lawful basis, DPIA obligations, breach thresholds, and DUAA 2025 amendments without manual legislation review.
In-house Compliance Teams
DPA 2018 schedule conditions, special category obligations, ROPA requirements, and international transfer tool selection.
Marketing Teams
PECR cookie rules, direct marketing consent requirements, and DUAA 2025 low-intrusion exemptions, before campaigns go live.
IT Directors
72-hour breach notification obligations, NIS Regs security requirements, and DPIA triggers for new systems and processors.
API access & integration
The Data Protection specialist is available as an MCP tool within PrivateNode client workspaces. Queries are routed via the Node+ agent and return JSON responses with citations, amendment flags, and source links. The dua_amended field signals provisions touched by the Data (Use and Access) Act 2025; the under_revision flag surfaces ICO guidance pages with an active review banner.
Enterprise clients can access the specialist via REST API for integration into compliance workflows, contract review pipelines, and internal knowledge bases. Contact us to discuss your use case.
GDPR and DPA 2018 research, cited to the Article.
Cited answers across UK GDPR, DPA 2018, PECR, and the DUAA 2025 amendments. Built for DPOs, compliance teams, and in-house legal.