What UK GDPR Means for Your IT Infrastructure in 2026
- AIS Technology

On 5 February 2026, the most significant reform of UK data protection law since Brexit came into force. The Data (Use and Access) Act 2025 amended the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. For most small and medium-sized businesses across London and Essex, the headlines focused on lawful bases and automated decisions. The reality on the ground is different. UK GDPR has always been an IT infrastructure problem first and a legal one second.
If your systems cannot evidence who accessed personal data and when, you cannot demonstrate accountability under Article 5(2). If your backups are not encrypted, you cannot meet the security requirements in Article 32. If a Subject Access Request lands in your inbox and your IT estate is fragmented across half a dozen platforms, the 30-day clock starts ticking against you.
This post explains what UK GDPR actually requires of your IT infrastructure in 2026, what the 2025 Act changed, and how to evidence compliance without the kind of expensive overhead that catches most SMEs off guard.
What is the UK GDPR and what changed in 2026?
The UK GDPR is the United Kingdom's version of the General Data Protection Regulation, retained in domestic law after Brexit. It sits alongside the Data Protection Act 2018, which fills in UK-specific exemptions, and the Privacy and Electronic Communications Regulations (PECR), which govern direct marketing and cookies. Together, these three instruments form the backbone of UK data protection law.
The Data (Use and Access) Act 2025, often shortened to DUAA, received Royal Assent on 19 June 2025. The bulk of its data protection provisions commenced on 5 February 2026 under SI 2026/82. The Act does not replace the UK GDPR. It amends it.
Four changes matter most for SMEs.
PECR fines now align with UK GDPR
The maximum penalty under PECR rose from £500,000 to £17.5 million or 4 per cent of global turnover, whichever is higher. Any business running outbound marketing through calls, texts or email now sits in the same penalty band as a serious data breach.
A seventh lawful basis for processing
Recognised legitimate interest (RLI) was added to Article 6, removing the need for a Legitimate Interests Assessment in five narrow public interest scenarios such as safeguarding national security and responding to emergencies. The ICO published final guidance on RLI on 23 March 2026.
New rules on automated decision making
Article 22A now governs solely automated decisions that produce legal or significant effects on individuals. The ICO published updated draft guidance on 31 March 2026, explicitly covering both in-house tools and third-party vendor solutions.
Changes to Subject Access Requests
The DUAA introduced a statutory reasonable and proportionate search standard, alongside a stop-the-clock provision when more information is required from the requester. These are operational changes that depend entirely on how well your IT systems are organised. From 19 June 2026, individuals also gain the right to complain directly to the data controller before approaching the ICO.
Why UK GDPR is an IT infrastructure problem first
Article 32 of the UK GDPR is titled Security of processing. It requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Article lists four specific examples: pseudonymisation and encryption; the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of and access to personal data in the event of an incident; and a process for regularly testing the effectiveness of those measures.
Every one of those obligations lands on the IT estate. Legal teams can write the policies, but it is your IT infrastructure that has to back them up. The ICO has consistently fined organisations whose paperwork was in order but whose systems failed in practice: encryption that was never enforced, MFA that was optional, backups that were never tested, audit logs that were not retained long enough to investigate an incident. These are not legal failures. They are configuration failures.
The IT infrastructure controls UK GDPR actually requires

Eight technical areas determine whether your IT estate meets UK GDPR in 2026. This is the part most SME owners under-invest in and most ICO enforcement actions punish.
1. Access control and identity management
Every system that processes personal data should enforce role-based access. Staff should only see what they need for their job. Joiners, movers and leavers should be onboarded and offboarded through a defined process, not on the day of the request. Shared accounts should be eliminated. Privileged accounts should be separated from standard user accounts and reviewed at least quarterly.
2. Multi-factor authentication
MFA is no longer optional under any reasonable interpretation of Article 32. Cyber Essentials has required MFA for cloud services since 2022, and the v3.3 update in April 2026 strengthens this further. For any system containing personal data, MFA should be enforced on every account, with phishing-resistant methods preferred over SMS where possible.
3. Encryption at rest and in transit
Personal data on laptops, servers, backups and removable media should be encrypted at rest. BitLocker for Windows endpoints, FileVault for Macs, native disk encryption for cloud storage. Data moving between systems should use TLS 1.2 or higher. Where data is held by a third party, the data processing agreement should specify the encryption standards in use.
4. Backup and disaster recovery
The 3-2-1 backup rule applies: three copies of your data, on two different media types, with one stored offsite or in immutable cloud storage. Backups should be tested by restoring real data to a separate environment. A backup that has never been restored is not a backup; it is a hope. Article 32 explicitly requires the ability to restore personal data in a timely manner following a physical or technical incident.
5. Monitoring, audit logs and detection
You cannot demonstrate accountability under Article 5(2) without logs. Every system that processes personal data should retain audit logs for a defined period, typically twelve months, capturing logins, data access, configuration changes and administrative actions. SIEM tools or managed detection services are appropriate for larger or higher risk environments. For most SMEs, native Microsoft 365 audit logging extended through Microsoft Purview is the most common starting point.
6. Patch management and vulnerability scanning
Operating systems, browsers, productivity software and third-party applications should all be on a defined patch cycle. The Cyber Essentials v3.3 update from April 2026 tightens this to 14 days for high-risk vulnerabilities. Quarterly vulnerability scans of internet-facing systems are a sensible minimum. The ICO has fined organisations specifically for delayed patching that led to data breaches.
7. Endpoint security and mobile device management
Every laptop, phone and tablet that handles personal data needs endpoint protection, an enforced screen lock, full-disk encryption and the ability to be wiped remotely if lost. Microsoft Intune or a comparable MDM tool is the standard route for SMEs running Microsoft 365.
8. Data residency and cloud configuration
UK GDPR imposes restrictions on international data transfers. If your systems are hosted in cloud regions outside the UK or EEA, you need to evidence the legal mechanism that permits the transfer. The simplest approach for most SMEs is to insist on UK or EEA data residency in your cloud configuration. With US-based providers, the CLOUD Act creates a grey area that has driven growing UK SME interest in sovereign cloud arrangements.
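As an added example (not from the original post or from AIS Technology), the following Python check applies the access control, MFA and leavers controls above to an account export and produces the kind of evidence an accountability review needs. The field names and the sample accounts are constructed assumptions, not a real directory export.

```python
"""Access-control evidence check over a constructed account export.

Flags the gaps described in controls 1 and 2: enabled accounts without
MFA, shared accounts, leavers whose accounts are still enabled, and
privileged accounts not reviewed within the last quarter.
"""
from collections import Counter
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 90  # privileged accounts "reviewed at least quarterly"

# Constructed sample export (assumed field names; ISO dates as a CSV might give).
ACCOUNTS = [
    {"user": "a.patel", "enabled": True, "mfa_enforced": True, "privileged": False,
     "shared": False, "left_on": None, "last_review": "2026-03-01"},
    {"user": "finance-shared", "enabled": True, "mfa_enforced": False, "privileged": False,
     "shared": True, "left_on": None, "last_review": "2026-03-01"},
    {"user": "j.smith", "enabled": True, "mfa_enforced": True, "privileged": False,
     "shared": False, "left_on": "2026-02-14", "last_review": "2026-01-10"},
    {"user": "it-admin", "enabled": True, "mfa_enforced": True, "privileged": True,
     "shared": False, "left_on": None, "last_review": "2025-11-20"},
    {"user": "contractor1", "enabled": True, "mfa_enforced": False, "privileged": True,
     "shared": False, "left_on": None, "last_review": "2026-03-15"},
]


def review_accounts(accounts, as_of_iso):
    """Return (user, finding) pairs for every control gap as of the given date."""
    as_of = date.fromisoformat(as_of_iso)
    stale_before = as_of - timedelta(days=REVIEW_WINDOW_DAYS)
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue  # disabled accounts cannot be used and are out of scope
        user = acc["user"]
        if not acc["mfa_enforced"]:
            findings.append((user, "no-mfa"))
        if acc["shared"]:
            findings.append((user, "shared-account"))
        # A leaver's account should be disabled on or before the leaving date.
        if acc["left_on"] and date.fromisoformat(acc["left_on"]) <= as_of:
            findings.append((user, "leaver-still-enabled"))
        if acc["privileged"] and date.fromisoformat(acc["last_review"]) < stale_before:
            findings.append((user, "privileged-review-overdue"))
    return findings


def summarise(findings):
    """Count findings by type, the headline figure for a quarterly review record."""
    return dict(Counter(kind for _, kind in findings))


if __name__ == "__main__":
    for user, kind in review_accounts(ACCOUNTS, "2026-04-01"):
        print(f"{user:15} {kind}")
```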
The DUAA changes that directly affect your IT systems
Three of the 2026 changes touch the IT estate specifically.
The new PECR fine band means that marketing automation tools, CRM systems and email platforms now sit in a higher risk category. Configuration matters. Soft opt-in rules under PECR only apply to existing customers for similar products. If your marketing platform is sending campaigns to lists that have not been properly consented, the cost of getting this wrong is now in the same band as a serious cyber breach.
Article 22A on automated decision making applies to any system that makes solely automated decisions with legal or significant effects on individuals. For an SME, this typically means automated credit checking, automated CV screening, or any AI-driven decisioning tool used in HR or customer onboarding. The ICO guidance covers both in-house tools and third-party vendor solutions, so SaaS systems used by your team are in scope.
The SAR changes affect how you respond to a request. The new statutory reasonable and proportionate search standard means you are not expected to scour every system in your estate for a single mention of an individual's name. The standard only protects you, however, if you can demonstrate that your search was structured and methodical. That demands a data map. Without one, you have nothing to evidence what was searched and why.
Recent ICO enforcement against UK SMEs
ICO enforcement through 2025 and into 2026 made one thing clear. The regulator has moved past polite warnings for basic failures and is now fining smaller organisations meaningful sums when systems were not in order.
Common themes from the last twelve months of enforcement include unencrypted laptops left in cars and offices, weak or absent MFA on cloud platforms holding customer data, unmonitored phishing emails that led to mailbox compromise, contractors and ex-staff still able to access systems weeks after leaving, and unpatched systems exploited through publicly disclosed vulnerabilities.
Each of these is an IT control failure, not a legal one. Each is preventable with the right managed IT setup.
Your UK GDPR IT infrastructure checklist
Use this as a starting point for an internal review or a conversation with your IT support provider. If the answer to any of these is no or unsure, that is a gap worth closing.
Every account with access to personal data has MFA enforced
Role-based access is in place and reviewed at least twice a year
A documented joiners, movers and leavers process exists and is followed
All endpoints have full-disk encryption enforced through policy, not trust
Backups follow the 3-2-1 rule and are tested through actual restores
Audit logs are retained for at least twelve months across all systems holding personal data
A defined patch cycle is in place with critical patches applied within 14 days
All cloud systems are configured for UK or EEA data residency where possible
A data map exists that lists every system holding personal data, what it holds and where it sits
A documented incident response plan exists and has been tested at least once
Worried your IT estate would not stand up to an ICO review? AIS Technology offers a free, no-obligation GDPR readiness review for SMEs across London and Essex. We assess your access controls, encryption, backup, audit logs and data flows against the UK GDPR requirements, then give you a clear picture of where the gaps are and what to do about them.
How AIS Technology supports SMEs with UK GDPR compliance
AIS Technology delivers managed IT support and cybersecurity solutions to small and medium-sized businesses across London and Essex. Our work for finance and consultancy specialists routinely covers the IT infrastructure that sits behind a defensible GDPR posture: access controls, encryption, MFA enforcement, audit logging, backup and disaster recovery, patch management, endpoint security, and cloud configuration.
Where appropriate, we also support clients with Cyber Essentials certification, which significantly strengthens any GDPR compliance position, and with the development of a business continuity plan that meets Article 32's restoration requirements. For regulated firms, we offer dedicated IT support for financial services that aligns the IT estate with both UK GDPR and sector-specific operational resilience expectations.
Frequently asked questions
Does UK GDPR apply to small businesses?
Yes. UK GDPR applies to any organisation that processes personal data of people in the UK, regardless of headcount or turnover. The only size-based relief is a narrow exemption under Article 30(5) for record keeping by organisations with fewer than 250 staff that do not process special category data and where processing is occasional. Paying the annual ICO data protection fee is a separate registration duty under the 2018 Charges Regulations and is not in itself GDPR compliance.
What changed under the Data (Use and Access) Act 2025?
The DUAA amended the UK GDPR, the Data Protection Act 2018 and PECR. The most significant changes for SMEs are the new £17.5 million maximum PECR fine, the introduction of recognised legitimate interest as a seventh lawful basis, new rules on automated decision making under Article 22A, and updated Subject Access Request rules with a statutory reasonable and proportionate search standard. From 19 June 2026, individuals also gain the right to complain directly to the data controller before approaching the ICO.
What are the maximum fines under UK GDPR?
Two tiers apply. Lower tier infringements carry a maximum fine of £8.7 million or 2 per cent of global turnover, whichever is higher. Higher tier infringements, including breaches of the data protection principles or the rights of individuals, carry a maximum of £17.5 million or 4 per cent of global turnover. Following the 2025 Act, PECR fines for marketing breaches now sit in the higher tier.
How quickly do I need to report a data breach to the ICO?
Within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals. If reporting is delayed, the notification must include the reasons for the delay. Affected individuals must be notified without undue delay where the risk to them is high.
Does UK GDPR require multi-factor authentication?
The UK GDPR does not name MFA specifically, but Article 32 requires technical measures appropriate to the risk. For any system containing personal data accessible over the internet, MFA is the baseline expectation. Cyber Essentials, the UK government's recommended security baseline, has required MFA for cloud services since 2022, and the v3.3 update from April 2026 strengthens this further.
What is a data processing agreement and when do I need one?
A data processing agreement (DPA) is a contract required under Article 28 whenever you use a third party to process personal data on your behalf. This includes cloud storage, email platforms, CRMs, payroll providers, and most SaaS tools. Reputable providers offer a DPA as standard. If a vendor cannot provide one, you should not be processing personal data through their platform.
How does UK GDPR apply to cloud data stored outside the UK?
International transfers of personal data outside the UK are restricted under Chapter V of the UK GDPR. The most common legal mechanisms are an adequacy decision, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses. For most SMEs, the simplest route is to configure cloud services for UK or EEA data residency at the point of provisioning, and to insist on a written data processing agreement that specifies the storage location.
Make UK GDPR compliance a strength, not a worry. AIS Technology helps SMEs across London and Essex build the IT infrastructure behind a defensible GDPR position. Managed IT support, cybersecurity, encryption, MFA, audit logging, backups, and the documentation to evidence it all.