GDPR, Still a Thing in 2025: What UK Marketers Need to Know

By Dianna Rowatt, Product and Compliance Director at Force24.

 

In my role, I’m constantly in conversation with marketers across the UK, helping them navigate the evolving landscape of GDPR and compliance. If you’ve ever looked into it, you’re likely familiar with the terms processor and controller. These aren’t just buzzwords—they define how organisations like ours, as one of the UK’s leading Marketing Automation platforms, handle personal data. 

As a marketer, you’re probably a controller too, meaning you determine the purposes and methods of data processing. That role comes with significant responsibility. Here’s how the Information Commissioner’s Office (ICO) defines these terms: 

Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. 

Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. 

(Information Commissioner’s Office, 2023)

Since GDPR’s introduction—and its evolution into UK GDPR—we’ve prioritised supporting the marketing community. Whether you’re just starting out with compliance or are a seasoned pro, our appointed DPO and ISO 27001:2022 accreditation ensure we’re here to help you navigate the rules with confidence. 

In 2025, GDPR might still feel like a lingering shadow, but it continues to shape how we collect, store, and process data. The good news? While compliance can feel like a burden, it also strengthens customer trust and transparency, driving better marketing outcomes. 

 

This article covers: 
  • Key updates to UK GDPR and their implications. 
  • Changes to cookie policies and online tracking rules. 
  • The evolving role of AI in data protection. 
  • Practical steps to keep your marketing compliant in 2025. 

Let’s explore what UK marketers need to know to stay compliant, build trust, and thrive in this data-driven age. 

Section 1: UK GDPR in 2025 – Stricter Enforcement on Data Access Requests 

The UK General Data Protection Regulation (UK GDPR) remains central to how businesses handle data in 2025, and it’s still something we have to deal with every day. One of the biggest areas of focus this year is Data Subject Access Requests (DSARs) under Article 15 of UK GDPR, which gives individuals the right to access their personal data. The ICO has been clear that organisations need to respond to DSARs quickly, within a timeframe of 30 days, or risk facing hefty fines of up to £18 million or 4% of global turnover.

For marketers, this means having processes in place that can handle data requests efficiently. Yes, it’s a bit of an administrative headache, but it’s also an opportunity to show customers that you’re serious about protecting their privacy. By making it easy for people to access their data through simple, transparent systems, you not only avoid fines but also build trust. 

UK GDPR also helpfully defines and regulates the lawful bases on which personal data can be processed. In essence, there are six, of which consent is just one of the options:

  1. Consent: The individual has given clear consent for the processing
  2. Contract: The processing is necessary for a contract or because the individual has asked for specific steps
  3. Legal obligation: The processing is necessary to comply with the law
  4. Vital interests: The processing is necessary to protect someone’s life
  5. Public task: The processing is necessary for a public task or official functions
  6. Legitimate interests: The processing is in the legitimate interests of the company or organisation

It’s worth noting that not all EU countries recognise legitimate interest, with some countries like Germany requiring double opt-in for marketing purposes.

Section 2: The UK’s Data Protection and Digital Information Bill 

While UK GDPR is still the law of the land, the last Conservative government had introduced a Parliamentary bill to update the Privacy and Electronic Communications Regulations and UK GDPR, called the Data Protection and Digital Information Bill.

The bill, which would have removed the need to designate a Data Protection Officer, has now stalled following the general election. The new Labour Government’s 2024 manifesto reiterated the party’s support for developing the UK’s AI sector. Labour also wants to create a Regulatory Innovation Office that oversees other regulators and helps them to balance their mandates with a pro-innovation approach, including around key areas like AI safety. Expect more legislation soon…

 

Section 3: Changes in Cookie Policies and Online Tracking 

Cookies continue to be a hot topic, especially with the ICO last year tightening enforcement around PECR-compliant cookie consent. Marketers now need to provide users with clear, upfront choices about cookies, with no more sneaky pre-ticked boxes. This means you need to make sure your cookie consent banners are easy to understand and give users control over what data they’re sharing.

While it might seem like just another hurdle, getting cookie consent right can actually improve trust. Customers are more likely to engage with your brand if they feel like you’re being honest about how you’re using their data. By being transparent and offering a clear explanation of why second- and third-party cookies are used (websites don’t need consent for first-party cookies, often known as essential cookies), you can maintain compliance and keep customers happy.

 

Section 4: New Data Regulations Impacting UK Marketers 

As marketers, we’re not just dealing with UK GDPR anymore—regulations like the EU’s new ePrivacy Act are adding even more layers of complexity. The ePrivacy Act also focuses on IoT data, a sign of how data protection is evolving. The EU Artificial Intelligence Act is also set to impact marketing, especially if you’re using AI for things like customer segmentation or personalisation. 

Under Article 22 of UK GDPR, individuals have the right to not be subject to decisions made solely by automated systems, which includes AI-driven marketing. This means if your AI tools are making decisions about which customers receive certain content, you need to ensure those processes are transparent and have human oversight. You also need to make sure your customers know how their data is being used in these systems, and that you’re getting their consent where needed. 

 

Section 5: Practical Steps to Ensure UK GDPR Compliance in 2025 

UK GDPR compliance might still feel like a challenge, but there are practical steps you can take to make sure you’re staying on the right side of the law: 

Conduct Data Audits: Regularly check how personal data is being collected, processed, and stored. This helps you keep everything clean and compliant, and can highlight any potential gaps in your processes. 

Update Cookie Consent Mechanisms: Make sure your website’s cookie consent banners are compliant with the latest regulations. Users need to be able to easily manage their preferences, and you need to obtain consent before using non-essential cookies. 

Ensure AI Transparency: If you’re using AI for segmentation or personalisation, be clear about how it works and ensure there’s human oversight in your decision-making processes. Make sure you’re collecting customer consent before using their data in these systems. 

Document Compliance Efforts: Keep thorough records of your data protection activities, including DSAR management, consent records, and data processing agreements. This documentation will be crucial if you’re ever audited by the ICO. 

Monitor International Data Transfers: It is mandatory to use data transfer agreements if you’re transferring personal data between the UK and non-compliant countries based outside the EEA. For UK companies this would require an International Data Transfer Agreement (IDTA) or, for those based in the EU, the EU’s Standard Contractual Clauses (SCCs). Failure to comply where the destination country does not meet Data Protection Adequacy could result in one of the largest fines.

 

UK GDPR might still feel like it haunts us, but it’s not going anywhere…

The good news is that by staying compliant, we’re also becoming better marketers. Transparency and accountability aren’t just legal boxes to tick—they help us build trust with our customers and create more meaningful engagement. As AI and data-driven marketing continue to evolve, staying on top of UK GDPR and related laws ensures we stay innovative while maintaining customer loyalty and brand reputation. 
