Compliance · 13 June 2026 · Updated 14 June 2026 · Edoka Idoko

UK GDPR & Verifiable Documents: An Issuer's Guide (2026)
Quick answer

Most GDPR guidance is written for organisations collecting data. But issuing a document is processing too — and three principles in particular (accuracy, integrity and security, and accountability) land directly on the documents you send out. Verifiable issuance speaks to exactly those three.

Every time your organisation issues a payslip, transcript, reference, statement, or certificate, you are processing personal data — and UK GDPR applies. That means the document you put your name on must be accurate, kept secure against unauthorised alteration, and your handling of it must be something you can demonstrate. In 2026 the rules also carry the imprint of the Data (Use and Access) Act 2025, which amends but does not replace UK GDPR.

This guide is for document issuers: it explains the obligations that bite hardest when you issue documents, what the 2025 reforms change, and where making your documents verifiable helps you meet them. It covers UK GDPR across England, Wales, Scotland and Northern Ireland, and is general information, not legal advice.

The UK data-protection landscape in 2026

UK data protection rests on two instruments working together: the UK GDPR, the retained version of the EU GDPR, and the Data Protection Act 2018. The regulator is the Information Commissioner's Office (ICO). Breaches of UK GDPR can attract fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

What is new is the Data (Use and Access) Act 2025 (DUAA), which became law on 19 June 2025 and is being phased in between June 2025 and June 2026, with most key provisions taking effect on 5 February 2026. Crucially, the DUAA amends rather than replaces UK GDPR, the DPA 2018, and PECR — so the core regime you already know still stands.

What the DUAA 2025 changes (and doesn't)

The 2025 reforms are targeted amendments rather than a rebuild.

Change | What it means
New 7th lawful basis: Recognised Legitimate Interests | A category of legitimate interests (e.g. crime prevention, safeguarding, emergency response) needing no balancing test — though the necessity test still applies.
ICO becomes the Information Commission | The regulator is restructured into a statutory body with stronger powers, including compelling witnesses to interviews and requiring technical reports.
Children's services design rules | Formalises the ICO's Children's Code: services likely accessed by children must account for their needs by design.
DSAR searches reasonable and proportionate | Codifies that the search you must run in response to a subject access request is proportionate.
International transfers | A new "not materially lower" data-protection test for transfer risk assessments; existing valid transfer mechanisms remain effective.
Higher PECR fines | PECR penalties raised to £17.5m or 4% of turnover, matching UK GDPR.
New right to complain to controllers | Data subjects gain a statutory right to complain directly to controllers, from 19 June 2026.

The ICO's own framing is that the DUAA mostly creates opportunities to do things differently, rather than forcing a wholesale rebuild — but it does warrant targeted updates to documentation and governance.

Issuing a document is processing personal data

It is easy to think of GDPR as being about databases and sign-up forms. But a document is personal data in motion. A payslip carries earnings and identifiers; a transcript carries academic records; a reference carries opinions about a named individual; a bank statement carries financial behaviour. When you create, sign, send, store, or verify any of these, you are processing personal data — and the issuer is the controller, or a processor, for that activity. The principles below apply to that document just as they apply to your CRM.

The obligations that bite hardest for document issuers

UK GDPR is built on the Article 5 principles. Through an issuer's lens, five of them land directly on the documents you send out: accuracy, integrity and security, accountability, data minimisation, and the breach-notification duty. The next sections take each in turn.

Accuracy — the document must be correct

UK GDPR requires personal data to be accurate and, where necessary, kept up to date. For an issuer, that means the document you release must correctly state what it purports to — and that you can stand behind it. A verification mechanism that confirms a document is the genuine, unaltered version you issued directly supports the accuracy principle.

Integrity and security — protect against alteration

The security principle requires appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss or damage — which includes protecting an issued document against alteration. A document that anyone can quietly edit after issuance is a weak control. Tamper-evidence — the ability to show a document has not changed since you issued it — is a direct, demonstrable security measure.

Accountability — you must be able to demonstrate it

This is the principle issuers most often overlook. UK GDPR does not just require compliance — it requires you to be able to demonstrate it. If a document is disputed, breached, or investigated, can you show what you issued, to whom, when, and that it was protected? A verifiable issuance trail turns "we are careful" into evidence you can produce.

Data minimisation — verify without over-exposing

You should process only the personal data you need for the purpose. Verification raises a subtle minimisation point: confirming a document is authentic should not require broadcasting all of its contents. A proof mechanism that confirms authenticity and integrity without over-exposing the underlying personal data supports minimisation rather than working against it.

Breach notification — the 72-hour clock

A personal data breach must be reported to the ICO within 72 hours where it meets the threshold. An issued document that is tampered with, intercepted, or leaked can be a reportable breach. Tamper-evidence and a verification trail help you detect and assess such incidents quickly — which matters when the clock is 72 hours.

Where verifiable issuance fits — and where it doesn't

The pattern across those obligations is clear: UK GDPR expects issued documents to be accurate, protected against alteration, and demonstrably so. That is precisely what verifiable issuance provides.

VerifyDoc.ai issues each document with a QR-backed Certificate of Authenticity and a hosted proof page, so that the document can be confirmed as the genuine, unaltered version you issued, supporting accuracy and integrity; you hold a demonstrable record that it was issued and protected, supporting accountability; a recipient can verify authenticity without you exposing more data than necessary, supporting minimisation; and alteration is detectable, aiding breach detection within the 72-hour window.

An honest scope note: verifiable issuance is one component of compliance, not the whole of it. It does not, by itself, give you a lawful basis for processing, a privacy notice, a Record of Processing Activities under Article 30, a Data Protection Impact Assessment where required under Article 35, a Data Protection Officer where required under Article 37, a retention policy, or a breach-response process. You still need those. What VerifyDoc.ai addresses is the document-integrity and verification slice — a real and often-neglected part of the picture, but a slice. See how it works.

A practical checklist for document issuers

1. Map your issued documents — payslips, transcripts, references, statements, certificates — as processing activities, and confirm your lawful basis for each.
2. Apply the security principle to issuance: protect documents against alteration with tamper-evidence, not just access controls.
3. Make integrity demonstrable by keeping a verification trail so you can show what you issued and that it was protected.
4. Mind minimisation in verification, confirming authenticity without over-exposing document contents.
5. Build breach detection in, so you can spot a tampered or leaked document fast enough to meet the 72-hour duty.
6. Refresh your documentation for the DUAA, updating privacy notices and procedures to reflect the new lawful basis and other 2025 changes.
7. Take advice on lawful bases, DPIAs, transfers, and any high-risk processing.

Make your issued documents accurate, secure, and demonstrable

VerifyDoc.ai gives every document you issue a QR-backed Certificate of Authenticity and a verification trail — supporting the UK GDPR principles of accuracy, integrity, and accountability, and helping you prove a document is the genuine, unaltered version you released. Start free or see how it works.

Related reading: Nigeria Data Protection Act 2023: a guide for document issuers and Are electronic signatures legally binding in the UK?.

This article is for general information and does not constitute legal advice. UK data-protection law, the DUAA's phased commencement, and ICO guidance continue to develop; consult a qualified data-protection adviser for your specific circumstances.

Frequently asked questions

Does UK GDPR apply to the documents my organisation issues?

Yes. Issuing a document such as a payslip, transcript, reference, or certificate is processing personal data, so UK GDPR's principles — including accuracy, security, and accountability — apply to it.

What is the Data (Use and Access) Act 2025?

It is UK legislation that became law on 19 June 2025 and amends (rather than replaces) UK GDPR, the Data Protection Act 2018, and PECR. Most key provisions took effect on 5 February 2026, including a new Recognised Legitimate Interests lawful basis and the restructuring of the ICO into the Information Commission.

Which GDPR obligations matter most when issuing documents?

Accuracy (the document must be correct), integrity and security (it must be protected against alteration), and accountability (you must be able to demonstrate compliance) bite hardest for issuers, alongside data minimisation and the 72-hour breach-notification duty.

Can verifiable documents make us GDPR-compliant?

No single tool makes you compliant. Verifiable issuance supports specific duties — accuracy, integrity, accountability, and minimisation — but you still need a lawful basis, privacy notices, records of processing, breach processes, and other measures.

What are the penalties under UK GDPR?

Up to £17.5 million or 4% of global annual turnover, whichever is higher. The DUAA also raised PECR penalties to the same level.

How quickly must a personal data breach be reported in the UK?

Within 72 hours of becoming aware of it, where the breach meets the notification threshold, to the ICO.

Edoka Idoko, Founder of VerifyDoc.ai, building verifiable document infrastructure for teams that need to prove a document is authentic after it leaves their system.