Legal • 4 March 2026 • 11 min read

GDPR for UK Journalists: What You Actually Need to Know

Data protection law is one of those areas that makes most journalists' eyes glaze over — until they receive a subject access request or a complaint from someone demanding their personal data be deleted from a published article. Here is a clear, practical guide to how the UK GDPR actually affects your daily work.

UK GDPR Basics: What It Is and Why It Matters

After Brexit, the EU GDPR was incorporated into UK law as the UK General Data Protection Regulation, supplemented by the Data Protection Act 2018. Together, these form the UK's data protection framework, enforced by the Information Commissioner's Office (ICO).

The UK GDPR regulates the processing of personal data — any information relating to an identified or identifiable living individual. This includes names, photographs, email addresses, IP addresses, and any other information that could identify someone directly or indirectly.

For journalists, this matters because virtually every story involves personal data. You process personal data when you:

  • Interview someone and record their responses
  • Photograph or film individuals
  • Name people in articles
  • Store contact details for sources
  • Research individuals' backgrounds using public records or social media
  • Handle leaked documents containing personal information

The Journalism Exemption: Section 26 DPA 2018

The good news is that UK law provides a specific and substantial exemption for journalism. Section 26 of the Data Protection Act 2018 (known as the “special purposes” exemption) disapplies most of the UK GDPR's requirements where personal data is processed for the purposes of journalism, provided three conditions are met:

  1. The processing is carried out with a view to the publication of journalistic material
  2. The data controller reasonably believes that publication would be in the public interest
  3. The data controller reasonably believes that compliance with the relevant provision of the UK GDPR is incompatible with the journalistic purpose

What the exemption covers: When it applies, the journalism exemption disapplies most data protection principles (including the right to erasure, the right to object, and requirements for consent), as well as the individual rights provisions. This means you do not need someone's consent to process their personal data for a legitimate journalistic purpose.

What “Public Interest” Means in Practice

The public interest test is central to the journalism exemption. The ICO has published guidance stating that public interest includes (but is not limited to):

  • Exposing crime, corruption, or serious wrongdoing
  • Protecting public health and safety
  • Preventing the public from being misled
  • Holding public figures and institutions to account
  • Promoting transparency in matters of public concern

Public interest is not the same as “interesting to the public.” Celebrity gossip or prurient material that merely satisfies curiosity is unlikely to meet the public interest threshold. However, the test is applied broadly, and the ICO has shown considerable deference to journalistic judgment in this area.

Subject Access Requests: How to Respond

Under Article 15 of the UK GDPR, individuals have the right to request access to personal data held about them. Journalists and media organisations do receive SARs, particularly from individuals who are the subject of investigations or critical reporting.

However, the journalism exemption can apply to SARs. If complying with a subject access request would compromise a journalistic investigation or reveal confidential sources, you may be exempt from the requirement to respond. Key points:

  • Do not ignore SARs: Even if the journalism exemption applies, acknowledge the request and explain (in general terms) that the data is being processed for journalistic purposes.
  • Assess each request individually: The exemption is not automatic — you must genuinely believe that compliance would be incompatible with your journalistic purpose.
  • Never reveal confidential sources in response to a SAR. Source protection is a legitimate reason to refuse disclosure.
  • Seek legal advice for complex or contentious SARs, particularly those that appear designed to obstruct an investigation.

Data Breaches: What You Need to Know

A data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. For journalists, common breach scenarios include:

  • Losing an unencrypted USB drive or laptop containing source material
  • Accidentally sending confidential information to the wrong recipient
  • Having your email or cloud storage compromised by hackers
  • Inadvertently publishing personal data that should have been redacted

Under the UK GDPR, data controllers must report certain breaches to the ICO within 72 hours. If you are a freelancer, you are the data controller for the personal data you process. If you work for a publication, your employer should have a breach reporting procedure — follow it immediately.

Critical: If a breach involves confidential source material, the consequences go beyond data protection compliance. A breach could endanger your source, compromise an investigation, and destroy professional trust. Treat data security as seriously as you treat editorial integrity.

Practical Data Handling Tips for Journalists

Even with the journalism exemption, responsible data handling is both a legal and ethical obligation. Here are practical steps every UK journalist should take:

  1. Encrypt your devices: Enable full-disk encryption on your laptop, phone, and any external storage. This is the single most important security measure you can take.
  2. Use secure communications: Signal for messaging, ProtonMail for sensitive emails. Standard SMS and unencrypted email are not secure for confidential source communication.
  3. Minimise data collection: Only collect and retain personal data that you genuinely need for your journalistic purpose. Delete data you no longer require.
  4. Secure your cloud storage: Use strong, unique passwords and two-factor authentication on all accounts. Consider where your data is physically stored — UK or EU-based services may be preferable for GDPR compliance.
  5. Redact carefully: When publishing documents, ensure redactions are genuine — metadata in PDFs and other formats can reveal information you intended to conceal. Use proper redaction tools, not simply black highlighting.
  6. Have a data retention policy: Decide how long you will keep research material and source data after publication. There is no fixed legal requirement, but keeping personal data indefinitely without a clear purpose is difficult to justify.

The Right to Be Forgotten and Journalism

Article 17 of the UK GDPR gives individuals the right to have their personal data erased (the “right to be forgotten”). However, this right does not override the journalism exemption. If someone asks you to remove their name from a published article, you are not obliged to comply if the article was published in the public interest.

That said, consider each request on its merits. There may be cases where updating or amending an article is the right thing to do — for example, if factual errors are identified or if the individual's circumstances have changed significantly. Good journalism involves ongoing editorial responsibility, not just legal compliance.

FOI and Data Protection: How They Interact

If you use Freedom of Information requests in your journalism, be aware that public bodies can refuse to disclose information if doing so would breach data protection principles. Section 40 of the Freedom of Information Act 2000 exempts personal data from disclosure where release would contravene the UK GDPR.

This does not mean all personal data is automatically exempt — the public body must conduct a balancing test between the individual's privacy rights and the public interest in disclosure. If you believe a refusal under Section 40 is unjustified, you can appeal to the ICO.

Further Resources