
The New Rules for UK Personal Data Transfers


By Rohan Whitehead - Data Training Specialist.
Published on: 20 August 2025


If you have heard that the UK has “opened the door” to hosting personal data on non-UK servers, the reality is more nuanced. UK GDPR never imposed a blanket data-residency rule. What has changed in 2025 is the legal test and the practical steps for sending personal data overseas. For data teams choosing cloud regions, reviewing vendor chains or refreshing contract packs, that shift matters. 

What changed and what stayed the same 

In June 2025, as part of the new Data (Use and Access) Act, Parliament introduced a new, simpler standard for international transfers. When you send personal data to another country using contracts or similar safeguards, you now ask a clearer question: will protection after the transfer be not materially lower than the UK baseline? This gives the government more flexibility to recognise other countries as adequate. It also gives organisations more room to make proportionate, risk-based assessments that reflect real technical controls, such as encryption and access management, rather than theoretical worst cases.

There is still no blanket permission to send data anywhere without checks. You still need a lawful route. That can be an adequacy decision, the UK International Data Transfer Agreement, the UK addendum to the EU standard contractual clauses or a narrow exception. The Information Commissioner’s Office is updating its guidance, but the core approach remains: map the transfer, pick the right mechanism, document why it is appropriate and keep that record up to date.

What this means for cloud and hosting choices 

Selecting a non-UK cloud region remains entirely possible and in many cases sensible, but the emphasis now shifts to showing that your real controls keep risk low. Start with the business need that drives region choice, for example latency for users in Ireland, cost for a disaster recovery copy in Frankfurt, or vendor availability where a product is only hosted in the United States. Then show, in plain terms, how the personal data involved is protected in that location. The new test allows you to rely on practical measures, so describe them clearly. Encryption at rest and in transit with strong ciphers, customer-managed keys or a hardware security module, tight role-based access controls, privileged access that is time-bound and audited, and comprehensive logging with alerting all help to demonstrate that protection is not materially lower than the UK baseline.

How this sits alongside EU rules 

Most UK organisations also receive data from the EU. The UK remains adequate in EU law, and the goal is to keep it that way. The UK’s new test is more flexible, but the core protections are aligned. The practical takeaway is to implement the UK changes while watching for any EU commentary. Keeping EU confidence preserves smooth two-way data flows, which is a strategic priority for many businesses.

What good practice looks like now  

Focus on clarity rather than paperwork volume. Keep a current map of your transfers, including sub-processors. Prefer adequacy where it fits. Where you use clauses, write a short, concrete assessment that links your technical and organisational controls to the new standard. Explain how your safeguards reduce risk in context, rather than copying generic text. Build sensible review points into contract renewals and vendor management. Train product and procurement teams so that location choices and transfer routes are considered early, not added at the end.

Looking ahead  

The direction is pragmatic. The UK wants data to move for trade and innovation, without a data residency rule, and without lowering the privacy baseline. If adequacy decisions expand and the ICO provides proportionate examples, many organisations will find it easier to justify reputable non-UK hosting without adding risk.

 

