The Data Law Shake Up: A Simpler System… With Bigger Consequences

UK data protection law is changing. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, amends the UK GDPR, the Data Protection Act 2018 and PECR. The reforms aim to simplify compliance and support innovation but they also introduce new duties, higher penalties and fresh operational requirements. With implementation rolling out through 2025–2026, now is the time to review your systems, governance and documentation.

What is changing?
The DUAA updates rather than replaces the UK GDPR, modernising several areas. Government and ICO commentary emphasises that the reforms aim to simplify rules while maintaining strong protections and expanding regulatory powers.

Key changes include:

  • Automated Decision-Making (ADM)
    The Act makes it easier for organisations to use fully automated systems for significant decisions about individuals. However, organisations must still provide clear information, allow individuals to challenge decisions, and offer meaningful human review.
  • Subject Access Requests (SARs)
    Organisations need only carry out searches that are reasonable and proportionate. They can also pause the clock while verifying identity or seeking clarification, reducing unnecessary admin.
  • Recognised Legitimate Interests
    A new lawful basis covers preventing crime, safeguarding and protecting public security. Where the criteria are met, no balancing test is required, but transparency obligations still apply.
  • Cookies and Tracking Technologies
    Certain low-risk cookies (e.g. analytics, performance improvement or security) can now be used without consent. This is the first major relaxation of UK cookie rules in years.
  • Higher PECR Fines
    PECR penalties now match UK GDPR levels: up to £17.5 million or 4% of global annual turnover, significantly increasing the potential consequences of non-compliance.
  • International Data Transfers
    A new test for assessing data protection standards in other countries gives organisations more flexibility, though it may increase the risk of UK–EU divergence on adequacy decisions.
  • Mandatory Complaints Handling (from June 2026)
    Organisations must implement a formal process for handling data‑protection complaints. Complaints must be acknowledged within set deadlines before individuals can escalate to the ICO.

Implementation Timeline

Already in force (2025)
Several provisions are already live, including:

  • Rules supporting Smart Data schemes, enabling consumers to share data safely with trusted providers.
  • A legal framework for Digital Verification Services for digital identity confirmation.
  • Updated objectives for the ICO, clarifying the regulator’s priorities.

From 5 February 2026
The main changes take effect, covering:

  • Which lawful bases organisations can rely on;
  • How automated decision‑making is handled;
  • How businesses respond to Subject Access Requests;
  • When cookies can be used without consent; and
  • Higher PECR fines.

From 19 June 2026
Organisations must have a formal complaints-handling process in place before individuals can escalate concerns to the ICO.

Later in 2026
Further regulations and step-by-step ICO guidance will follow as the new framework beds in.

Preparing for Compliance: What to Do Now

With deadlines approaching, organisations should take the following steps:

  • Review how they handle Subject Access Requests and make sure processes meet the new rules.
  • Update privacy notices and Records of Processing Activities (ROPAs) so they reflect the latest legal requirements.
  • Check and simplify cookie practices in line with the new exemptions.
  • Assess any automated decision-making systems and ensure the right safeguards are in place.
  • Set up a clear workflow for managing data-protection complaints.
  • Train staff so they understand the new duties and what the changes mean in practice.

If you’d like to discuss how these changes affect your organisation, our Commercial team is here to help. We support clients across all sectors with DUAA, UK GDPR and PECR compliance. Get in touch at [email protected].

Mollie Proctor, Solicitor