
UK Data reform: What businesses need to know

25 June 2025


On 19 June 2025, the Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent, bringing with it a series of targeted updates to the UK’s existing data protection framework.

While the Act does not replace the UK GDPR, the Data Protection Act 2018 (“DPA”), or the Privacy and Electronic Communications Regulations (“PECR”), it introduces reforms that aim to support innovation, streamline compliance, and protect individual rights.

For businesses and organisations handling personal data, the DUAA offers both greater clarity and some much-needed flexibility, particularly in areas such as research, international data transfers, cookies, and legitimate interests.

Key changes at a glance

The DUAA makes several important amendments, including:

Simplified subject access requests (“SARs”) and complaint handling

The changes are minimal for organisations that have robust SAR processes, but helpful clarifications have been made:

  • The one-month response deadline starts after identity has been confirmed
  • If clarification is needed, the timeline pauses until it’s received
  • Searches must be reasonable and proportionate, not exhaustive.

In addition, organisations are now required to have a data protection complaints process, including offering an online form, acknowledging complaints within 30 days, and responding without undue delay.

International transfers: A shift in thresholds

One of the most watched provisions is the DUAA’s new threshold for international data transfers. It replaces the UK GDPR’s existing adequacy test with a “data protection test”: the test is met where the standard of protection for data subjects in the third country is “not materially lower” than the standard in the UK. This is intended to be an easier threshold than the “essentially equivalent” standard applied under the GDPR.

The DUAA also allows the UK government to place certain countries on a transfer ‘blacklist’, banning businesses and other organisations from transferring personal data there, if the restriction is in the public interest.

Automated decision-making

The DUAA lifts some barriers by allowing a wider range of lawful bases for significant automated decisions, including legitimate interests, provided that safeguards are in place: individuals must be told that a decision was automated and must be able to make representations, obtain human intervention and contest the decision. The relaxation does not extend to special category data, for which the existing restrictions continue to apply. This could give organisations more flexibility to deploy AI-driven tools and processes with greater confidence.

Recognised legitimate interests: New lawful basis

The introduction of a ‘recognised legitimate interests’ lawful basis is one of the DUAA’s most practical updates. It removes the requirement to conduct a balancing test for specific, listed types of processing, for example, disclosing data to a public authority that has requested it or processing data to safeguard vulnerable individuals.

This could prove particularly valuable in sectors such as healthcare, education, and public services, where the purpose of processing is clear and socially beneficial.

Cookies

Organisations may now set certain cookies without user consent, such as those used for statistical analysis or for improving website functionality, provided users are given clear information about the cookies and a simple means of objecting to them. This can reduce the compliance burden for organisations managing cookies under PECR.

Scientific research

The Act makes it clearer when you can use personal information for the purposes of scientific research, including commercial scientific research. It also confirms that individuals can give broad consent for their data to be used across related research projects without reissuing privacy notices, provided other safeguards are in place and information is published online.

Charities and soft opt-in

Charities can now rely on the ‘soft opt-in’ when sending marketing emails to individuals who have previously shown an interest in their work, so long as an opt-out is clearly offered. This brings the rules closer to those already enjoyed by commercial organisations and may support more effective fundraising and engagement strategies.

Children’s data and age-appropriate design

For online services likely to be accessed by children, the DUAA reinforces the importance of protecting younger users. If your organisation already adheres to the Age Appropriate Design Code, no changes are needed, but if not, this is a prompt to review your current practices.

When will the changes take effect?

Implementation will be phased over the next 12 months, with the ICO expected to publish detailed guidance and timelines. Now is the time for organisations to:

  • Engage with their Data Protection Officer (“DPO”)
  • Review internal policies and training
  • Begin aligning with the new provisions ahead of enforcement.

We will continue to monitor the ICO’s updates and provide practical insights as they become available.
