Data Protection reform – the new Data (Use and Access) Act 2025

The General Data Protection Regulation (GDPR) was one of those pieces of legislation that almost everyone can remember being introduced. For better or worse, it completely changed how organisations were required to handle personal data and its impact was extensive.

Reforming and updating GDPR has been on the cards for a long time, but limited reform has now arrived through the Data (Use and Access) Act 2025 (DUA Act 2025), which received Royal Assent on 19 June 2025.

What’s changed?

The DUA Act 2025 reduces the compliance burden and increases flexibility in some key areas. Some significant changes to the GDPR which organisations should be aware of relate to:

Automated decision making (ADM)

Unsurprisingly, given the rapidly changing AI environment, the rules relating to ADM are perhaps the biggest change to the UK GDPR introduced by the Act. It amends the principles involved, so instead of being a prohibition on ADM with limited exceptions, the legislation now permits ADM, subject to specific rules and guardrails. The ban remains for ADM involving special category data. ADM not involving special category data is now permitted provided that certain safeguards are in place, including requirements to:

  • provide people with information about significant decisions made about them (i.e. transparency);

  • enable people to make representations about and to challenge such decisions; and

  • enable people to obtain human intervention in respect of such decisions.

Data subject access requests (DSARs)

Sections 75 – 79 of the DUA Act 2025 make certain amendments, including clarifying that controllers:

  • can "stop the clock" on the time limit for responding to DSARs if they reasonably need more information from the requester to confirm the scope of the DSAR (e.g. where the controller processes a large amount of personal data about the requester); and

  • only need to make reasonable and proportionate searches in response to a DSAR.

Recognised legitimate interests

Under GDPR, processing personal data is lawful only if one of the conditions in Article 6(1) GDPR applies. These conditions include where someone has given their consent for their data to be processed, but also where the “processing is necessary for the purposes of the legitimate interests pursued by the controller”.

The new DUA Act 2025 provides more detail on what might be legitimate. The list set out in Section 70 of the DUA Act 2025 is fairly limited in scope and includes where processing is necessary for:

  • safeguarding national security, protecting public security or for defence purposes;

  • the purposes of responding to an emergency; and

  • detecting, investigating or preventing crime or apprehending or prosecuting offenders.

Perhaps more helpfully for commercial organisations, the DUA Act also includes examples of interests that might be legitimate, such as direct marketing and intra-group transfers. However, these interests still require application of the balancing test and so don't reflect a big change to current practice.

Cookie consent rules

Section 112 of the DUA Act 2025 introduces a slight 'relaxation' of the cookie consent rules. It provides that consent is not required for low-privacy-risk cookies (or similar technologies), for example certain analytics cookies. However, users must still be able to opt out of such cookies. As such, cookies now fall into three categories under the new rules:

  • strictly necessary cookies: no consent and no opt-out required;

  • low risk (e.g. analytics cookies): no consent but ability to opt-out required;

  • other cookies: opt-in consent required.

More flexibility to reuse personal data

Changes will allow organisations not to provide transparency information when further processing personal data for certain limited processing purposes if providing a notice is impossible or would involve a disproportionate effort. The purpose limitation principle, and the test for when an organisation may treat a new use as compatible with the original purpose, are also restructured and amended.

International data transfers

Under the DUA Act 2025, the relevant test is whether the standards of protection in the importing jurisdiction are "materially lower" than those in the UK. This contrasts with the GDPR, which requires third-country protections to be equivalent to UK protections. This change aims to simplify cross-border data flow.

Right to complain

Section 103 of the DUA Act 2025 amends the UK Data Protection Act 2018 to include a right for data subjects to make a complaint to controllers if they believe a breach of the GDPR has occurred.

Regulatory changes

The ICO is renamed the Information Commission, with unchanged core powers but increased fining authority under the Privacy and Electronic Communications Regulations 2003 (PECR), which are also being amended by the DUA Act 2025. This change closes an enforcement gap by aligning the fines under PECR with those under GDPR.

When do the changes take effect, and who will they impact?

Some of the DUA Act 2025 requirements came into force in June, when it was granted Royal Assent, and others will follow on 20 August. However, many of these relate to very specific, niche changes and affect only a small number of agencies and organisations.

The changes most likely to affect businesses, which cover the GDPR reforms, require secondary legislation to take effect and will therefore be introduced in phases over the next year, most likely 6 months and 12 months after Royal Assent. As and when we get further details, we’ll let you know!

In the meantime, organisations should follow the existing GDPR requirements.

What can we do to prepare?

  • Review your data protection compliance efforts and map out whether there are any areas of lower compliance burden, increased flexibility or change within the DUA Act 2025 which your organisation may benefit from.

  • Keep an eye out for forthcoming ICO guidance.

  • Review your corporate website and its cookies.

  • Policy updates: review your internal policies, particularly regarding ADM, DSARs and legitimate interest assessments.

  • Privacy notices: these may need revision to reflect new processing bases and exemptions.

  • Training: employees should be trained on the new rights, responsibilities and procedures.

  • Monitoring EU adequacy: businesses transferring data to or from the EU should prepare for potential changes in adequacy status.

If you are feeling overwhelmed or don’t know where to start, RGS can help you plan! Contact us to find out how we can help.
