Data privacy September 4, 2025
New UK Data Act 2025: key changes and compliance obligations for businesses
After extensive and protracted debate and revisions, the Data (Use and Access) Act 2025 (the “DUAA”) received Royal Assent on 19 June 2025.

The DUAA is being rolled out in stages between June 2025 and June 2026. Most measures are expected to commence within six months of Royal Assent, with the remainder phased in over the following year.

The DUAA is supplementary to the existing UK data privacy canon which includes the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (the “DPA”) and the Privacy and Electronic Communications Regulations (“PECR”). Despite being marked as the most significant overhaul of the UK’s data protection regime post-Brexit, the DUAA does not in fact replace existing legislation, but instead sits alongside it.

Structural reform: from ICO to the Information Commission

A big structural change is the planned replacement of the Information Commissioner’s Office with a new ‘Information Commission’ (the “IC”). Expected to be in place by 2027, the IC will adopt a corporate governance model, including a chief executive and a board, more closely resembling that of Ofcom.

This is intended to professionalise the regulator in the data protection space and bring it into line with other similar regulators. The ICO’s response to the introduction of the IC and the DUAA more generally was incredibly positive, stating that it was “pleased that the government has prioritised these necessary reforms”; the full response can be found HERE.

Recognised legitimate interests

The most immediate practical reform is the creation of a statutory category of ‘recognised legitimate interests’.

Under UK GDPR, organisations must have a lawful basis to process personal data. One such basis is ‘legitimate interests’, which allows processing of personal data where there is a genuine need and the activity is necessary for the intended data processing purpose, provided that a balancing test shows that the organisation’s interests are not outweighed by the data subject’s rights and freedoms.

Under the DUAA, organisations processing data for purposes such as direct marketing, intra-group administrative transfers, fraud prevention or public security will no longer need to conduct this balancing test between their own interests and those of the data subject. This does not though provide a carte blanche for direct marketeers who still must comply with, amongst other legislation, PECR which governs unsolicited marketing and the need for consent in these circumstances.

Although recital 47 of UK GDPR already hinted that direct marketing could be a ‘legitimate interest’, the DUAA removes doubt by codifying this into law.

To maintain compliance, organisations relying on these newly-recognised legitimate interests will prudently consider having their internal documentation reviewed and updated to reflect the change. In particular, records of processing activities, privacy notices and legitimate interests assessments may need to be updated to identify where the new statutory category applies and to ensure transparency for data subjects.

The current ICO guidance is expected to be updated with further clarification on the new statutory category of ‘recognised legitimate interests’ later this year.

Cookies, PECR and ICO enforcement powers

The DUAA also modernises rules on cookies and tracking technologies by expanding these to cover cookie-like technologies such as tracking pixels and browser fingerprinting.

At the same time, the circumstances in which consent is required have been narrowed. Consent will no longer be needed for certain low-risk uses, such as analytics cookies, website appearance or preference cookies, security functions, fraud detection and fault prevention, or where cookies are used to facilitate automatic authentication. In each case, however, organisations will still be required to provide individuals with clear information and the facility to opt out.

Perhaps the most significant shift in this area concerns enforcement. The DUAA aligns the penalty regimes under the UK GDPR, the DPA and PECR. It removes the current £500,000 cap on fines for PECR breaches and replaces this with a much higher limit of £17.5 million or 4% of worldwide annual turnover, creating a substantial increase in exposure, particularly in relation to cookie use and electronic direct marketing.

Automated decision-making and AI

The DUAA introduces a relaxation of certain restrictions on automated decision-making (“ADM”), which under the UK GDPR were tightly constrained where decisions significantly affected individuals. Organisations will have greater flexibility to use ADM and AI-driven tools, provided that ‘special category’ data (e.g. health, racial or biometric data) is not involved.

The DUAA also clarifies key concepts, including what constitutes a ‘significant decision’ – one with meaningful effects on an individual – and the requirement for ‘meaningful human intervention’, guiding organisations in determining when oversight is necessary. Under the DUAA, automated decisions are now permitted provided that certain safeguards are in place, including the right for individuals to request human intervention and challenge the decision.

International data transfers

The DUAA establishes a revised framework for international data transfers, setting a threshold that requires protections in the recipient country to be not ‘materially lower’ than those in the UK. This represents a shift from the current UK GDPR approach, which mirrors the EU’s stricter ‘essentially equivalent’ standard.

Under the DUAA, the Secretary of State is empowered to approve transfers by regulation, taking into account not only the data protection test but also the wider context of international data flows and their economic benefit to the UK. The new ‘not materially lower’ test is applied not only to adequacy decisions concerning third countries or international organisations but also when using safeguard mechanisms such as standard contractual clauses (“SCCs”) (see the SCCs HERE and the ICO’s addendum to the SCCs HERE).

Data subject access requests

The DUAA introduces a practical ‘stop the clock’ mechanism for data subject access requests (“DSARs”). Where an organisation must verify an individual’s identity or seek clarification on the scope of the request, the statutory timeframe will be paused until the necessary information is provided.

This codifies existing practice and gives organisations greater certainty that they will not be penalised for delays beyond their control.

The DUAA further codifies case law confirming that searches conducted in response to DSARs need only to be ‘reasonable and proportionate’. However, it stops short of providing further guidance on what constitutes a reasonable and proportionate search. This key change has been backdated and is deemed to have come into force on 1 January 2024.

Scientific research

The DUAA introduces a statutory definition of scientific research, confirming that this encompasses both public and private projects and both commercial and non-commercial projects. This clarification is intended to set down the scope of lawful processing for research purposes and to encourage organisations, including life sciences companies and academic institutions, to undertake scientific research. It also provides greater flexibility for the reuse of personal data across compatible research projects, subject to appropriate safeguards.

The DUAA also allows for broader consent in the research context. Consent remains valid even where every specific research purpose is not known at the outset of the project, provided that ethical standards are followed and the data is used solely for genuine scientific research. Where feasible, individuals should have the option to consent to specific parts of the research rather than being required to accept or decline the entire scope.

Adequacy and the EU relationship

Following a proposal from the European Commission, the UK’s ‘adequacy status’ under EU law – essential for frictionless data transfers – was due to lapse in June 2025 but has now been extended until December 2025.

The European Commission will now consider whether the changes introduced by the DUAA undermine protections to the point of endangering ‘adequacy’. Concerns have already been raised, particularly around ADM and the more flexible approach to international transfers. While the ICO has broadly welcomed the changes, it cautioned that the benefits of increased flexibility must be matched with robust protections, especially to ensure meaningful human involvement in ADM and to preserve trust in cross-border data flows.

If ‘adequacy’ is lost, organisations are likely to face significant time and cost implications given that they will need to rely on contractual clauses or binding corporate rules.

Concluding thoughts

The DUAA represents the most substantial recalibration of UK data protection law in the post-Brexit era, but its reforms are evolutionary rather than revolutionary: clarifying lawful bases, easing AI adoption, reshaping cookie rules and dramatically increasing PECR enforcement powers.

For businesses, the compliance challenge remains. Documentation needs to be updated, privacy practices revised and AI and DSAR processes reviewed. Most importantly, businesses need to be aware of the possibility of an upcoming ‘adequacy’ gap with the EU, which could profoundly affect international operations.

As further ICO guidance is published through 2025 and 2026, businesses will prudently use the current window before full implementation of the DUAA to assess their data governance frameworks and ensure that they are prepared for the new regime.

This piece was written by Sanya Bhambhani and Robert Humphreys. As ever, if you would like advice on the DUAA (and data privacy generally) or would like to further understand how it could impact your business, please don’t hesitate to contact a member of the HLaw team.

All the thoughts and commentary that HLaw publishes on this website, including those set out above, are subject to the terms and conditions of use of this website. None of the above constitutes legal advice and is not to be relied upon. Much of the above will no doubt fall out of date and conflict with future law and practice one day. None of the above should be relied upon. Always seek your own independent professional advice.