9 July 2025

Welcome News For Employers On Data Protection

A&O Shearman


It is rare for employers to receive genuinely positive news in the data protection sphere, but the Data (Use and Access) Act 2025 (DUAA) is a notable exception.

The DUAA aims to ease compliance burdens, introduce greater flexibility, and provide more practical options for managing data, without undermining the fundamental rights of individuals. In codifying and clarifying certain approaches to data protection compliance, the DUAA may enable employers to more confidently adopt proportionate, risk-based approaches to managing personal data.

The summary below outlines the key provisions already in force, as well as those expected to come into effect in due course, together with an action list for employers. Each change presents an opportunity for employers to streamline processes and enhance internal data handling practices.

Provisions in force immediately

A particularly welcome development is the statutory recognition of the "reasonable and proportionate" standard for responding to Data Subject Access Requests (DSARs), as established in the Mike Ashley v HMRC case. Current ICO guidance (under review in light of the DUAA) states that, to determine whether a search is reasonable and proportionate, controllers must consider the circumstances of the request, the difficulties involved in finding the information and the fundamental nature of the right of access.

As an example, if a long-serving employee requests all personal data held as a fishing expedition, an employer may be able to legitimately push back. This will depend on context and circumstances, and an appropriate assessment will always need to be made.

Forthcoming changes

  • Data subject right timelines: while the one-month response period for data subject rights requests remains, the DUAA allows that period to start on the latest of the date of the initial request (the current position), the date on which the employer receives additional identity information it has requested, and the date on which the employer receives any relevant fee.

    The DUAA will allow employers to stop the clock where further information is needed to clarify or verify an access request. For example, if an employee submits a vague request or fails to provide sufficient identification, the response period may be suspended until the necessary details are received.

  • Automated decision-making: the DUAA provides greater flexibility for controllers to use solely automated decision-making when making a significant decision (ie a decision that has a legal or similarly significant effect upon the employee).

    Provided that appropriate safeguards are in place, the ability to carry out such automated decision-making is not limited solely to circumstances where the legal basis relied upon is consent or contractual necessity. Specified safeguards currently include informing individuals of the decision, offering the opportunity to make representations and contest the decision, and enabling human review.

    The DUAA does restrict the use of solely automated decision-making when significant decisions are based on the processing of special category personal data or when a "recognised legitimate interest" (see below) is the legal basis relied upon to process the personal data.

    These automated decision-making changes may be particularly interesting for employers using AI tools in recruitment or performance management, such as automated CV screening or algorithmic performance scoring. However, whilst the new provisions may provide some confidence to employers, the activity continues to be high risk and caution is required.

    There remain many factors to consider in relation to compliance with the broader data protection regime such as fairness, transparency, and the need for Data Privacy Impact Assessments. Helpfully, we have already seen the ICO's audit report on AI in Recruitment, and it has also listed the use of automated decision-making in recruitment as a priority area in its AI and biometrics strategy. The ICO has indicated that it will be scrutinising the use of automated decision-making in recruitment by major employers and recruitment platforms before publishing findings and regulatory expectations (as well as holding employers to account).

  • New right to complain: employees will gain a statutory right to complain directly to the employer, as data controller, regarding UK GDPR compliance. Whilst the ICO already suggests that an individual should engage directly with a data controller before complaining to the ICO, the DUAA introduces new obligations. For example, an employer must facilitate the making of complaints (such as through complaints forms), acknowledge complaints within 30 days, and respond without undue delay. While this introduces new procedural obligations, it also provides an opportunity to resolve concerns internally before escalation to the ICO.

  • Recognised legitimate interests: the DUAA introduces a new legal basis for processing personal data, "recognised legitimate interests", allowing certain types of processing (currently focused on the public sector, security and crime prevention) to proceed once the necessity test has been satisfied, without the need to complete a balancing test. This may simplify the sharing of personal data with public authorities or regulators in appropriate contexts.

  • International data transfers: the data protection test, used to determine whether the UK considers a third country or international organisation as providing "adequate" protection for personal data, is modified. The standard of protection required must not be "materially lower" than the standard provided under the UK's data protection regime. Likewise, when employers look to rely on safeguards to enable the transfer of personal data to third countries, the DUAA clarifies that employers must act reasonably and proportionately when considering whether the protections offered by the safeguards are not materially lower than those offered in the UK. This modification may offer global employers greater flexibility in managing cross-border data flows, subject to updated ICO guidance, which is expected later this year.

Next steps for employers

Below is a list of suggested steps that employers can take to prepare for the new regime:

  • ICO guidance on DSARs is expected this summer. In light of the DUAA changes and that associated guidance, review and update DSAR response processes to ensure all relevant staff understand and can implement the updated timings and the "reasonable and proportionate" standard in practice.
  • Review template letters used to push back on DSARs that are excessive, unfocused, or appear to be fishing expeditions.
  • Consider current automated decision-making processes, particularly those involving AI, to ensure appropriate safeguards are in place and the approach continues to be compliant with broader regulatory requirements. The ICO will be consulting on an update to its automated decision-making and profiling guidance in autumn 2025, and will develop a statutory code of practice on AI and ADM.
  • Review internal complaints procedures in anticipation of the new statutory right to complain, including processes for timely acknowledgment and response. Complaints guidance is expected from the ICO in the winter of 2025.
  • Identify any data processing activities that may fall within the new "recognised legitimate interests" category and consider whether current documentation and policies need updating. ICO guidance on this new legal basis is expected in the winter of 2025.
  • The ICO opened a call for views on international transfer guidance last month and is expected to publish guidance in the winter of 2025. The changes under the DUAA, read in the context of, and taking account of, any updated guidance, may provide an opportunity for employers to review their risk assessments for international transfers.
  • Provide training to HR, legal, and data protection teams on the DUAA's changes and their practical implications.
  • Communicate upcoming changes to employees, particularly around DSARs, automated decision-making, and the new complaints process, to manage expectations and promote transparency.
  • Update privacy notices, where necessary.

Looking ahead

The Employment team will be collaborating closely with our data protection specialists to deliver a practical webinar for clients. This session will be scheduled once further guidance from the ICO is available and additional regulations implementing the DUAA's measures have been issued.
