Whilst the Data (Use and Access) Act 2025 ("DUA Act 2025") received Royal Assent back in June 2025, the most significant changes under the UK's long-awaited data protection and e-privacy "reform" come into force today (5 February) - marking the most meaningful shift in this area since Brexit.
Today's changes include:
- a shift from prohibiting automated decision making, to permitting it subject to certain rules and safeguards;
- an increase in enforcement risk for e-privacy breaches from £500,000 to the higher of £17.5 million or 4% of global annual turnover, to align with the UK GDPR;
- a list of "recognised" legitimate interests, where the full balancing test is not required but necessity of decisions taken to process data for these purposes should be recorded;
- a new "data protection test" for both controllers and the UK Government to apply when considering whether a data importer has appropriate safeguards in place to protect personal data; and
- a codification of market practice (for example a new regime around complaints by data subjects which comes into force in June 2026).
The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 ("Regulations") introduce a substantial chunk of the provisions under Part 5 of the DUA Act 2025, which address amendments to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). Whilst the package includes several more "innovation-friendly" measures that drew scrutiny from the European Commission during its review of the UK's adequacy decision - particularly those relating to automated decision making and international data transfers - concerns about maintaining adequacy ultimately prevented the UK Government from pursuing the sweeping post-Brexit overhaul it had originally touted in 2021.
In this blog we consider some of the key changes introduced by the Regulations that organisations subject to UK data protection and e-privacy legislation should be aware of. For further information regarding the DUA Act 2025 please refer to our more detailed blog here.
Key changes that come into force today:
1. Automated decision making ("ADM")
s.80 of the DUA Act 2025 sets out the rules relating to ADM and is perhaps the most significant change made to the UK GDPR by the Act. It marks a shift from a prohibition on ADM with limited exceptions to permitting ADM subject to certain rules and safeguards. The prohibition remains for ADM involving special category data. ADM not involving special category data is now permitted provided that certain safeguards are in place, namely that the controller must:
- provide people with information about significant decisions made about them (i.e. transparency);
- enable people to make representations about and to challenge such decisions; and
- enable people to obtain human intervention in respect of such decisions.
This relaxation could be significant for many organisations including in the context of AI systems. In parallel it will also be interesting to monitor the progress of new Article 88c EU GDPR under the EU Digital Omnibus which appears to recognise training / development and operation of AI systems as a "legitimate interest" for the purpose of Article 6 EU GDPR.
2. Data subject access requests
ss. 75 – 77 of the DUA Act 2025 make certain amendments in respect of data subject access requests ("DSARs"). These include clarification that controllers can "stop the clock" on the time limit for responding to a DSAR if they reasonably need more information from the requester to confirm the scope of the request (e.g. where the controller processes a large amount of personal data about the requester). s. 78 of the DUA Act 2025, which clarified that controllers need only make reasonable and proportionate searches in response to a DSAR, came into force when the DUA Act 2025 received Royal Assent on 19 June 2025. These changes largely reflect current regulatory guidance in the UK. Earlier proposals allowing controllers to refuse to respond to vexatious DSARs (prompted by the perceived abuse of DSARs for reasons other than genuine concern about data processing) did not make the final cut of the DUA Act 2025. By comparison, current proposals under the EU Digital Omnibus would enable controllers to either charge a reasonable fee or refuse a request where the data subject "abuses the rights conferred by [the GDPR] for purposes other than the protection of their data".
3. "Recognised" legitimate interests
s.70 and Schedule 4 of the DUA Act 2025 establish a new lawful basis that permits processing necessary for certain "recognised" legitimate interests. Whilst the full balancing test is not required, it is still important to record the necessity of decisions taken to process data for these purposes. The list of "recognised" legitimate interests is narrow in focus: it includes, for example, processing necessary for safeguarding national security, protecting public security or for defence purposes; responding to an emergency; and detecting, investigating or preventing crime or apprehending or prosecuting offenders. Controllers that do seek to rely on this new lawful basis should also consider updating their UK privacy notices and records of processing activities (ROPAs).
4. International transfers of personal data to third countries and international organisations
s.85 and Schedule 7 of the DUA Act 2025 introduce the "data protection test" for both controllers and the UK Government to apply when considering whether a data importer's jurisdiction has appropriate safeguards in place to protect personal data. The test is whether the standard of protection in the importing jurisdiction is "materially lower" than the protection in the UK. Given that the UK Government will apply this assessment using less rigid factors than those under the EU GDPR, it remains to be seen whether the UK and EU will diverge in their assessments of which countries qualify as "adequate".
5. Cookie consent rules...
s. 112 and Schedule 12 of the DUA Act 2025 introduce a slight 'relaxation' of the cookie consent rules: consent is not required for cookies (or similar technologies) that pose a low privacy risk (e.g. certain analytics cookies). That said, users must still be given the right to opt out of these cookies (distinguishing them from strictly necessary cookies, where no such opt-out is required). Time will tell how this relaxation will play out in practice, particularly for organisations that adopt a global approach (rather than a UK-specific approach) to cookies without separating out users by location.
6. ... with higher stakes for compliance
s.115 of the DUA Act 2025 establishes a substantially higher enforcement risk for breaches of PECR (including breaches of the cookie rules). The maximum fine increases from £500,000 to the higher of £17.5 million or 4% of global annual turnover (aligning with the UK GDPR). The consequences of non-compliance have therefore just become more significant and should remain a priority for compliance teams.
7. Key changes still to come around data subject complaints
s.103 and Schedule 10 of the DUA Act 2025 relate to complaints by data subjects and come into force on 19 June 2026. These provisions include a right for data subjects to make a complaint to the controller if they believe there has been a breach of the GDPR. This effectively aligns with market practice, which is often to direct individuals to try to resolve their complaints with the controller in the first instance. However, the provisions also introduce statutory timeframes for controllers to respond to these complaints (acknowledge receipt within 30 days and respond to the complaint without undue delay), which ought to be built into organisations' complaints processes and procedures.
Revolution or more of an evolution?
Although the DUA Act 2025 is not insignificant in its potential impact, when compared to the perhaps more commercial approach adopted by the EU Digital Omnibus proposals, the UK may be left with a sense that it has missed an opportunity for more ambitious reform. That said, the DUA Act 2025 also grants the Secretary of State broad powers to introduce further regulations (including additional "recognised" legitimate interests), allowing the data protection and privacy framework to evolve without the need for new primary legislation – while keeping a close eye on the EU Digital Omnibus and maintaining UK adequacy.