
Blink and you’ll miss it: Important data protection law changes brought into force under the radar


With very little fanfare (which is unusual given the subject matter!) a number of new key provisions of the Data (Use and Access) Act 2025 (“DUAA”) came into effect on 5 February 2026.

Although most legal commentators argue that the DUAA, which is part of the UK’s attempt to update data protection law post-Brexit, was evolution rather than revolution, the new changes will impact your business and how it uses personal data. Ignore the lack of headlines this time around: these changes are now in force, and for regulatory compliance, financial and reputational reasons your business should not fall foul of them while processing personal data.

Key changes from 5 February include:

PECR fines increased

Maximum fines for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which govern the use of cookies and e-marketing, for example, have been increased from £500,000 to £17.5 million or 4% of global turnover. This eye-watering increase, which brings PECR into line with UK GDPR levels, highlights the importance of PECR compliance for your business.

Purpose limitation

In addition to clarifying factors in relation to data re-use (which includes the possible impact upon a data subject and the existence of appropriate safeguards), the DUAA sets out when personal data may be processed for purposes other than those for which the personal data was originally obtained. Subject to the relevant legal bases for use of such personal data, potential compatible purposes include research, archiving or statistical purposes.

This change may impact the drafting and interpretation of your business’ Privacy Notices and should be considered carefully in relation to its application.

Automated decision making

Longstanding prohibitions on the use of personal data for solely automated decision making in significant decisions affecting a data subject have, on the face of it, been narrowed so that they apply only to automated decision making based wholly or partly on ‘special categories of personal data’ (e.g. health and ethnicity data), unless specific legal bases of processing are relied upon. Automated decision making that is not based upon ‘special categories of personal data’ will now have a wider pool of possible legal bases to rely upon, provided that certain safeguards are applied.

This subtle, but important, change could have wide-ranging effects upon your business’s decision-making processes.

Recognised legitimate interests

A change which will be close to the heart of many DPOs will be the coming into force of the new recognised legitimate interests (“RLIs”).  Specific RLIs include the processing necessary for the detection, investigation or prevention of crime; processing necessary for national security; and processing for requests made by bodies acting in the public interest, for processing by those bodies.

Another boon for businesses (and their DPOs) is the fact that reliance upon RLIs will not require the usual Legitimate Interest balancing tests, therefore reducing burdensome red tape and often difficult and complex considerations.

In conclusion, the above changes (including others ranging from a relaxation of cookie consents to a reformation of the international data transfer test) coming into force are key to your business and will potentially benefit your use of personal data, a valuable business asset.  Ensure your business is fully aware of such DUAA provisions.

For expert guidance on any issues relating to data protection law, contact our data protection solicitors.


Written by:

Sean Crotty


Partner

Sean is a Weightmans partner in our commercials team and leads our Digital, Technical and Data team. He specialises in a wide range of strategic and complex data, IT, media, entertainment, commercial and intellectual property issues.
