Just as businesses are becoming familiar with their obligations under GDPR, the UK government has finalised new legislation to make updates to the data protection regime.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. The good news is that the DUAA generally refines existing rules and clarifies some areas that have proved problematic — there are no wholesale changes to the GDPR regime. Changes under the DUAA are expected to come into force in stages throughout 2025/26 and this note summarises some of the key updates on the horizon.
Data protection
- Those responsible for managing data subject access requests (“DSARs” or “SARs”) on behalf of their organisation will appreciate this area is complex. The DUAA provides welcome clarification that an organisation only has to carry out “reasonable and proportionate searches” for relevant information.
- If your organisation operates an online service that may appeal to children, the obligation to address data privacy by default and design is now expanded to include specific child-friendly considerations. This becomes a strict obligation on controllers, elevating the current position from expecting controllers to comply with guidance.
- Processing of personal data under GDPR must be justified on one of six lawful bases, one of which is “legitimate interests”. The legitimate interests basis is available where: (i) the data processing in question is necessary; and (ii) a balancing test is satisfied, to ensure the interest in question does not outweigh any risk to individuals’ rights. This balancing test should be documented but is often overlooked.
- The DUAA introduces the concept of “recognised legitimate interests”, where there is still a requirement that the processing be necessary but no balancing test is required – this covers specified situations such as safeguarding vulnerable individuals and responding to emergencies.
- The DUAA also indicates that direct marketing, transfers between group companies for administrative purposes and ensuring system security may be considered necessary processing for the purposes of relying on legitimate interests, which gives weight to justifying these uses (previously only mentioned within the preamble to GDPR).
- Requirements for lawful international transfers of personal data will be slightly stricter. The organisation exporting personal data must determine that the standard of protection provided by the recipient country’s data protection regime is “not materially lower” than the standard of the protection provided in the UK (a shift from requiring that the protection offered under the UK regime is “not undermined” by the transfer). The exporter must act reasonably and proportionately when considering this question - encompassing the “transfer risk assessment” that has been good practice for some time but not mandatory. Such risk assessments should therefore be documented if this practice is not already in place.
- Not an obligation per se, but something to bear in mind: the DUAA expands the powers of the Information Commissioner’s Office (“ICO”, the UK data protection regulator). One such power is a new right for the ICO to issue an “interview notice” when investigating non-compliance, requiring a current or former employee, manager or other worker of an organisation to answer questions (rather than relying on the general obligation for controllers to cooperate with the ICO). This is a seemingly minor update, but it adds significant weight to the ICO’s investigatory powers and increases the pressure on organisations to manage compliance.
Electronic communications
The DUAA also implements updates to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the Regulations”), the rules that govern direct marketing and electronic communications. These rules have been awaiting update for some time, and most of the changes align definitions and timescales with GDPR. The update also brings a welcome change to enforcement powers, permitting the ICO to issue monetary penalties of up to £17.5 million.
Marketers will be familiar with the “soft opt-in” rule, whereby (subject to certain conditions) an organisation may send electronic marketing to individuals who have purchased or enquired about similar goods or services in the past, without requiring opt-in consent to marketing. The soft opt-in is now extended to charities on the same basis, so it will apply where the charity:
- obtains the contact details when the person offers support to, or expresses an interest in, its charitable purposes;
- gives the person an “unsubscribe” option at the time of collecting their contact details; and
- gives the person the same opportunity to unsubscribe each time the charity contacts them.
Updates also include changes to the rules on storing cookies or accessing information on individuals’ devices. The current position is that clear information about the purpose of any cookies (or similar technologies) must be provided and, unless the cookies are strictly necessary, opt-in consent must be obtained before the cookies are set on a user’s device. This principle is retained, but the Regulations are updated to include additional instances in which cookies may be used without consent:
- the storage or access is necessary for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
- the storage or access is “strictly necessary” to provide an information society service;
- the storage or access is for the sole purpose of enabling a service provider to collect information for statistical purposes about how their online service is used;
- the storage or access is for the sole purpose of enabling a service to adapt its appearance or functions in accordance with someone’s preferences; and
- the storage or access is for the sole purpose of working out the subscriber or user’s geographical location when they request emergency assistance.
Preparing for implementation
The detail of certain rules is yet to be defined as we await updates to the ICO’s formal guidance. However, these are useful headline changes to bear in mind for planning purposes, especially for those tasked with managing data protection compliance.
Our specialist data protection lawyers would be happy to advise should you wish to discuss any compliance queries.