On 19th May 2025, the Data (Use and Access) Act received Royal Assent, meaning that the updates to UK GDPR and DPA2018 (collectively referred to in this message as “UK GDPR”) is now a new piece of UK data protection legislation for you to think about.
If anything, the new Act should make GDPR compliance a little easier in some areas, although it does introduce some new obligations, so here’s a quick summary of the changes:
Data Protection changes:
- Subject access requests (DSAR): only have to make reasonable and proportionate searches for a data subject requests
- Recognised legitimate interests: introduces a range of “approved” legit interests that can be used without requiring assessment, including clarifying when legit interest applies to marketing
- NEWÂ Complaint handling: need to have a data protection complaint handling process, acknowledge complaints within 30 days and respond “without undue delay”
- Assumed purposes: introduces situations where you can assume some processing is compatible with the original processing purpose
- Updated definitions: some amendments to the definitions for processing for scientific research, historical research and statistical purposes
- Automated decision making: provides a range of automated decision making legal basis for processing personal data, although safeguards still need to apply and the new basis do not apply to special category data
- Non-UK processing: some clarity about processing data outside the UK
- NEWÂ Online services used by children: requires online services used by children to take children’s needs into account when processing their data (anyone following the ICO’s Children’s Code will already be doing this)
PECR (electronic marketing) changes:
- Change to cookie rules: consent will not be needed for certain types of cookies such as those used for analytics and website improvement
- Soft opt-in for charities: charities will be able to rely on soft opt-in for their marketing activities
Also, the Information Commissioner’s Office (ICO) will become the Information Commission (IC) with a CEO and Board.
Whilst the Act has been passed, the government will phase implementation of the new law using secondary legislation. Most provisions are expected to come into force two to six months after Royal Assent (so August – December 2025), some may take up to a year – so watch this space!
