
Important changes to UK data protection law came into force on 5th February 2026 under the Data (Use and Access) Act 2025.

The good news is that most of these changes make compliance easier rather than adding new burdens. Below is a summary of what’s changed and what (if anything) you need to do.

Data Subject Access Requests (DSARs)

You can now formally “stop the clock” on DSAR response deadlines while waiting for clarification from the requester. This was already ICO guidance, but it’s now statutory. The law also confirms that searches must be “reasonable and proportionate”.

Action: Update your DSAR procedures to document when and how you request clarification.

Automated Decision-Making

The prohibition on automated decision-making has been significantly relaxed. You can now make automated decisions (including using AI) without explicit consent, provided:

  • You’re not processing special category data (health, ethnicity, etc.)
  • You provide appropriate safeguards (information, right to contest, human review)

Action: If you use automated decision-making, review whether you can simplify your approach.

Legitimate Interests

A new lawful basis called “recognised legitimate interests” is available for specific purposes including crime prevention, emergencies, and safeguarding. For these purposes, you don’t need to do a balancing test. There’s also a helpful list of examples for standard legitimate interests (like direct marketing and intra-group sharing), though these still require a legitimate interests assessment (and aren’t really anything we didn’t already know anyway).

International Data Transfers

A more flexible “data protection test” now applies – the recipient country’s standards must not be “materially lower” than the UK’s (rather than “essentially equivalent”). This is particularly useful when considering Transfer Risk Assessments (TRAs), although in reality it is unlikely to make that much difference.

Cookie Rules (PECR)

Consent requirements have been relaxed for certain cookies used only for statistics or functionality, provided you offer an opt-out. However, penalties for PECR breaches have increased dramatically – from £500,000 to £17.5 million or 4% of global turnover.

Services Accessed by Children

If your services are likely to be accessed by children, you must now consider “children’s higher protection matters” in your design, including age-appropriate safeguards and awareness of children’s rights. Essentially the Children’s Code is now statutory and applies to any service likely to be accessed by a child, rather than services aimed at children.

What’s Still to Come

The process for handling complaints which the Act introduces is still outstanding, due to take effect 19th June 2026. Essentially, data subjects will have a statutory right to complain directly to you. You’ll need to acknowledge complaints within 30 days and respond “as soon as possible”. The ICO have now published their guidance since their consultation, so I’ll provide further guidance on this shortly.
