The UK’s data protection landscape has shifted. The next phase of the Data (Use and Access) Act 2025 (DUAA) is now in force, bringing with it the most substantial reforms to UK data protection since the introduction of the UK GDPR. While the Act received Royal Assent back in June 2025, many organisations have been waiting for this moment, the point at which the reforms actually start to bite.
With most of the remaining data protection provisions now live, businesses must move quickly from theoretical understanding to practical implementation.
What has come into force and what hasn’t
As of now, the majority of the DUAA’s data protection reforms apply. The two key exceptions are:
- Mandatory complaints procedures, which will come into force on 19 June 2026
- Certain ICO governance reforms, which will follow at a later date
Everything else, such as lawful basis changes, DSAR reforms, automated decision-making flexibility, PECR enforcement changes, and enhanced ICO powers, is now part of the UK’s operational data protection regime.
The ICO has also confirmed that updated guidance on data protection by design and default, subject access requests, and Part 3 law enforcement codes of conduct is ready to use, with more guidance and consultations planned throughout 2026.
What businesses cannot ignore
A new lawful basis, “recognised legitimate interests”
DUAA introduces Recognised Legitimate Interests (RLI), a new lawful basis that sits alongside, but is distinct from, the existing UK GDPR “legitimate interests” ground.
RLI applies only to a closed list of five pre-approved public interest purposes, including crime prevention, safeguarding vulnerable individuals, emergency response, national security, and certain public task disclosures.
This matters because a full balancing test is not required under RLI; however, the right to object still applies and transparency obligations remain unchanged.
What businesses should do now
- Map current processing activities to see whether any could lawfully rely on RLI
- Update privacy notices and Records of Processing Activities (ROPAs)
- Ensure internal guidance makes clear when RLI can and cannot be used
This is not a “shortcut” basis. Used carelessly, it will attract regulatory attention.
DSAR reform: more practical, but still high-risk
The DUAA brings long-requested pragmatism to data subject access requests (DSARs).
Key changes include:
- Controllers only need to conduct “reasonable and proportionate” searches
- A new “stop the clock” mechanism allows time to pause while awaiting clarification
- Clearer rules on applicable response periods
Organisations should not mistake flexibility for leniency. DSAR handling is one of the most complaint-driven areas for the ICO.
What businesses should do now
- Update DSAR procedures and internal playbooks
- Train staff on what “reasonable and proportionate” means in practice
- Prepare now for the June 2026 complaints-handling obligation, which will require:
  - Acknowledgement within 30 days
  - Substantive responses without undue delay
Automated decision-making: more freedom, more accountability
The DUAA rewrites the UK’s approach to automated decision-making (ADM). Most automated decisions are now permitted provided appropriate safeguards are in place, including clear information to individuals, the right to challenge decisions and access to meaningful human intervention.
Only ADM involving special category data (such as health data) continues to require explicit consent or contractual necessity.
What businesses should do now
- Identify where ADM is being used, especially in HR, finance, marketing, and AI-driven tools
- Update privacy notices and DPIAs to reflect the new framework
- Ensure challenge and human review processes actually work in practice—not just on paper
The ICO has indicated that transparency and fairness will remain enforcement priorities.
PECR enforcement goes big
One of the most commercially significant changes sits within PECR enforcement. Maximum fines have jumped from £500k to £17.5m or 4% of global turnover, bringing PECR in line with UK GDPR penalties.
At the same time, DUAA expands cookie consent exemptions, introduces a right to opt out even where consent is not required, and allows browser-based and technical consent mechanisms.
What businesses should do now
- Reassess cookie banners and consent tools
- Determine whether exemptions apply and document that assessment
- Implement clear, free opt-out mechanisms where required
This is an area where many organisations assume they are compliant but may well be wrong.
Data transfers: a simpler test, not a lower standard
The DUAA replaces “adequacy decisions” with a data protection test, asking whether protection overseas is not materially lower than UK standards. The language has changed, but the accountability burden has not disappeared.
What businesses should do now
- Update international transfer assessments and templates
- Ensure teams understand the new terminology
- Avoid assuming the test is weaker; it is simply more flexible
A stronger, sharper regulator
The ICO now has enhanced powers, including the ability to compel witnesses to attend interviews, require technical or independent reports and demand specific documents via statutory notices.
While structural reform of the ICO itself is still pending, enforcement capability has already increased.
Businesses should expect deeper investigations, more technical scrutiny, and less tolerance for vague compliance narratives.
What should organisations be thinking about?
With the DUAA now live, organisations should prioritise:
- Updating core UK GDPR documentation. Privacy notices, lawful basis assessments, DSAR procedures and ADM disclosures all need review.
- Reviewing cookies and tracking practices, especially where analytics or functional cookies are used without consent.
- Assessing enforcement exposure, particularly under PECR and in automated decision-making contexts.
- Tracking ICO guidance closely. The ICO has published a forward plan for new and updated guidance and more consultations are coming.
- Preparing for June 2026 now. Complaints-handling obligations will require process, training, and governance changes. Leaving this until 2026 will be a mistake.
The DUAA is not a rollback of data protection; it is a recalibration. Businesses that invest now in understanding and embedding the reforms could find opportunities in the DUAA to innovate, streamline compliance, and use data more confidently. Organisations that assume the DUAA represents a softening of the data protection regime risk being caught out by stronger enforcement powers and increased fines. The risks have never been higher.
Our 10-step guide to data protection outlines the essential actions organisations should take to build and maintain a robust data protection framework. It turns complex legal requirements into a clear, practical roadmap you can use to assess your current approach and strengthen your policies, controls and practices. Get it here.