UK data protection law changes – requirements to address

Data protection laws in the UK have changed, with the introduction of the Data (Use and Access) Act 2025 (DUAA), which received royal assent on 19 June 2025.

These changes bring about a number of requirements to address, explored in this article, with a particular focus on the complaint handling provisions that apply from 19 June 2026. Now is also an opportune time to review employee-facing privacy notices, in light of changes under the Employment Rights Act 2025, and where organisations are adopting new technologies.

Handling data protection complaints

Our article last year flagged how DUAA includes new rights requiring complaints to be made to the controller before being reported to the Information Commissioner’s Office (ICO).

  • Organisations must:
    • implement a complaints procedure (eg a complaints form, an email address or a complaints portal);
    • acknowledge complaints within 30 days of receipt;
    • investigate complaints without undue delay, make appropriate enquiries, and keep complainants informed on progress;
    • notify complainants of the outcome without undue delay and with clear reasoning.
  • Controllers will need to update their privacy notices (and DSAR response templates) to inform individuals that they can complain to the controller, and how to do so.
  • Controllers should train staff on how to recognise and handle data protection complaints (understanding the difference between a data protection complaint and a general complaint). They should also implement or update their complaint handling policies, procedures and template letters so that these comply with the new rules, and so that employees understand the processes and follow the timeframes for acknowledging complaints and providing updates and outcomes to complainants.
  • Controllers should maintain records of complaints, investigations, and outcomes (and be able to demonstrate timelines and communication as well as outcomes).
  • Controllers should review contracts with processors to ensure timely notification and cooperation.
  • Controllers should consider appointing a central point of contact for people to submit complaints to, as well as be clear who is responsible for coordinating investigations and liaising with complainants.

The ICO has published detailed guidance for organisations on what they should do when they receive a complaint. These changes apply from 19 June 2026.

Dealing with data subject access requests (DSARs)

DUAA codifies existing ICO guidance, setting out the timing to respond to a DSAR and ‘stop the clock’ provisions (allowing controllers to pause the time-limit for responding where clarification is required). DUAA also confirms that controllers are only required to carry out ‘reasonable and proportionate’ searches (ie they must make reasonable efforts to find and retrieve requested information but are not required to conduct searches that would be unreasonable or disproportionate).

  • Organisations should:
    • update their DSAR templates;
    • train staff on recognising DSARs, the organisation’s DSAR response process, and applicable timelines.

The ICO updated its guidance on the right of access in December 2025, to reflect the changes under DUAA. The guidance contains examples of considerations to be taken into account when deciding whether a search is reasonable and proportionate (eg the circumstances of the request, the volume of information that may need to be searched in order to respond, difficulties in finding information, and the fundamental nature of the right of access). Controllers must be able to demonstrate why a search is unreasonable or disproportionate.

Automated decision-making (ADM)

ADM refers to a significant decision made about a person (meaning one that has legal or similarly significant effects) where the decision is solely automated (meaning that there is no meaningful human involvement).

Under DUAA, restrictions on ADM are relaxed for most personal data but remain for special category data, except in certain limited circumstances.

  • Organisations using ADM must:
    • identify a lawful basis for processing and carry out a data protection impact assessment (DPIA);
    • implement safeguards (eg informing individuals about the use of ADM, providing information about a decision, allowing for individuals to make representations, the ability to call for human oversight, and the ability to contest decisions);
    • update their privacy notices to explain if and how ADM is being used, safeguards the organisation has implemented, and how individuals can make representations or challenge outcomes.
  • Organisations should update their policies to reflect new safeguards and definitions and train staff using ADM in their day-to-day activities.

The ICO has published draft guidance on ADM, including profiling, which it is consulting on.

Cookies, storage and access technologies (SATs) and Privacy and Electronic Communications Regulations (PECR)

DUAA updates PECR so that consent is no longer required to use certain cookies (ie for statistical purposes (or analytics), website appearance, and emergency assistance) if users have been given clear and comprehensive information about the cookies and their purpose, and a simple and free means to object. Consent is still required where information is being shared with third parties.

  • Organisations should:
    • audit use of cookies and SATs and assess applicability of the new exceptions;
    • conduct a DPIA where cookies or SATs pose a high risk;
    • update their cookie notices, banners and privacy information to reflect the new rules, ensuring they provide clear and comprehensive information in an easily understandable manner. Organisations must comply with transparency requirements (eg providing information on any third parties who store or access information on the user’s device or process information accessed from the user’s device, and on the duration for which any information will be stored or access to information granted);
    • ensure opt-out mechanisms are clear and easy to use (the ICO has published a checklist of key considerations for consent mechanisms to help organisations comply);
    • ensure that non-exempt cookies or SATs are not pre-enabled;
    • when designing a new online service, put in place appropriate technical and organisational measures to ensure that data protection principles are implemented and individuals’ rights are safeguarded, and consider SATs as part of the design and implementation of a service;
    • review contracts with third parties to ensure they contain appropriate provisions, particularly when planning to share information with a third party or embed its features in the organisation’s website or service;
    • ensure that records of processing activities (ROPA) reflect processing.

The ICO has published finalised guidance on the use of SATs which provides a non-exhaustive list of examples of activities that are likely to meet the new exceptions. The focus of the guidance has been extended to cover SATs as well as cookies (eg tracking pixels, link decoration and navigational tracking, device fingerprinting, web storage and scripts or tags) that are in scope of the new rules.

DUAA increases fines for breaches of the marketing rules under PECR to match UK GDPR levels: up to £17.5 million or 4% of an organisation’s annual global turnover from the preceding financial year, whichever is higher.

Charities should be aware of new rules allowing them to rely on the soft opt-in exemption to send direct email marketing without the need to obtain consent, subject to certain requirements (eg the charity is marketing to someone who has previously engaged with it, and it must provide an opt-out as well as the option to unsubscribe). Charities may wish to review their marketing practices in light of this change.

Recognised legitimate interest (RLI)

DUAA introduces ‘recognised legitimate interest’ as a new lawful basis for processing which will not require a controller to conduct a balancing test. These are: public task disclosure; processing for safeguarding national security, protecting public security, and defence; responding to emergencies; detecting, investigating, or preventing crime; and safeguarding vulnerable individuals.

DUAA also codifies processing likely to constitute a legitimate interest (intra-group transfers, direct marketing, and processing necessary to ensure the security of network and information systems).

  • Organisations should consider whether an RLI applies and update their privacy notices and ROPAs if relying on an RLI.
  • Organisations may want to review their use of legitimate interest for direct marketing.

The ICO has published guidance on RLI which explains when organisations can and cannot use it (eg it cannot be used as a lawful basis if you want to take significant decisions about individuals based on ADM). Organisations previously relying on legitimate interest may want to consider whether RLI is a more appropriate lawful basis going forwards.

The ICO has also updated its guidance on legitimate interest to reflect the changes.

Scientific research and purpose limitation

Organisations conducting scientific research should be aware of changes under DUAA which support research and innovation. Scientific research is defined as including scientific research for commercial and non-commercial purposes, and whether publicly or privately funded.

DUAA introduces changes to consent to processing for scientific research, allowing individuals to give ‘broad consent’ to an area of scientific research. It also clarifies the purpose limitation principle and ‘further processing’, setting out the conditions for processing of personal data for a new purpose to be treated as processing in a manner compatible with the original purpose and the factors to be considered. This provides more flexibility for reusing data.

  • Organisations must:
    • clearly identify and document their purpose for processing in their privacy information (and identify a lawful basis for processing);
    • only reuse personal information for a new purpose if it is compatible with the original purpose for which it was collected;
    • assess whether a new purpose is compatible with the original purpose. UK GDPR sets out certain reuses of personal information that are treated as compatible with the original purpose. If the original lawful basis is not sufficient, a new lawful basis must be identified;
    • consider whether fresh consent is required where personal information was originally collected based on consent;
    • review and update their privacy information to ensure it reflects their processing.

The ICO recently consulted on its draft guidance on the research, archiving and statistics provisions. The ICO has also updated its guidance on purpose limitation.

Steps for organisations to take

In summary, organisations should:

  • update their privacy notices, cookie notices and banners, policies and procedures, and data protection handbooks to ensure they are compliant;
  • implement a data protection complaint handling process and train staff;
  • review DSAR processes and templates;
  • audit use of ADM and update related policies;
  • map their data processing activities, which can be helpful to understand the extent of personal data being processed within an organisation.

Organisations operating in both the UK and the EU will need to consider divergence between the two regimes.

Organisations should keep up to date with the latest ICO guidance, which is being published in stages, in some cases following consultation. To help them do so, the ICO has published a list of guidance in development with an expected timescale for publication.
