UK data protection law changes and EU GDPR simplification proposals: what you need to know

Posted: 19/06/2025
UK: Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUA Act) has today received royal assent, marking a significant update to the UK's data protection laws. 

The Data (Use and Access) Bill was passed on 11 June 2025 after a period of ping-pong between the House of Lords and the House of Commons. While not a radical overhaul, it introduces important changes that businesses and organisations need to prepare for. It aims to modernise data use, support innovation, and streamline compliance without straying too far from the core principles of the UK GDPR. The full text has not yet been published, but the proposed simplifications should mean less red tape when it comes to using personal data, whilst providing greater regulatory certainty for businesses, empowering them to use personal data responsibly and speeding up innovation in the UK. 

The reason the bill took so long to pass through Parliament was the introduction by the House of Lords of amendments focusing on data-scraping and the use of copyright works to train general purpose AI models. These amendments have been dropped (subject to a compromise that the government will publish a report on its copyright and AI proposals within nine months of the bill receiving royal assent and an interim report being published within six months), allowing the bill to finally pass.

Key changes at a glance

International data transfers

  • The DUA Act introduces a new data protection test for the Secretary of State when assessing a country's standard of data protection in connection with granting adequacy. The new test will be whether a country’s protections are 'not materially lower' than the standard in the UK, rather than 'essentially equivalent' as under existing rules.
  • This change could affect the UK’s adequacy status with the EU and has certainly raised a few eyebrows. The current UK adequacy decision has already been extended from 27 June 2025 (the European Commission granted a six-month extension until 27 December 2025) to allow time for the bill to pass into law and for the European Commission to assess its impact on data transfers. However, it may make it easier for the UK to facilitate international data transfers with other jurisdictions.

Automated decision-making (ADM)

  • Restrictions on ADM are relaxed for most personal data but remain strict for special category data (eg health data). New terms like 'significant decision' and 'meaningful human involvement' are introduced. Significant decisions made by solely automated means (ie without meaningful human involvement) based on processing of special categories of data are prohibited except in certain limited circumstances.
  • Organisations carrying out ADM must offer safeguards like providing information about a decision, allowing for individuals to make representations, the ability to call for human oversight and the ability to contest decisions.

Cookies and Privacy and Electronic Communications Regulations (PECR)

  • Consent rules for low-risk cookies are relaxed (eg for analytics, site optimisation and emergency assistance cookies). Under the DUA Act organisations will not need explicit consent as long as users are provided with information about how cookies are being used and have the option to opt out.
  • Fines for breaches of marketing rules under the PECR are increased to match UK GDPR levels up to £17.5 million or 4% of an organisation's annual global turnover from the preceding financial year, whichever is higher.
  • Charities will now be able to rely on the soft opt-in exemption to send direct email marketing without needing to obtain consent, subject to certain requirements (eg the charity is marketing to someone who has previously engaged with it, the charity must provide an opt-out as well as the option to unsubscribe). 

Data subject access requests (DSARs)

  • The DSAR rules set out in ICO guidance are codified.
  • The DUA Act sets out timing for DSAR responses, including 'stop the clock' provisions.
  • Controllers must only carry out 'reasonable and proportionate' searches, which will be a welcome change for many organisations.
  • Organisations must now explain when they withhold data due to legal professional privilege.

Simplifications – supporting research and innovation

  • The DUA Act provides a new definition of scientific research to include scientific research for commercial and non-commercial purposes, and whether publicly or privately funded.
  • There are also changes to consent to processing for scientific research, which clarify that individuals can give ‘broad consent’ to an area of scientific research.
  • The DUA Act clarifies the purpose limitation principle and 'further processing', setting out the conditions for processing of personal data for a new purpose to be treated as processing in a manner compatible with the original purpose and factors to be considered. It is hoped that this will provide more flexibility for reusing data.
  • The DUA Act introduces 'recognised legitimate interests', which will not require a controller to conduct a balancing test, as well as examples of types of processing that may be legitimate interests (eg intra-group transfers of personal data, direct marketing, and processing necessary for ensuring the security of network and information systems).

New complaints rights

  • The DUA Act includes new rules requiring that complaints be made to the controller before being reported to the ICO. Organisations will need to implement a complaints procedure and must respond to complaints within 30 days.

Potential additional special categories of personal data

  • The DUA Act includes the power for the Secretary of State to add new types of special category personal data.

The DUA Act also sees the ICO being abolished and the setting up of the Information Commission (IC), which will be restructured and expanded to include new roles in relation to emerging technologies.

What to do now:

While most provisions will not take effect immediately (as they are dependent on secondary legislation), here are some practical steps businesses and organisations can take to prepare:

Understand what personal data is held and how it is being used
Organisations should carry out or update a data mapping exercise. This is an important step for compliance, to regularly ensure that the extent of personal data processing within an organisation is understood (particularly in light of the increasingly widespread adoption of artificial intelligence and associated regulatory requirements in that regard). Consider whether any special categories of personal data are being processed. Review and refresh privacy notices.

Review automated decision-making  
Audit use of automated decision-making. Update policies to reflect new safeguards and definitions.

Update DSAR procedures
Revise the templates of DSAR response letters to include the required information (eg new exemption explanations). Train staff on the updated DSAR response process.

Audit cookie use
Identify which cookies may be considered 'low risk' and update cookie notices and banners. Ensure opt-out mechanisms are clear and easy to use.

Check marketing practices
Review use of legitimate interests for direct marketing. Charities may want to consider switching to the new 'soft opt-in' model.

Monitor guidance
Businesses and organisations should review IC guidance regularly to ensure they are up to date with the latest developments, particularly new codes of practice for AI.

Implement a complaints handling procedure
Implement a complaints procedure and train staff on new processes and timescales.

Most organisations will not need a complete overhaul of their compliance frameworks, but early preparation is key to ensure a smooth transition to the new laws. 

EU simplification proposals

Alongside the UK updates, the European Commission has also proposed targeted changes to the EU General Data Protection Regulation (EU GDPR) as part of its fourth simplification Omnibus Package. The proposals aim to simplify rules and reduce compliance burdens for growing businesses, while maintaining strong data protection standards.

Key proposed changes

Simplified record-keeping (Article 30(5))

  • Currently, organisations with fewer than 250 employees are exempt from keeping detailed records of data processing activities (RoPA), but only if their processing is occasional, does not result in a 'risk' to the rights and freedoms of data subjects, and does not involve special categories of data or personal data relating to criminal convictions and offences.
  • Under the proposals the scope of the exemption would be expanded so that it would apply to organisations with fewer than 750 employees unless their processing is likely to result in a 'high risk' to the rights and freedoms of data subjects. 

Clarification on employment-related processing

  • A new recital clarifies that processing of special categories of data in accordance with Article 9(2)(b) (employment, social security and social protection law) does not automatically trigger the obligation to maintain a RoPA. 

New business category: small-mid caps (SMCs)

  • A new business category is introduced for SMCs: companies with fewer than 750 employees and either up to €150 million in turnover or €129 million in balance sheet assets. These SMCs will be able to access certain existing benefits available to small and medium-sized enterprises which aim to offer simplification and a reduced administrative burden. It is hoped that this will also provide better incentives for SMEs to grow and become more competitive.
  • SMCs will be explicitly considered in EU GDPR provisions on codes of conduct (Article 40) and data protection certification mechanisms (Article 42), ensuring their needs are reflected. 

What you should consider:

Whilst these changes are not yet law, they signal a shift towards risk-based compliance and support for growing businesses. Here are some suggestions for how businesses and organisations can prepare: 

Assess risk profile
Review data processing activities to determine if any are 'high risk' under EU GDPR Article 35. If not, the organisation may benefit from reduced record-keeping obligations under the new rules.

Revisit record-keeping requirements
If currently maintaining a RoPA, consider whether this will still be needed under the proposed 750-employee threshold.

Monitor for SMC eligibility
If the organisation is growing beyond SME status, check to see if it will qualify as an SMC. 

Stay informed
Look out for updates from the European Commission and relevant data protection authorities.

What next?

The EU's GDPR reforms aim to ease compliance for growing businesses without compromising data protection. While the changes are still proposals, they reflect a broader trend toward proportional, risk-based regulation. Now is a good time to review data practices and prepare for a potentially more flexible compliance landscape. The European Data Protection Board and European Data Protection Supervisor have already issued a joint letter expressing preliminary support for the proposals, and it is expected that they will complete the EU legislative process later this year or early in 2026.

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.