The UK regulatory landscape for data protection and usage has substantially changed following the granting of Royal Assent to the Data (Use and Access) Act 2025 (the “Act”), with the groundwork for more changes having been laid for the future.

The Act builds upon the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”); whilst none of these regulations has been replaced, the Act makes certain changes to the existing regime with the aim of making the rules simpler for businesses and of promoting innovation and economic growth. These are noble aims, and will likely be welcomed by businesses, but it is important that businesses of all sizes understand how the Act will impact upon their data processing activities. This article summarises some of the key changes that are likely to be relevant to businesses; although some of the potential changes have not yet come into effect, it is necessary to understand what steps businesses may need to take in order to comply with (and indeed benefit from) the new regime.

Data Processing, Artificial Intelligence and Automated Decision-Making

Possibly the most impactful development presented by the Act is the change to the regulatory regime relating to automated decision-making (ADM), which is the use of AI and other automated means to make decisions. The new regime is much more permissive, with a wider range of circumstances in which personal data can be used in ADM. However, it is important that necessary safeguards are implemented, including providing people with information about significant decisions made about them, enabling people to challenge such decisions and enabling people to obtain human intervention in respect of such decisions. Tight safeguards remain on the use of sensitive personal data (such as race, gender or health) in ADM. 

As the government continues to emphasise the importance of AI development and legislation, the ADM development represents a significant change in the regulatory landscape, and opens up significant new opportunities for businesses. However, restrictions still apply, and companies need to consider them carefully.

Processing Activities

In addition to the alterations to the ADM regime, amendments have been made to various requirements relating to processing activities. In particular, the concept of further processing has been clarified, such that businesses have to consider whether additional processing aligns with the original purpose of the processing, while also accounting for the context of the original collection and considering the potential impacts on data subjects. 

The Act has also established a new lawful basis for the use of personal data: ‘recognised legitimate interest’. This establishes a list of uses, which may be amended by the Secretary of State from time to time, that will enable data controllers to use personal data without considering the impact on the individual, with initial examples including internal administrative considerations, prevention of fraud, and emergency responses. This will provide data controllers with additional options for how they choose to use personal data, and will reduce the administrative burden of producing legitimate interest assessments where a ‘recognised legitimate interest’ can be relied upon. There is also an additional category for processing that may or may not be a legitimate interest, such as direct marketing and sharing data within a group structure – companies will still have to prepare a legitimate interests assessment for these, but there is a greater presumption that these will be legitimate grounds for processing.

Individuals’ Data Rights

The position set out in the ICO’s current guidance regarding individuals’ data rights and responding to Subject Access Requests (SARs) has been codified by various provisions in the Act. For instance, it has been clarified that controllers of personal data can pause the time limit required for a response to a SAR while they seek clarity on its scope, and that a search in response to a SAR only has to be “reasonable and proportionate” to the request. In addition to this, a new right to complain has been established, whereby individuals can complain to data controllers about their general UK GDPR compliance, with a requirement for a response within 30 days.

Cookie Consent

The Act also alters some of the cookie consent requirements for websites in the UK. While consent mechanisms for browsers accepting cookies still exist, the Act allows non-essential cookies dealing with certain categories such as website performance, user preference and gathering of statistical data to be used without the requirement for consent, as well as establishing a specific list of strictly necessary cookies that don’t require consent options. This provides clarity to businesses as to what they actually need to seek consent for when building their online presence, albeit as the Act only applies in the UK, businesses with a presence outside of the UK will still need to consider their compliance requirements in other jurisdictions.

Transfers of Personal Data outside of the UK

The threshold for transferring personal data out of the UK has been amended by the Act; whereas the previous criterion was for the recipient country to have adequate data laws before data could be exported, this has now been altered so that the test is whether the other country has “materially lower” data protection provisions than the UK. This represents a simplification that may benefit data exporters, but which has raised questions about how the UK’s data protection regime aligns with the EU’s in terms of adequacy – negotiations are ongoing between the EU Commission and the UK government, and the UK government has expressed confidence that the alteration of the data protection regime shall not impact its applicability to European regulations.

The Information Commission, enforcement and fines

The Act also replaces the Information Commissioner’s Office with the Information Commission. Whilst this may be seen by some as a cosmetic change, attempts have also been made to reduce the Commission’s overall workload, with individuals being required to seek satisfactory resolutions with any organisations that they wish to make a data protection related complaint about in advance of escalating to the Commission.

There have also been additional powers granted to the Commission in terms of levying fines against businesses for data breaches. In particular, potential fines for infringing the PECR have been substantially increased to 4% of global annual turnover or £17,500,000 (from an original maximum of £500,000). This brings sanctions under PECR into alignment with the UK GDPR, and increases the importance of properly justifying and structuring direct marketing communications.

Conclusion

It is important for businesses to assess the extent to which the Act will affect their ongoing business, and how it sets the stage for future developments in the regulatory landscape. For instance, alterations to the requirements surrounding ADM may impact the workflows and technological options available to companies in a positive sense, whereas the increase in potential fines under PECR may warrant a rethink with regards to direct marketing campaigns and requirements. Data usage and protection is of paramount importance, and ensuring that you’re up to date with the latest developments as the landscape changes is vital to any business, from sole traders to multinationals.

Our Corporate and Commercial Team is well-versed in data protection and the legal requirements for businesses dealing with personal data – if you would like advice in relation to anything discussed in this article, or any other aspect of data protection, please don’t hesitate to get in touch with a member of the team at 01242 224433, or at [email protected]