The Data Protection Act 2018 (DPA) is the legislation which supplements and sits alongside the UK GDPR. Government attempts to reform this framework to make it more specific to UK circumstances have had a difficult gestation period, and the outcome is a set of relatively minor changes with a practical impact on the day-to-day operation of UK data protection law. The reforms now in the course of being implemented are found in the Data (Use and Access) Act 2025 (DUAA).
Oversight of enforcement is changing
The importance placed on compliance oversight is reflected in one of the longer-term structural changes: the replacement of the current Information Commissioner's Office (ICO) with a new Information Commission. The new body will have a corporate structure similar to OFCOM, with a board and a Chief Executive rather than a single Commissioner. The change is expected to take effect in 2027.
International transfers of personal data – an important change in emphasis
The DUAA allows the Secretary of State to approve transfers to another country where its standard of data protection is 'not materially lower' than the UK's, moving away from the GDPR's stricter 'essentially equivalent' test. This change does not affect current policy or existing adequacy decisions, but it may give the UK more flexibility on international data transfers in future.
DSARs (Data Subject Access Requests) guidance now becomes law
The DUAA will make existing ICO guidance on Data Subject Access Requests (DSARs) part of UK law. If your organisation already follows DSAR best practices, your current processes are unlikely to need major changes.
Here’s what the new legal provisions clarify:
- The one-month deadline for responding begins only after you have confirmed the requester’s identity
- If you need clarification about the identity of the person submitting the request or about the scope of the request, you can 'stop the clock' until a reply is received
- You are only required to conduct a search that is ‘reasonable and proportionate’
One significant addition: if you withhold information on the basis of legal professional privilege or client confidentiality, you must now explain clearly to the individual which exemption is being relied on and why. Individuals also gain the right to ask the ICO to review how these exemptions were applied, adding a further layer of transparency and accountability.
Automated decision making – the rules are changing
The UK GDPR restricts solely automated decisions that have legal or similarly significant effects on individuals. The DUAA relaxes these rules for decisions that do not involve special category data (e.g. health, race, biometrics), giving organisations more flexibility to use AI and other automated tools. The Act also defines what counts as a 'significant decision' and what amounts to 'meaningful human involvement', clarifying when human oversight is required and what it must look like. Organisations should review their automated workflows, ensure that clear and accountable human review processes are in place where they are still required, and consider whether further automation is now possible under the new rules.
Recognised Legitimate Interest – a new basis for lawfully sharing information
The DUAA introduces 'Recognised Legitimate Interests', removing the need for a Legitimate Interests Assessment (LIA) when personal data is processed for one of the specific purposes listed in the new Annex 1 to the UK GDPR, inserted by Schedule 4 of the Data (Use and Access) Act 2025:
- Disclosures to public bodies for public functions
- Processing for security, defence, or emergency response
- Preventing or detecting crime and safeguarding vulnerable individuals
This provision benefits organisations that share data with public authorities, such as education authorities that regularly process data to protect vulnerable people or to prevent harm.
A new basis for using data in research activities
The DUAA makes clear that 'scientific research' can be commercial as well as non-commercial, increasing flexibility to reuse personal data for compatible research projects. This change is important for businesses looking to validate the educational outcomes achievable with their products and, of course, for academic institutions, as it may expand the lawful secondary use of data while keeping the necessary safeguards in place.
Charities will benefit from an extension of the soft opt-in rules for marketing
Charities will soon be able to rely on the 'soft opt-in' exemption for electronic marketing, which until now has been available only to commercial organisations. Provided the relevant conditions are met, they will be able to send marketing to existing supporters on an opt-out basis rather than needing prior opt-in consent.
Is there an implementation timetable?
No detailed timetable has been published by the government. The new provisions will be brought into force gradually by commencement regulations, giving organisations time to adapt to any extra requirements or to adjust their current procedures. Some parts of the Act may come into effect sooner, but most are expected to have a transition period of up to a year.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
Read the other articles from our latest Commercial Education update