On June 19, 2025, the United Kingdom's Data Use and Access Act 2025 (DUAA) received royal assent and passed into law. The bill touches on a wide variety of matters and includes important revisions to the UK's foundational privacy legislation, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Because of the breadth of the law, the DUAA is likely to impact almost every company processing personal data in the UK. While many of the changes are aimed at easing the burden of complying with UK GDPR, there are also changes that impose additional obligations.
Data Subject Access Request Changes
The Change
The DUAA clarifies the timeline and depth of information required for responding to data subject access requests (DSARs) under the UK GDPR. The DUAA makes explicit that the period for responding to a DSAR is extended by any delay on the data subject's part in providing additional requested information or paying applicable fees. In addition, the response period may be extended by two further months upon notice to the data subject, where necessary due to the complexity or number of requests. The DUAA also confirms that in responding to DSARs, controllers need only provide such data as can be produced after a "reasonable and proportionate" search.
What To Do Now
Companies may want to update their policies and DSAR processes to give themselves additional time to respond to DSARs where permitted. Otherwise, companies could be held accountable to meet their own internal policies even when stricter than what the law itself requires.
Data Subject Rights
The Change
Under the DUAA, data subjects are entitled to an additional right to file complaints to controllers if they believe that the controller is in breach of the UK GDPR or certain obligations under the Data Protection Act 2018.
What To Do Now
Controllers will need to establish new processes, such as providing an electronically accessible complaint form, so that data subjects can file complaints, and also create policies and procedures for responding to such complaints. Further, controllers will need to modify their privacy policies to ensure that data subjects are made aware of the new right. Controllers should also note that the Secretary of State is empowered to establish future regulations requiring controllers to report the number of complaints they have received to the Information Commission, so they may want to begin tracking such complaints and be watching for new regulations.
Cookie Requirements
The Change
The DUAA establishes new exceptions to the requirement to collect consent before using tracking technologies such as cookies. Under the DUAA, consent is no longer required before using cookies to the extent cookies are used to do either of the following:
- Ensure system security and detect fraud.
- Collect information for statistical purposes to improve a service provided over the internet or the website through which such service is provided.
While the DUAA relaxes the consent requirements related to these purposes, it does not revise obligations on controllers to provide consumers with the ability to opt out in certain circumstances.
What To Do Now
Companies will need to review both consent and opt-out requirements applicable to their use of tracking technologies. With an understanding of which tracking technologies are in place and how they are used, companies should revise their consent banners and policies to permit additional exceptions.
Automated Decision Making
The Change
The DUAA provides additional clarity around automated decision making that may be restricted (or create a right to opt out). First, a decision is based solely on automated processing if there is no meaningful human involvement in the decision. Second, a decision is significant if it produces a legal effect or has a similarly significant effect on the data subject; decisions that are both solely automated and significant are the ones that are restricted. The DUAA provides that a significant decision may be made based on automated processing of special category data (i.e., sensitive data) if explicit consent is obtained or the decision is either necessary for a contract between the data subject and the controller or required by law.
What To Do Now
Companies will likely want to build in clearer definitions in their policies addressing automated decision making and reconsider when to obtain consent or provide a right to opt out of such uses. For companies that are implementing AI use cases, it is now possible to use AI for significant decisions related to special category data under the UK GDPR if the business ensures that it meets the new requirements of the DUAA. This should be done, however, only after a data protection impact assessment (DPIA).
Recognized Legitimate Interests
The Change
The UK GDPR limits the ability of companies to process personal data absent a lawful purpose. One highly contested lawful basis for processing data is that the "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party..." (and so long as such interests are not overridden by the interests or rights of the data subject). The DUAA sets forth a list of reasons for processing that are pre-approved as acceptable justifications for processing on a legitimate interests basis. These recognized legitimate interests are fairly narrow, and may not cover most companies' core business, but do cover matters of national security, crime and emergencies.
The DUAA also adds legitimate interests that may be sufficient justifications for processing personal data, but that are not recognized by default, including processing for the purposes of direct marketing, intra-group transmission of personal data for administrative purposes, and processing for ensuring the security of network and information systems. While processing that relies on these justifications will still require a legitimate interests assessment by the controller, controllers can be more confident that these are sufficient grounds for processing based on legitimate interests in most situations.
What To Do Now
Some companies may want to revisit their use cases to see if any might fit within these definitions of potential legitimate interests and, if so, potentially revisit any previously completed DPIAs to underscore at least the presumption that the relevant uses may meet the requirements of "legitimate interests."
Healthcare Standards
The Change
The DUAA amends the UK's Health and Social Care Act 2012 by granting the Secretary of State the power to establish requirements for IT systems and services used to process healthcare data. Such standards shall relate to the functionality, connectivity, interoperability, portability, storage of and access to information, and the security of such information. While such standards are still forthcoming, they may require entities processing health information in the UK to update their practices and systems to comply.
What To Do Now
Companies processing health data will want to keep an eye out for upcoming standards.
International Transfers
The Change
The DUAA loosened the standard for protection of personal data transmitted out of the UK. To permit the international transfer of personal data, the standard is now that the receiving jurisdiction's protection of data is not "materially lower" than the applicable provisions of UK law. This should allow the Secretary of State more discretion in making adequacy decisions that businesses may rely on as grounds for international transfer.
What To Do Now
Companies that have worried about transferring data outside of the UK may want to reassess whether such transfers could be permitted.
Timelines and Next Steps
Some limited provisions of the DUAA came into effect automatically with the passage of the law, but most of its measures require commencement regulations. Stage 1 came into effect on August 20, 2025, and Stage 2 came into effect on September 30, 2025. Dates for Stages 3 and 4 are forthcoming, with Stage 3 anticipated to come approximately six months after passage of the DUAA (sometime around the start of 2026), and Stage 4 anticipated to come sometime thereafter. Below is an outline of the implementation timeline. Almost all the changes directly impacting companies arrive in Stage 3 or thereafter, with earlier stages implementing, for example, regulatory authority for government bureaucracies.
Stage 1: Effective August 20, 2025
Stage 1 primarily includes the commencement of technical provisions, which clarify aspects of the legal framework and measures requiring the government to publish reports regarding AI copyright issues. Certain regulatory authority is also vested, including:
- Data Subject Rights—The Secretary of State's right to establish regulations regarding the handling of data subject complaints comes into effect under Stage 1, but actual changes to the rights of data subjects come into effect in Stage 3, as described below.
Stage 2: Effective September 30, 2025
Stage 2 includes the commencement of measures related to the establishment of a digital verification trust framework to be created by the Secretary of State, along with measures related to the retention of information by providers of internet services in connection with the death of a child.
Stage 3: Effective Approximately Six Months from the Passing of the DUAA
Stage 3 provides for the commencement of the main changes to data protection legislation and provisions on information standards for health and adult social care, including:
- Data Subject Access Request Changes
- Data Subject Rights—Changes regarding data subject rights to complain and requirements to provide notice of the right will become effective under Stage 3.
- Cookie Requirements
- Automated Decision Making
- Recognized Legitimate Interests
- International Transfers—The changes the DUAA introduces with respect to international transfers primarily relate to the standards by which the Secretary of State may approve the adequacy of data protection laws of other countries. The DUAA will have the most impact on international transfers when the Secretary of State approves by regulation the adequacy of additional countries' data privacy laws.
- Healthcare Standards—The regulatory authority for the Secretary of State to implement technical standards for IT systems used in healthcare comes into effect under this stage, but the standards themselves will not be in effect until promulgated by the Secretary of State.
Stage 4: More than Six Months from the Passing of the DUAA
Stage 4 focuses on changes to the ICO structure and public registries.
Companies processing personal information in the UK will want to take a closer look at the DUAA—it includes many details beyond the scope of this brief description. At a minimum, we anticipate entities processing UK personal data will need to update their DSAR processes, revise their privacy notices, and perhaps revisit DPIAs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.