ARTICLE
24 February 2026

Key Data Protection Changes Under The Data (Use And Access) Act 2025 Come Into Force On February 5 2026

A&O Shearman

Contributor


On February 5 2026, the Data (Use and Access) Act 2025 (Commencement No.6 and Transitional and Saving Provisions) Regulations 2026 (Commencement Regulation) came into force, implementing the bulk of the Data (Use and Access) Act 2025 (DUAA) provisions that amend or supplement the UK GDPR, the Privacy and Electronic Communications Regulations 2003 and the Data Protection Act 2018.

Some of the key data protection and e-privacy related changes include:

  • Recognised legitimate interests: DUAA introduces a new "recognised legitimate interests" legal basis, which permits organisations to process personal data if their processing is necessary to fulfil one of five new recognised legitimate interests that are now set out in the UK GDPR. The obligation to balance the interests of the organisation against those of the individuals whose personal data is being processed does not apply if relying on one of the five new recognised legitimate interests.
  • Automated decision-making: organisations may now rely on any lawful basis, including legitimate interests (but not the new recognised legitimate interests) for automated decision-making, subject to appropriate safeguards being in place.
  • Processing for a new purpose: the rules on re-purposing personal data have been clarified and broadened, with wider circumstances (e.g., scientific research, historical research and statistical purposes, public security, and detecting, investigating or preventing crime, etc.) now considered compatible with the original purpose of collection.
  • Data subject rights: DUAA clarifies that the response deadline for data subject requests starts when the organisation receives: (i) the request; (ii) further information the organisation has requested from the data subject to verify the requestor's identity (if applicable); or (iii) a fee, if the organisation has requested a fee for a manifestly unfounded or excessive request. Organisations are only required to conduct reasonable and proportionate searches when responding to subject access requests. DUAA also introduces a right for individuals to complain directly to organisations if they believe their data has been misused.
  • Data protection by design: organisations providing online services likely to be accessed by children need to consider how children can best be protected and supported when implementing safeguards, recognising that children deserve extra protection as they may not fully understand how their data is used and that their needs vary by age and developmental stage.
  • International transfers: when transferring personal data internationally, the required standard of protection has changed from "essentially equivalent" to "not materially lower" than UK standards.
  • Cookies: DUAA sets out new exemptions which, if relied on, mean that an organisation does not need to collect individual data subject consent to store information using cookies, including, for example, if the purpose of the cookie is to collect statistical information about how a website or service is used, or enabling the website to adapt its appearance or functions in accordance with someone's preferences.
  • Enforcement powers of the ICO: DUAA strengthens the Information Commissioner's Office (ICO) enforcement powers by enabling it to compel witness interviews and demand that controllers or processors produce reports to support investigations. It also increases the maximum fine that can be imposed under the PECR from £500,000 to £17.5 million or 4% of global turnover (whichever is higher).

We discuss the changes introduced by DUAA in greater detail in our three-part podcast series, available here: Part 1, Part 2, and Part 3.

The Commencement Regulation is available here, and DUAA is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
