
Contributors: Joseph Fitzgibbon, Murron Marr
Date published: 21 April 2026
Significant changes to UK Data Protection Legislation – are you still compliant?
The Data (Use and Access) Act 2025 (the DUAA) officially became law in June 2025, with a phased enforcement model under which different provisions take effect at different times. On 5 February 2026, many more came into force, making key changes to the UK General Data Protection Regulation (the UK GDPR) and the Data Protection Act 2018 (the DPA).
This article looks at the key changes, and suggests actions that affected businesses should be considering now.
Key changes
One of the most significant changes relates to the transfer of personal data outside of the UK. Previously, whether personal data could be transferred outside of the UK depended on whether the transfer was deemed to be “adequate”. That might be because the jurisdiction in question had been given an adequacy determination (i.e. that the jurisdiction’s data protection practices were equivalent to those of the UK), or because “appropriate safeguards” were in place, such as standard contractual clauses. There are also separate provisions for transfers in exceptional situations – for example where the data subject has given explicit consent, or where the transfer is necessary for the performance of a contract.
Chapter 5 of the UK GDPR (which deals with international transfers) has now been significantly updated. A new Article 44A sets out the general principles of transfer, and refers to a new “Data Protection Test”. Similarly, new Articles 45A, 45B and 45C set out how the Secretary of State will evaluate whether the data protection practices of a relevant jurisdiction meet that test. The new assessment looks at whether the laws and practices are “not materially lower” than the standards in the UK – a small but significant shift that could result in new jurisdictions being granted adequacy. The new threshold accepts minor differences in data protection regimes between countries, provided the overall, substantive level of protection is not materially lower than that of the UK.
Other changes, to Article 46, will affect organisations that rely on safeguards as the basis for their international transfers. It is no longer enough for safeguards to be put in place: there must also be an assessment of the data protection test for the relevant jurisdiction, so there is now a statutory requirement for transfer risk assessments to be done. Businesses that have been relying on standard contractual clauses to provide safeguards would be well advised to review these, to ensure that an appropriate risk assessment has been completed for each relevant transfer.
Other significant changes include the following.
A new lawful processing basis has been added to Article 6 of the UK GDPR. These “recognised legitimate interests” cover processing of personal data for purposes related to national security and defence, emergencies, crime prevention and safeguarding. Organisations do not have to complete a legitimate interests assessment when processing personal data under this basis. A new Annex 1 to the UK GDPR sets out these recognised legitimate interests.
New Article 15(1A) of the UK GDPR means that a controller need only undertake a “reasonable and proportionate search” of their records when responding to a Data Subject Access Request (DSAR). This effectively codifies the existing approach. Similarly, Article 12 and a new Article 12A provide detail on when dealing with a DSAR can be paused, or where the time limit for dealing with a DSAR can be extended.
The restrictions on automated decision-making (ADM) that involve non-sensitive personal data (Article 22 of the UK GDPR) have been relaxed. This will enable organisations to make quicker and more accurate decisions when implementing ADM for processing high volumes of data, provided that there is no sensitive personal data involved.
New provisions further protect and support children when using certain online services (websites, apps, search engines, social media etc.) (Article 25 of the UK GDPR). Where organisations are processing personal data in the provision of these online services, they are under an obligation to consider how children can best be protected and supported when using the services. Online services must ensure children’s privacy by default (as opposed to it being an option that is given to the user), collect only the minimum amount of personal data necessary, draft privacy notices in age-appropriate language, and use reasonable measures to verify the age of users to identify when users are children.
A broader definition of “scientific research” now includes research that is publicly or privately funded and carried out by commercial and/or non-commercial entities (new Article 4(2) of UK GDPR). The rules around obtaining consent for scientific research processing have also changed (new Article 4(6) and (7) of UK GDPR), and new safeguards have been introduced for processing for research-related purposes (inserted in a new Chapter 8A of UK GDPR). The update is expected to simplify data protection compliance for academic institutions and private companies engaged in research activities.
Changes to the Privacy and Electronic Communications Regulations 2003 (“PECR”) provide new exemptions from cookie consent (a new Schedule A1), relating to specific analytical and functional cookies, and those used for security and fraud detection purposes. Removing the consent requirement for these categories of cookies is intended to streamline the process, so that service providers need to secure cookie consent only for the specific categories of cookies that still require it.
The Information Commissioner’s Office (“ICO”), through amendments to section 157 DPA and Article 83 of the UK GDPR, now has enhanced enforcement powers in relation to PECR, including the power to issue increased maximum fines of up to £17.5m or 4% of an organisation’s global turnover (whichever is higher). Such fines were previously capped at £500,000. This now brings the ICO’s enforcement powers under PECR in line with those under the UK GDPR.
Charities can now take the benefit of a ‘charitable purposes’ soft opt-in under PECR (new paragraph 3A in Regulation 22). This will allow them to carry out electronic marketing to individuals who have contacted them for other reasons.
Important upcoming change
On 19 June 2026, there will be a further important change to the DPA: data subjects will have a specific right to complain to a controller. The controller will need to acknowledge the complaint within 30 days of receipt and provide a full response “without undue delay”. Full ICO guidance is expected before the new complaints procedure is implemented, but in the meantime it is worth noting that the ICO is already expecting data subjects to raise a complaint with the relevant controller before contacting the ICO about their issue.
Controllers should therefore already be taking steps to produce and publish a complaints procedure, and informing subjects as to how to file a complaint and how these will be processed. Many organisations will build on existing procedures, but others may choose to put a specific data protection complaints procedure in place. Either way, privacy notices will need to be updated to reflect this.
Practical implications
The aim of DUAA was, amongst other things, to make compliance with UK GDPR and PECR easier. For that reason, organisations should be reviewing and updating their policies and procedures to reflect the new provisions but at the same time ensuring that they are compliant with relevant laws, particularly in light of the new enforcement powers under PECR.
Key actions to be taking now
International Data Transfers
- Update international transfer documentation to reflect the new “Data Protection Test”
- Review existing data flows to check whether they meet the new “Data Protection Test”
Lawful Basis
- Identify processing activities that may fall under the new “recognised legitimate interests” lawful basis
- Update privacy notices to include this new lawful basis where used
Automated Decision-Making (ADM)
- Review automated systems that process non-sensitive personal data to take advantage of the less restrictive ADM rules
Scientific Research Processing
- Re-assess research activities in light of the broader definition of “scientific research”
Cookie Compliance/Email marketing
- Remove unnecessary cookie banners for categories that no longer require consent
- Update cookie notices to reflect the changes made
- For charities, consider whether they wish to update their marketing practices to take the benefit of the charitable purposes soft opt-in
Data subject access requests
- Review DSAR procedures to see if they need to be updated
Complaints Procedure
- Prepare and publish a complaints procedure ahead of June 2026
- Adapt privacy notices to reflect this
If you have any questions, please get in touch with a member of our Data Protection and Privacy team.
This article was co-authored by Trainee Patrick Kelly.
Contributors: Joseph Fitzgibbon (Senior Associate), Murron Marr (Senior Solicitor)