New UK Data Law Offers Flexibility, but Raises Breach Fines to £17.5m

Changes to UK data protection legislation are underway and will affect businesses.

A phased introduction of the new Data (Use and Access) Act 2025 began in June, with the aim of simplifying and modernising data compliance for firms, updating existing laws, including the UK GDPR, Data Protection Act 2018 and the Privacy & Electronic Communications Regulations (PECR).

Government hopes the Act will make life easier for businesses, while the Information Commissioner’s Office (ICO) emphasised that the changes present an opportunity for companies to re-examine compliance processes without needing to overhaul existing systems.

Helen Brain, partner and head of commercial at Square One Law, said: “The new Act is a signal from Government that it’s serious about supporting innovation while maintaining high standards of privacy protection. Many changes will be welcomed by firms, particularly those involved in scientific research or international transfers, but it’s important that the fundamentals of accountability and fairness remain unchanged.

“Companies should take the rollout of the legislation updates as an opportunity to review their data policies, refresh data protection training programmes and ensure they are ready to demonstrate compliance in accordance with the updated framework. We recommend that businesses look out for the ICO’s updated guidance and seek legal advice where necessary to ensure they’re making the most of the flexibilities the Act offers.”

Key changes introduced by the Act:

  • Improved individual rights: Companies can “stop the clock” on data subject access requests (DSARs) if they require further information from the data subject and are only required to conduct reasonable and proportionate searches.
  • Simplified international transfers: Transfers of personal data overseas are assessed under a new test requiring that the standard of protection is “not materially lower” than the UK’s, replacing the previous stricter “essentially equivalent” standard.
  • Easier for research: Businesses can more easily reuse data for scientific and public health research, with clear rules around consent and reduced notification burden.
  • Recognised legitimate interests: Introduces a new Annex to the UK GDPR listing certain recognised Legitimate Interests. For these, firms are exempt from carrying out and documenting Legitimate Interests Assessments (LIAs), but the necessity test remains.
  • Flexibility for Automated Decision Making (ADM): Companies can rely more readily on ADM for non-sensitive data, provided they continue to offer adequate notice and the right to human oversight and appeal.
  • Relaxed cookie rules: Some e-privacy rules are eased, with consent no longer required for cookies which improve website functionality and carry out analytics. However, breach penalties have significantly risen, with maximum fines of up to £17.5m.
  • Greater child protection: Businesses offering online services likely to be accessed by children must now consider child safety in their design.

The ICO is expected to release updated guidance to help organisations navigate these changes.

Square One Law’s team is ready to help organisations interpret how the new Act will affect their operations and support them in adapting their policies and practices.
