- Royal assent – 19 June 2025
- Introduces reforms to UK data protection framework to assist organisations in using personal data responsibly
- Makes changes to:
- United Kingdom General Data Protection Regulation
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (PECR)
- Minor relaxation of data protection requirements- streamline data protection laws
- Most reforms to be introduced in 2026
- ICO issuing guidance and codes in relation to the same
Changes in relation to Data Protection law :
- New lawful ground ‘recognised legitimate interests’- need to carry out balancing assessment is removed;
- Removal of explicit consent requirements for non-intrusive cookies such as statistical data collection and remembering viewing preferences and user locations
- Bringing enforcement powers under PECR, including fines, in line with UK GDPR. PECR fines were previously limited to £500,000
- Widening of grounds that can be relied upon for solely automated decisions- includes being be able to rely on legitimate interests where special category data is not being processed
- Simplification of scientific research provisions
- Clarifications on dealing with subject access requests such as time limits and the scope of searches
- New requirement to help individuals who want to make a complaint to you
Other changes introduced by DUAA- provisions about access to customer data and business data
- Smart Data Schemes: new initiatives to enhance data sharing and innovation across industries;
- Digital Verification Services: establishment of a framework for secure and efficient digital identity verification;
- National Underground Asset Register: creation of a digital register of underground infrastructure to improve the management and safety of underground assets
| Introducing a 7th lawful basis for processing personal data: “Recognised legitimate interests”
– Separate to existing “legitimate interests” basis under Art 6(1)(f) – Before DUAA if an organisation relied on legitimate interests, it had to carry out a balancing test weighing interests of organisation against individual’s rights and freedoms |
Timeline for imposing changes:
| 19 June 2025 | · Receives royal assent
· S142(2): provisions that come into force immediately: S78: reasonable and proportionate searches in response to DSARs S126: addresses retention of biometric data and recordable offences S127: concerns retention of pseudonymised biometric data |
| 19 August 2025 | |
| 20 August 2025 | |
| 2 September 2025 | |
| 4 and 5 September 2025 | |
| 30 September 2025 | |
| 17 November 2026 | |
| 19 December 2025 | |
| 27 December 2025 | |
| 19 March 2026 | |
| Mid-June 2026 | · All DUAA changes should be in force. ICO guidance to be published in final form. |
ICO has advised that the law will be applied as it stands at the time the infringement took place, rather than the date any complaint or report was received or when the infringement was detected.
What should businesses do?
- Engage with ICO draft guidance on data protection complaints and new lawful basis for processing personal data ‘recognised legitimate interest’
- Look out for updated ICO guidance
- Conduct a review of cookies policies (relaxed rules in relation to cookies)
- Check DSAR procedures reflect latest rules
- Start work on procedure for data protection complaints that comply with DUAA requirements. Staff may need training.
- Be aware that fines for breach of PECR are increasing (carry out audit of direct marketing activities)
- Consider whether amends are required to existing or template data sharing agreements (eg include obligation on service provider to support complaints from data subjects. If transferring data outside of the UK and will need to update transfer risk assessments.)