UK data protection reform, key updates from the Data Use and Access Act

Alisha Nasim

Key updates from the Data (Use and Access) Act 2025, covering the changes it makes to the UK GDPR, the Data Protection Act 2018 and PECR, and what organisations need to do ahead of February 2026.

Significant reforms to UK data protection and ePrivacy law take effect on 5 February 2026 under the Data (Use and Access) Act 2025 (DUAA). The Act amends rather than replaces the UK GDPR, Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). While core data protection principles remain intact, several material changes affect lawful bases, subject access rights, automated decision making, cookies, international transfers, and regulatory enforcement powers.

This document summarises the key changes and highlights practical implications for organisations subject to UK data protection law.

Background overview

The DUAA represents the UK Government’s targeted reform of UK GDPR and related legislation. Its stated aim is to clarify areas of legal uncertainty, reduce administrative burden, support innovation and research, and maintain high standards of data protection.

Many provisions reflect established ICO guidance but now have statutory footing. However, certain changes, particularly in relation to PECR fines, international transfers, and automated decision making, are substantive and require careful review.

What are the key changes?

1. Recognised legitimate interests

The DUAA introduces a new category of lawful processing under Article 6(1)(ea), permitting processing necessary for specified recognised legitimate interests. These include purposes such as crime prevention and fraud detection, safeguarding vulnerable individuals, public security, emergency response, and assisting public authorities.

Where processing falls strictly within the statutory list, organisations are not required to conduct a balancing test between their interests and the individual’s rights. However:

Processing must still be necessary for the stated purpose, and transparency obligations continue to apply. The new basis does not replace Article 6(1)(f); it operates alongside it, so processing that does not fall squarely within the statutory list still requires the full legitimate interests assessment, including the balancing test.

What organisations need to do

Update lawful basis assessments and internal guidance. Clearly document reliance on Article 6(1)(ea) in records of processing activities and privacy notices, identifying which listed purpose applies. Ensure teams do not stretch this basis beyond the defined statutory purposes, and that anything outside the list is assessed under Article 6(1)(f) with a documented balancing test.

2. Subject access request reforms

The DUAA formalises several clarifications regarding data subject rights.

(a) Reasonable and proportionate searches

Organisations need only conduct reasonable and proportionate searches when responding to a request. There is no obligation to carry out exhaustive searches of archives where this would be disproportionate. This reflects long-standing ICO guidance, now placed on a statutory footing, and applies to all ongoing and future subject access requests.

(b) Stop the clock mechanism

A new Article 12A allows organisations to pause the response deadline where they genuinely need clarification of the scope of a request, or where additional information is reasonably necessary to confirm the requester's identity. The clock stops when the clarification request is sent and restarts when the response is received; time that has already elapsed still counts. For example, if a request arrives on 1 March, scope is queried on 5 March and the requester answers on 20 March, the remaining period runs from 20 March with four days already used.

What organisations need to do

Update SAR policies, procedures, and workflow tools. Train staff on when the stop the clock provision can lawfully be used, so it is not treated as a routine extension. Record the date of each clarification request and response, and ensure decisions on scope and proportionality are documented and auditable, so the adjusted deadline can be evidenced if challenged.

3. Amendments to scientific research definition

The definition of scientific research has been broadened to explicitly include commercial and private sector research.

Key implications include the ability to rely on broad consent for related research areas, relaxed compatibility assessments for further processing, and facilitation of research innovation in commercial environments.

Organisations relying on research exemptions should review research governance frameworks, update consent language where relying on broad research consent, and ensure privacy notices clearly distinguish research from operational processing.

4. Cookie consent exemptions (PECR)

The DUAA introduces additional exemptions from the cookie consent requirements under PECR, which apply to cookies and similar technologies that store or access information on a user's device. Consent is no longer required where the storage or access is used solely to deliver a service the user has requested, for first party analytics used to measure and improve the performance of the service, for storing a user's display or functional preferences, or for security purposes such as fraud detection and device integrity.

Third party advertising and tracking cookies still require consent. Transparency requirements remain: users must still be told what is stored or accessed and why, and where an exemption (notably first party analytics) depends on the user being able to object, a clear and simple opt out must be offered.

PECR maximum fines increase from £500,000 to the UK GDPR level, the higher of £17.5 million or 4 percent of annual worldwide turnover, significantly increasing enforcement exposure for cookies, email marketing, and other electronic communications.

What organisations need to do

Re-audit cookie categorisation against the new exemptions, and keep evidence of why each cookie falls into an exempt category. Update cookie banners and consent management platforms so that consent is requested only where it is still required and an opt out is offered where an exemption depends on it. Review email and electronic marketing practices in light of the higher penalties.

5. Flexibility around AI and automated decisions

The changes replace Article 22 of the UK GDPR with a more permissive framework (new Articles 22A to 22D). Decisions based solely on automated processing that have legal or similarly significant effects may now be taken on any lawful basis, provided safeguards are in place. The stricter position is retained where such decisions are based on special category data: these remain prohibited unless the processing meets narrower conditions, such as explicit consent.

Safeguards include telling individuals that a decision has been taken on this basis, allowing them to make representations, obtaining human intervention on request, and enabling them to contest the decision.

Organisations should identify automated decision making systems, ensure safeguards are operational, update AI governance and DPIA processes, and establish clear human review escalation pathways.

6. International data transfers

The DUAA reforms Chapter V by focusing transfer assessments on the legal jurisdiction of the receiving organisation rather than on the physical location of servers. The test for both adequacy regulations and appropriate safeguards is now whether the standard of protection for data subjects in the destination is not materially lower than under UK law.

This may require reclassification of transfers, review of transfer risk assessments, and updates to contractual safeguards.

Organisations should re-map international data flows, update transfer risk assessment templates to the new test and rerun existing assessments against it, and update SCCs and vendor contracts where the classification of a transfer changes.

7. Charitable marketing soft opt in

Charities may rely on a new soft opt in, previously available only to commercial organisations for marketing their own products and services, to send electronic marketing relating to their own charitable purposes to individuals who have expressed support for or interest in those purposes and who were given the opportunity to opt out when their details were collected.

This does not extend to third party marketing. Clear opt outs must still be provided, and charities should segregate charitable and third party marketing activities.

8. Enhanced ICO enforcement powers

The Information Commissioner's enforcement powers are strengthened. The Commissioner may require organisations to commission and pay for a report by an approved external expert, issue interview notices compelling staff to answer questions, and exercise broader information gathering and investigative powers.

Combined with higher PECR fines, enforcement risk is materially increased.

What organisations need to consider

Organisations should review and update privacy notices, records of processing, and lawful basis assessments. Subject access request procedures should be refreshed to incorporate stop the clock provisions.

International data transfers should be reassessed under the revised framework. Automated decision making governance and safeguards should be reviewed. Cookie consent mechanisms and marketing compliance under PECR should be updated.

Although the DUAA reduces administrative burden in certain areas, it does not diminish accountability. Organisations must continue to demonstrate lawful, fair, and transparent processing and be able to evidence compliance to regulators.

Sources

Data (Use and Access) Act 2025, February 2026 changes paper.