July 01, 2025

Reform of the GDPR in the UK


On 19 June 2025 the Data (Use and Access) Act (the "DUA Act") received Royal Assent and became law in the UK, having been passed by the UK Parliament on 11 June 2025. The DUA Act principally reforms the General Data Protection Regulation as retained in the UK (the "UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"). It aims to streamline and modernise the UK's data protection framework. Note that most of the substantive amendments do not apply from Royal Assent but are brought into force in stages by commencement regulations, so the dates on which each change takes effect should be checked. This article focuses on the changes that the DUA Act makes to the UK GDPR. See our article on the changes the DUA Act makes to PECR.

Changes to Lawful Bases for Processing

  • The DUA Act introduces a list of processing activities that are treated as legitimate without the need for a balancing exercise, alongside the existing legitimate interests basis in Article 6(1)(f) UK GDPR.
  • These bases are named "recognised legitimate interests" and are contained in a new Article 6(1)(ea) UK GDPR. For companies processing under these bases, there will no longer be a requirement to carry out a Legitimate Interest Assessment ("LIA"), the three-part purpose, necessity and balancing test that has to be carried out when relying on the legitimate interests lawful basis to process personal data in the UK. The processing must still be necessary for the recognised purpose, and the remaining data protection principles (including transparency and data minimisation) continue to apply.
  • The list of recognised legitimate interests includes: safeguarding national security; protecting public security and defence; responding to an emergency; preventing, detecting and investigating crime; and safeguarding vulnerable individuals. The Secretary of State may amend the list by regulations.
  • The recognised legitimate interests might be relied upon by a broad range of industries: financial services firms combatting or investigating financial crime; social media and other businesses operating online in relation to safeguarding individuals from online harm; and retail companies in relation to security.
  • Additionally, the DUA Act sets out a non-exhaustive list of purposes for which processing "may" be carried out under the existing legitimate interests lawful basis in Article 6(1)(f). These purposes include direct marketing; sharing data within a group of companies for internal administrative purposes; and ensuring the security of network and information systems. An LIA is still required for processing personal data for these purposes; the list only confirms that they are capable of being legitimate interests. With respect to direct marketing to consumers, it remains best practice for businesses to seek consent before carrying out those activities in light of previous European Data Protection Board guidance relating to direct marketing, and in any event the separate PECR consent rules for electronic marketing (email, SMS and similar channels) continue to apply regardless of the UK GDPR lawful basis relied on.


International Data Transfers

  • The DUA Act changes the UK's data transfer regime by amending Article 45 of the UK GDPR so that the UK's adequacy framework comprises transfers "approved by regulations", as opposed to transfers "on the basis of an adequacy decision". Under the new data protection test, the Secretary of State will determine whether the standard of data protection in the destination country is "not materially lower" than the standard in the UK. This is a slight loosening of the previous test, under which the destination country had to offer "essentially equivalent" protection.
  • The practical effect of this change is unclear. Previous UK governments suggested that the reforms could enable transfers of data from the UK to a greater range of countries, such as the USA and India, which have less stringent data protection standards than the UK. However, there is no indication that the current government will use the DUA Act to approve transfers to jurisdictions with notably lower data protection frameworks than the UK, so the effect of this change remains to be seen. Businesses should continue to rely on the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment, for destinations that are not approved by regulations.
  • For transfers from the EU to the UK, the EU's adequacy decision for the UK is due for renewal on 27 December 2025, and the European Commission will consider the changes the DUA Act makes to UK data protection law when assessing whether the UK continues to provide an adequate level of protection.


Purpose Limitation

  • The DUA Act potentially loosens the purpose limitation principle under the UK GDPR. A new Article 8A sets out the conditions under which further processing for a new (i.e. different) purpose is to be treated as compatible with the original purpose for which the personal data were collected. In practice, where further processing is compatible, it may not be necessary to identify a new lawful basis or to provide a fresh privacy notice to the data subject.
  • The conditions include: where the data subject has given fresh consent to the new purpose; where the processing is for scientific or historical research, statistical purposes or archiving in the public interest; or where the processing is for any of the purposes specified in the new Annex 2 (for example, disclosures to public bodies and processing for safeguarding or law enforcement purposes). As with Article 6(1)(ea) UK GDPR, the Secretary of State may add to, vary or omit provisions of Annex 2 by regulations.


Automated Decision Making ("ADM")

  • The DUA Act relaxes the restrictions on ADM under Article 22 of the UK GDPR, replacing Article 22 with new Articles 22A to 22D. Significant decisions based entirely or partly on the processing of special category data may not be taken solely by automated processing unless one of a narrow set of conditions is met (such as the data subject's explicit consent). The DUA Act also clarifies that a decision is "based solely on automated processing" where there is no meaningful human involvement in taking it.
  • This marks a divergence from the EU GDPR: where a significant decision does not involve special category data, the DUA Act no longer requires the controller to satisfy one of the Article 22 exceptions (such as explicit consent or contractual necessity) before taking it solely by automated means. Such decisions remain subject to safeguards, however: the controller must provide information about the decision, and enable the data subject to make representations, obtain human intervention and contest the decision. Organisations should ensure that any claim of "meaningful human involvement" is borne out in practice, as a reviewer who rubber-stamps automated outputs will not take a decision outside the ADM regime.

Scientific Research

  • The DUA Act broadens the definition of scientific research to encompass any research that can "reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity". This widens the scope of the research provisions under the UK GDPR, including the conditions for processing special category data, so that privately funded and commercial research can benefit from them. The amendment gives companies greater flexibility when conducting scientific research, although the research must still be carried out subject to appropriate safeguards for the data subject.

Data Subject Access Requests ("DSARs")

  • The DUA Act amends the time period for controllers to respond to DSARs, bringing the UK GDPR into line with current ICO guidance. Controllers can extend the initial one-month period for responding to a DSAR by a further two months where this is necessary due to the complexity or number of requests. The DUA Act also puts the "stop the clock" approach on a statutory footing: the response period does not run while the controller is reasonably awaiting confirmation of the requester's identity or clarification of the scope of the request.
  • The DUA Act also clarifies controllers' obligations in relation to DSARs. Controllers need only conduct a "reasonable and proportionate" search in response to a DSAR. However, the DUA Act does not provide further guidance as to what constitutes a "reasonable and proportionate" search, so controllers should document the scope of the search carried out and the reasons for it.
  • The DUA Act also changes the position where organisations withhold information on the basis of legal professional privilege or client confidentiality: organisations must inform the data subject of the specific exemption being applied and the reason for applying it. Data subjects will also have a right to ask the ICO to review how these exemptions have been applied to their case.

Changes to the Structure of the ICO

  • The DUA Act restructures the ICO, which will become a body corporate known as the Information Commission.
  • The DUA Act replaces the single office of the Information Commissioner with a Chair and a board consisting of executive and non-executive members.

Comment

The DUA Act makes significant amendments to the UK GDPR, largely clarifying obligations under the UK GDPR and aligning data protection law with existing guidance. The main changes are the introduction of the "recognised legitimate interests" regime, which gives businesses a list of new bases to rely on for personal data processing, and the amendment to the UK's data transfer regime, which has the potential to lower the standard applied to international data transfers. The thrust of the DUA Act is to make it easier for businesses operating within the UK to process personal data, and it aligns with the broader pattern across Europe of loosening regulation around business to foster innovation and flexibility, most notably the EU's Omnibus Packages. Following the enactment of the DUA Act, businesses should review their current practices and policies against the changes, in particular their lawful basis records and LIAs, their ADM processes and safeguards, their DSAR procedures and their international transfer arrangements, and should track the commencement regulations that bring each change into force.
