New changes to UK data protection law – do you know how it affects your business?
Jacqueline Drury

23 July 2025

The Data (Use and Access) Act 2025 (DUAA) became law on 19th June and amends elements of the existing law[1], although much of it is yet to come into effect. We think many of the updates are practical and business-friendly, but the regulator’s powers have also been increased, so getting it wrong carries greater risk.

This brief piece focuses on the following updates:

  • DSARs – making burdensome or repetitive requests less onerous
  • “Legitimate interest” ground for processing – easier to rely on in some circumstances
  • Cookies – certain requirements removed
  • International transfers – strict equivalence replaced by “not materially lower” standard
  • New requirement for organisations to have a complaints policy
  • Stronger enforcement powers for the regulator, ICO

 

  1. DSARs: mitigating the most onerous elements

The DUAA makes it easier for organisations to manage “vexatious or excessive” data subject access requests.

Key updates include:

  • Clearer definitions of “manifestly unfounded or excessive” requests;
  • Extended time limits for complex cases;
  • The ability to ask for clarification on broad requests; and
  • ICO guidance on when the response clock starts ticking.

  2. Recognised Legitimate Interests: a new lawful basis for doing what makes sense

The DUAA introduces recognised legitimate interests, which are pre-approved data processing purposes that no longer require a detailed balancing test each time. These include:

  • Direct marketing;
  • Transferring personal data intra-group for internal administration purposes; and
  • Ensuring network and information security.

  3. Certain “low-risk” cookies are now allowed without consent:

The DUAA allows the use of some non-essential cookies without consent, where they serve limited, low-risk analytical purposes. These include:

  • Analytics cookies (e.g., for website performance tracking);
  • Functional cookies (e.g., to record language preferences); and
  • Security cookies (e.g., for fraud detection).

This should promote a better user experience and be less onerous for website operators.

  4. International transfers:

Rather than requiring a strictly equivalent level of data protection in the destination country, the new standard requires that protection is “not materially lower” overall, and transferring organisations can apply this test “reasonably and proportionately”.

It remains to be seen whether this will ease international data flows and if it will impact the UK’s EU adequacy rating.

  5. New requirement re complaints process:

New rules place greater obligations on organisations to handle data protection complaints effectively. These include requirements to:

  • Provide an accessible means for individuals to complain;
  • Acknowledge complaints within 30 days; and
  • Resolve issues “without undue delay”.

In practice, this means that even organisations that are not required to have a Data Protection Officer will likely need a dedicated person/function to oversee the complaints procedure.

  6. The regulator’s new powers:

While most of the changes reduce the compliance burden, falling foul of the law now comes at a greater cost, with greater powers for the ICO (now the Information Commission). It can now:

  • Compel witnesses to attend interviews;
  • Request technical reports and audits; and
  • Impose fines of up to £17.5 million or 4% of global turnover under PECR as well as UK GDPR (previously the maximum PECR fine was £500,000).

How we can help

We’ve been on your side as in-house lawyers/compliance function and we know that privacy compliance can be a headache. Let us help!

We can help work through what the changes mean for your business, including: reviewing your internal data processing/data governance framework, updating your cookies and/or privacy policies and training your team. Do contact us if you wish to discuss anything further.

Jacqueline Drury (Partner)

Phone: 01256 854675

Fiona Skelton (Associate Solicitor)

Phone: 01256 854671

[1] UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Act AKA PECR
