UK Data Reform Becomes Reality: What This Means For You And What You Need To Do Next – Privacy Protection

More

We have two things at our core: people – both ours and yours – and a focus on creativity, technology and innovation.
Whether you are a fast growth start up or a large multinational business, we help you realise the potential in your people and navigate your strategic HR and legal issues, both nationally and internationally. Our award-winning employment team is one of the largest in the UK, with dedicated specialists in all areas of employment law and a track record of leading precedent setting cases on issues of the day. The team’s breadth of expertise is unrivalled and includes HR consultants as well as experts across specialisms including employment, immigration, data, tax and reward, health and safety, reputation management, dispute resolution, corporate and workplace environment.

Delayed from 19 December 2025 due to the festive season, commencement order number 6 for the Data (Use and Access) Act 2025 (DUAA) crept onto the statute books with little fanfare.

United Kingdom
Privacy

To print this article, all you need is to be registered or login on Mondaq.com.

Article Insights

Lewis Silkin are most popular:

within Cannabis & Hemp, Insolvency/Bankruptcy/Re-Structuring and Transport topic(s)
in United Kingdom
with readers working within the Retail & Leisure industries

Delayed from 19 December 2025 due to the festive season, commencement
order number 6 for the Data (Use and Access) Act 2025
(DUAA) crept onto the statute books with little fanfare. In case
you missed it, 5 February 2026, is the day when most of the
remaining provisions of DUAA entered into force.

A swathe of provisions got the green light, including the new
approach to ADM, which unless special category data is involved,
moves to a permission but with safeguards regime, meaning
certain decisions may no longer be subject to the more severe
restrictions on automated decision-making. (For more information
see the ADM section of our article 
here).

The new UK test for data bridges (formerly known as
“adequacy”, pre-Brexit) also enters into force, meaning
the test is now whether the standards of data protection will be
“materially lower” than those applicable in the UK.
(Previously the test was whether the standards were
“essentially equivalent”). You may want to take
advantage of the new test when completing your Transfer Risk
Assessments (TRAs) for transfers from the UK but there is no
urgency to review existing TRAs as they will remain fit for
purpose. (For more information see the Data Transfers section in
our article 
here).

Also in force are the remaining amendments to the Privacy
and Electronic Communications Regulations 2003 (PECR),
including the headline grabbing UK GDPR level fines (i.e. maximum
£17.5 million or 4% of global annual turnover, whichever is
higher), the extension of the cookie consent rules to anyone who
“instigates” the storage or access to stored data, wider
enforcement powers for PECR breaches, soft opt-in for charities,
the relaxation of exemptions for cookie consent where they pose a
low risk to user privacy and the ICO’s task of encouraging
industry to produce codes of conduct. (For more information see our
e-Privacy section in our article 
here). We know the ICO is very active when it comes to PECR
breaches so anyone taking a risk based view on PECR requirements
particularly in respect of marketing campaigns should be
reconsidering their risk profile given the stakes have become
significantly higher for non-compliance!

The remaining data rights, bar one, are also commenced,
clarifying time limits for responding to data subjects’
requests, the information to be provided to data subjects and fees
and reasons for responses to data subjects’ requests about law
enforcement processing. The remaining right, yet to be commenced,
is the new “right to complain” to controllers regarding
general UK GDPR compliance. (For more information see the Data
Rights section of our article 
here). This right will come into force on 19 June
2026 so if you haven’t already reviewed your
complaints process, worked out how to resource it given the likely
increase in direct complaints and revised your privacy notices, the
clock is ticking with little over 4 months to get your house in
order. Keep an eye out for the ICO’s 
final guidance too, which is still expected Winter
2025/2026 (even if we are now, thank goodness, through the 2025
part of Winter!) .

All the new wide-ranging ICO powers are in force, bringing the
ICO into line with other UK regulators. (For more information see
the IC’s new powers section of our article 
here). Again, if you haven’t already familiarised yourself
with the powers, it would be prudent to do so as these will change
how the ICO currently conducts its investigations.

Finally, both the new “recognised legitimate
interests” lawful basis and the purpose limitation
clarification are also brought into force. (For more information
see the relevant sections of our article 
here). We don’t think either provision will have a huge
impact on organisations, rather they provide welcome clarity and
for most of us the legitimate interests assessment (LIA) will still
be necessary, unless you fall within the narrow scope of the new
“recognised legitimate interests”. If this is the case
and you seek to rely on this new lawful basis you will need to
update your privacy notices and ROPAs to reflect this. 

We still await the changes to the ICO’s structure. (For more
information see the IC section of our article 
here). It remains to be seen when the Information Commission
will come into being but with appointments to the new Board well
underway it might be sooner, rather than later. 

So what?

As it was third time lucky before data reform was enacted in the
UK, many compliance teams preferred to wait until DUAA received
Royal Assent and there was certainty about the road ahead. Now with
the majority of provisions in force the direction of travel is
clear, so if you haven’t already refreshed your policies and
privacy notices, considered your TRAs for transfers from the UK,
discussed what the ADM changes mean for your organisation, what the
new PECR reforms mean for your marketing strategy, how the new ICO
powers will impact your approach to regulatory investigations etc.
etc., now is the time to do so.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

[View Source]