Data (Use and Access) Act 2025
20/03/26
Most changes to data protection law made by the Data Use and Access Act 2025 (DUAA) have now come into force, with the last change – the need for a data protection complaints regime – coming into effect in June 2026.
Most changes to the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR) came into force from 5 February 2026. These included:
- Giving a statutory basis for ‘stop the clock’ principles in relation to subject access requests and other data subject rights. The time period for SARs starts running once ID (if sought) has been provided and the request has been clarified, if necessary.
- Confirming that only a reasonable and proportionate search need be undertaken in response to a SAR.
- The introduction of “recognised legitimate interests”, which apply primarily to private-sector organisations. The DUAA establishes that legitimate interest assessments will no longer be required in relation to “recognised legitimate interests”, such as sharing personal data when requested for exercise of public task or official functions, safeguarding vulnerable individuals or responding to emergencies. Public authorities are unable to rely on legitimate interests themselves for any processing that falls within performance of their public task. However, suppliers, contractors and other commercial third parties have greater flexibility to share information with the public body if the public body requests it.
- Amendments to e-privacy laws (PECR). The DUAA also amended PECR to extend the "soft opt-in" exemption to charities, allowing them to send fundraising emails/texts without explicit consent to supporters who previously engaged with them. It also increased the maximum fines for breaches of PECR, raising the current limit of £500,000 to the higher of either £17.5m or 4% of global annual turnover (the same level as the UK GDPR). Public bodies should continue to have regard to the ICO’s guidance on whether electronic messages sent in the course of their functions may constitute ‘marketing’ and therefore be subject to PECR.
- Requirements around Automated Decision-Making (ADM) are made more permissive. The DUAA narrows the general prohibition on significant ADM, which now only applies when using special category data. ADM using general personal information is no longer ‘prohibited’, with further lawful bases that organisations can rely on (including legitimate interests), provided that certain safeguards (such as transparency and contestability requirements) are observed. Most public bodies will handle large volumes of special category data in the exercise of their functions, and so any ADM will require a legal justification under data protection laws.
A further change, taking effect on 19 June 2026, is an additional right for data subjects to complain directly to controllers in relation to infringements of data protection law. All data controllers, including public authorities, must facilitate the making of such complaints, for example by providing a complaint form “which can be completed electronically and by other means”, and must acknowledge complaints within 30 days, take appropriate steps to resolve the complaint without undue delay, and inform the data subject of both progress and the outcome. The ICO recommends organisations have a policy, and where organisations are already subject to another complaints regime (e.g. the LGO, PHSO or the Housing Ombudsman), the interface between the existing ‘general’ complaints regime and ‘data protection complaints’ will need to be considered.
Summary
In summary, the introduction of the DUAA seeks to simplify data protection requirements. It aims to strike a balance between consumer rights and business interests, for the purposes of facilitating expansion whilst ensuring fairness and compliance with existing data protection regulations. Largely, it makes ‘statutory’ what was already good practice in case law.
How Capsticks can help
Our specialist data protection lawyers advise public bodies, charities and private‑sector partners on navigating the practical impact of the Data Use and Access Act 2025. We can help you understand what the changes mean for your organisation, update your internal processes, and ensure you remain compliant while continuing to deliver high‑quality services. Contact Tana Dryden-Strong or Megan Tam for more information.






