The long-awaited reform of the UK GDPR finally received Royal Assent on 19 June 2025. The Data (Use and Access) Act 2025 ("DUA Act 2025") was the UK Government's third attempt at GDPR reform (after two previous failed incarnations of the Data Protection and Digital Information Bill ("DPDI Bill") proposed by the conservative government), and it endured five rounds of parliamentary "ping-pong" between the House of Lords and the House of Commons before finally being agreed. But does the final version of the legislation represent the overhaul of the UK data protection regime that was once envisioned?

In this article we consider some of the key changes proposed by the legislation and the extent to which they will have any significant impact on the data privacy landscape in the UK.

What hasn't changed?

First of all, a quick note about what hasn't changed. The previous bills that were proposed included some amendments that didn't make it through to the final DUA Act 2025:

  • Definition of personal data: The DPDI Bill proposed limiting the definition of personal data, perhaps to prevent organisations from being overly cautious in their interpretation of personal data and to allow more data to be considered anonymised. This proposal did not form part of the DUA Act.
  • GDPR admin: The DPDI Bill tried to strip away some of the administrative burden of complying with the GDPR. For example, it proposed getting rid of the requirement to have a ROPA or a UK representative in certain circumstances. Perhaps because of concerns about the UK's ongoing adequacy, these proposals did not make it through to the DUA Act 2025, but it is interesting to note that some of them (e.g. the relaxation of the ROPA requirement) are not dissimilar to what is currently being proposed by the EU Commission with respect to GDPR reform in Europe.
  • DSAR responses: The proposal to allow controllers to refuse to respond to vexatious or excessive DSARs did not survive the transition from the DPDI Bill to the DUA Act 2025.

What is changing?

Whilst it is fair to say that the DUA Act 2025 does not represent a wholesale reform of the UK GDPR and is perhaps more akin to tweaks around the edges, there are nonetheless some changes which organisations should be aware of. We have set out below a description of some of these key changes and the impact they may have on business in the UK.

  1. Automated Decision Making ("ADM")

Section 80 of the DUA Act 2025 sets out the rules relating to ADM and is perhaps the biggest change made to the UK GDPR by the Act. It reverses the approach of the existing rules: instead of a prohibition on ADM with limited exceptions, the legislation now permits ADM subject to certain rules and guardrails. The prohibition remains for ADM involving special category data; ADM not involving special category data is now permitted provided that certain safeguards are in place, being requirements to:

  • provide people with information about significant decisions made about them (i.e. transparency);
  • enable people to make representations about and to challenge such decisions; and
  • enable people to obtain human intervention in respect of such decisions.

In the context of ever-increasing use of AI tools, this relaxation of the rules around ADM could be significant for many organisations. However, given that it is a relaxation, it is also likely to be the subject of scrutiny by the EU Commission when considering whether or not to renew the UK adequacy decisions.

  2. Subject Access Requests

Although, as mentioned above, the original DPDI Bill proposals to allow controllers to refuse to respond to vexatious DSARs did not make it into the DUA Act 2025, there are nonetheless some DSAR changes in the legislation.

Sections 75 – 79 of the DUA Act 2025 make certain amendments, including clarifying that controllers:

  • can "stop the clock" on the time limit for responding to DSARs if they reasonably need more information from the requester in order to confirm the scope of the DSAR (e.g. where the controller processes a large amount of personal data about the requester); and
  • only need to make reasonable and proportionate searches in response to a DSAR.

Although these changes largely reflect current regulatory guidance in the UK, they are nonetheless likely to be welcomed by organisations, particularly in the context of the ever-increasing use of DSARs by data subjects. However, the legislation missed its opportunity to limit the DSARs that controllers have to respond to, which will be a source of frustration for many organisations.

  3. Recognised legitimate interests

Like the DPDI Bill before it, the DUA Act 2025 includes a list of "recognised" legitimate interests for the purpose of Article 6(1)(f) UK GDPR.

The list set out in Section 70 of the DUA Act 2025 is fairly limited in scope and includes where processing is necessary for:

  • safeguarding national security, protecting public security or for defence purposes;
  • the purposes of responding to an emergency; and
  • detecting, investigating or preventing crime or apprehending or prosecuting offenders.

Perhaps more helpfully for commercial organisations, the DUA Act also includes examples of interests that might be legitimate, including direct marketing and intra-group transfers. However, these interests still require application of the balancing test and so don't reflect a big change to current practice (given direct marketing is already cited as an example of a legitimate interest in the recitals to the GDPR).

  4. International data transfers

Schedule 7 of the DUA Act 2025 amends Chapter V of the UK GDPR, being the provisions relating to international data transfers. The legislation introduces the so-called "data protection test" for both controllers and UK Government to apply when considering whether or not a data importer jurisdiction has appropriate safeguards in place to protect personal data.

Under the DUA Act 2025, the relevant test to apply is whether the standards of protection in the importing jurisdiction are "materially lower" than the protections in the UK. This is in contrast to the GDPR which requires third country protections to be "adequate" with all that that entails.

Although this does not, on the face of it, appear to be a big change to current law, it is likely to be heavily scrutinised by the EU Commission in its consideration of UK adequacy and in the face of concerns that the UK could become a hub for EU companies to transfer data out of jurisdiction more easily than directly from Europe.

  5. Right to complain

Section 103 of the DUA Act 2025 amends the UK Data Protection Act 2018 to include a right for data subjects to make a complaint to controllers if they believe there has been a breach of the GDPR. The legislation then introduces statutory timeframes for controllers to respond to any such complaints, with a requirement to acknowledge receipt within 30 days and respond to the complaint without undue delay. It is perhaps important to note that this is a different timeframe to that required when responding to DSARs (one calendar month).

Although, as with other changes described above, this change effectively reflects current regulatory practice – which is often to direct individuals to try and resolve their complaint with the controller in the first instance – the introduction of statutory timelines for responses will require organisations to ensure that they have appropriate processes and procedures in place to be able to deal with complaints about data processing.

  6. Cookie consent rules

Section 112 of the DUA Act 2025 introduces a slight 'relaxation' of the cookie consent rules. It provides that consent is not required for cookies (or similar technologies) that are low privacy risk (e.g. certain analytics cookies). However, users must still be given the ability to opt-out of such cookies, which puts them on a slightly different footing to strictly necessary cookies where no ability to opt-out is required. As such, the new rules may have complicated rather than simplified the current regime to create three different types of cookie rules:

  • strictly necessary cookies: no consent and no opt-out required;
  • low risk (e.g. analytics cookies): no consent but ability to opt-out required;
  • other cookies: opt-in consent required.

Given the complex web of cookie consent solutions and the apparent focus of regulators both in Europe and the UK on enforcement of cookie consent rules, this relaxation of consent requirements for analytics cookies may be welcomed by some but does not provide the much hoped-for solution for companies in the adtech value chain. In addition, the DUA Act 2025 has confirmed that fines for breaches of the cookie rules are now aligned with UK GDPR (i.e. an increase from £500,000 to a maximum £17.5 million or 4% of global annual turnover, whichever is higher), meaning that the consequences for getting it wrong could be much more severe.

Whilst the DUA Act 2025 does not signal the end of data protection law as we know it in the UK, some of the changes will be welcomed by business, even if only as a way of putting regulatory best practice onto a statutory footing. The UK Government is seemingly confident that nothing in the new legislation will endanger the EU Commission's adequacy renewal process for the UK, but some of the changes, particularly around ADM and international data transfers, may well come under scrutiny from an EU Commission keen to ensure that the UK does not deviate from the path of the GDPR. The current adequacy decisions for the UK have been extended to the end of the year, and so we will need to wait and see what the impact of the UK's "reform" might be in Europe.

Key contacts

Miriam Everett