
Data protection reforms: The UK’s flexible approach

Written by Thrings | Apr 30, 2026 9:38:59 AM

 

The UK’s data protection regime is not being rewritten, but it is being adjusted, with legislation introduced last year set to take full effect this summer.

The Data (Use and Access) Act 2025 (DUAA), which has been rolled out in stages since June 2025 and is set to be fully in force by June 2026, is intended to make life easier for organisations while keeping core protections in place.

For many, this will feel less like a step change and more like a loosening of some of the more rigid edges of UK GDPR and the Privacy and Electronic Communications Regulations (PECR). The direction of travel is clear: enable innovation, reduce friction and place more emphasis on proportionate decision-making.

Darcy Lilley, Solicitor in Thrings’ Commercial Dispute Resolution team, looks at the features of the Act and, for businesses and charities, the challenge of knowing where the rules have softened and where responsibilities remain in place.

What is changing

At its core, DUAA is about flexibility and clarity – moving away from technical box-ticking towards a more pragmatic approach. Some of the most notable changes include:

  • Research and innovation – The Act supports scientific and commercial research by allowing individuals to give “broad consent” to areas of research, rather than narrowly defined projects. In some cases, organisations can also reuse personal data for research without issuing a new privacy notice, where doing so would involve disproportionate effort.
  • Automated decision-making – The restrictions around automated decision-making are being relaxed. Businesses will have more scope to rely on automated processes, provided appropriate safeguards are in place.
  • Cookies and online tracking – Amendments to PECR mean certain low-risk cookies (for example, those used for analytics or improving website functionality) may be set without user consent. This should simplify website compliance and user experience.
  • Recognised legitimate interests – A new lawful basis removes the need to carry out a balancing test in specific scenarios (such as public security). This offers greater certainty when relying on recognised legitimate interests – but these are narrowly defined and not to be confused with the pre-existing (and retained) legitimate interests basis for processing.
  • Data sharing with public bodies – Organisations can share personal data with bodies such as the police without having to assess whether the recipient strictly “needs” it for their public task.
  • Purpose compatibility – The Act introduces an assumption that some re-uses of personal data are compatible with the original purpose, removing the need for a detailed compatibility assessment in every case.
  • Subject access requests (SARs) – It is now clearer that organisations only need to carry out “reasonable and proportionate” searches when responding to SARs.
  • Charity marketing rules – From January 2026, charities can rely on a “soft opt-in” for electronic marketing, similar to commercial organisations. This allows contact with supporters who have shown interest, provided opt-out options are clearly given.

Why this matters

For many organisations, the DUAA represents a shift from strict process to practical risk management.

There are clear benefits. Reduced administrative burden, more flexibility in using data, and fewer barriers to innovation will be welcomed by businesses looking to grow or invest in technology. The ability to rely on recognised legitimate interests or assume compatibility of purpose, for example, can streamline decision-making.

However, this is not a relaxation of accountability. Regulators will still expect organisations to handle personal data responsibly, transparently and securely. The changes mean businesses must exercise judgement, not abandon caution.

There is also a reputational angle, with customers and clients remaining sensitive to how their data is used. Even where the law allows more flexibility, trust still needs to be earned.

What you can do

Businesses should already be thinking about how these changes affect their exposure to risk and how their internal processes need to adapt.

Key steps include:

  • Revisit your lawful bases – Consider whether any of your processing activities could now rely on recognised legitimate interests. This may simplify your approach, but it should be documented clearly.
  • Update privacy documentation – Privacy notices and your Record of Processing Activities should reflect how you are using data under the new rules. If you plan to rely on new flexibilities, say so.
  • Review purpose changes – The assumption of compatibility is helpful, but not universal. Check when you can rely on it and when further assessment is still needed.
  • Check your SAR processes – Ensure your approach to subject access requests is proportionate. Over-searching can waste time and cost; under-searching can create legal risk.
  • Assess automated decision-making – If you use profiling or automated decisions, review your safeguards. Increased flexibility comes with an expectation of appropriate controls.
  • Strengthen internal training – Staff should understand what has changed and what has not. This is particularly important for teams handling data requests, marketing and compliance.
  • Prepare for charity marketing changes – If you are in the charitable sector, review the January 2026 soft opt-in rules. Update privacy notices, ensure opt-out mechanisms are clear, and train teams to handle queries.
  • Consider international transfers – Keep an eye on how the updated data protection test may affect cross-border data flows, particularly if your business operates internationally.

The DUAA is not a complete overhaul, but it is a meaningful recalibration. Businesses that take legal advice earlier on, in order to better understand the changes and implement them properly, will be better placed to use data confidently – and avoid disputes further down the line.

The Thrings Commercial Dispute Resolution team has an outstanding track record in achieving success in court, also offering expertise in mediation, pre-action work, settlement negotiations and arbitration to deliver commercially focused solutions to minimise disruption to your business. Contact us to find out more.