Change event: Data (Use and Access) Act 2025 reforms UK GDPR from early 2026
Effective: 1 June 2026

Overview

The Data (Use and Access) Act 2025 received Royal Assent on 19 December 2025 and amends UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) in several phases from early 2026. The changes are broadly deregulatory, in that they remove some compliance burdens, but they still require active updates to your existing data protection documentation and processes: a lawful basis, cookie exemption or complaint route you do not record and operate is one you cannot rely on.

The Act is being commenced in stages. Some provisions take effect from early 2026, with further changes (including mandatory complaint-handling procedures) expected from approximately June 2026. The Information Commissioner's Office (ICO) is also being restructured under the Act with a new governance board.

Key facts:

  • Royal Assent: 19 December 2025
  • Phase 1 (early provisions): early 2026
  • Phase 2 (complaint handling, Section 103): approximately June 2026
  • Complaint acknowledgement deadline: 30 days
  • Enforcing regulator: Information Commissioner's Office (ICO)

Phase 1: recognised legitimate interest and automated decisions

The Act introduces a new recognised legitimate interest lawful basis for processing personal data. For a defined list of purposes, including safeguarding, national security and democratic engagement, organisations can process personal data without carrying out the three-part legitimate interests assessment (purpose, necessity and balancing) that the standard legitimate interest basis requires.

This does not replace the existing legitimate interest basis. It creates an additional, simplified route for a defined set of purposes. You must still identify which lawful basis you rely on and document it in your records of processing activities.

The Act also relaxes the restrictions on solely automated decision-making in Article 22 of UK GDPR. The previous general prohibition (subject to narrow exceptions) on solely automated decisions with legal or similarly significant effects is replaced with a more flexible framework: such decisions are generally permitted provided safeguards are in place, including telling the individual that the decision was automated and letting them make representations, obtain human intervention and contest the decision. Decisions based on special category data remain more tightly restricted. If you use automated decision-making systems (including AI-based tools), review whether your current safeguards and transparency measures remain appropriate under the new rules.

Phase 1: marketing and cookie consent changes

The soft opt-in exemption for electronic marketing is extended to charities and other non-commercial organisations. Previously, only commercial businesses could rely on soft opt-in to send marketing to existing customers without explicit consent. Charities can now market to supporters who have previously engaged with them, provided the supporter was given an easy way to opt out when their details were collected and in every subsequent message.

The Act also introduces new exceptions to the PECR consent requirement for cookies and similar tracking technologies. Certain categories, such as cookies used for security, fraud prevention, or first-party audience measurement, may no longer require prior consent, subject to the conditions attached to each exception (for statistical purposes this includes telling users about the cookie and offering a simple way to object). Cookies used for advertising or cross-site tracking still require prior consent. Review your cookie consent mechanisms to determine which cookies now fall under the exemptions, update your cookie banners accordingly, and make sure nothing that still needs consent is loaded before consent is recorded.
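The following is an added example of consent-gated tag loading for the situation described above; it is not code from the original page or from any ICO or government tool. It assumes a category scheme in which strictly necessary, security and audience-measurement tags are exempt from prior consent, that the audience-measurement exemption still requires an opt-out control, and that the user's choices are stored in a first-party cookie of the form `advertising:1,audience-measurement:0`. The category names, cookie format, tag names and script URLs are all assumptions for illustration; confirm each real cookie's classification against the amended PECR and ICO guidance before relying on an exemption.

```javascript
// Added example (not from the original page). Decides which tags may run under a
// category scheme where some categories are exempt from prior consent.
// Category names, cookie format and URLs are assumptions for illustration only.

// Categories assumed exempt from prior consent under the amended PECR.
const EXEMPT_CATEGORIES = new Set([
  "strictly-necessary",   // needed to deliver the service the user asked for
  "security",             // security and fraud-prevention cookies
  "audience-measurement", // first-party statistics; assumed to still need an opt-out
]);

// Exempt categories whose exemption is assumed conditional on an easy opt-out.
const OPT_OUT_REQUIRED = new Set(["audience-measurement"]);

// Constructed catalogue of this site's tags (src is null for server-set cookies).
const TAG_CATALOGUE = [
  { name: "session-cookie", category: "strictly-necessary",   src: null },
  { name: "bot-detection",  category: "security",             src: "/static/js/bot-detect.js" },
  { name: "site-analytics", category: "audience-measurement", src: "/static/js/analytics.js" },
  { name: "ad-retargeting", category: "advertising",          src: "https://ads.example/pixel.js" },
  { name: "social-embed",   category: "social-media",         src: "https://social.example/embed.js" },
];

// Parse the consent record, e.g. "advertising:1,audience-measurement:0".
// Malformed entries are ignored. Any script on the origin can write this cookie,
// so it is only ever consulted for categories the catalogue already knows about.
function parseConsentCookie(value) {
  const consented = new Set(); // non-exempt categories the user said yes to
  const refused = new Set();   // non-exempt categories the user said no to
  const optedOut = new Set();  // exempt categories the user objected to
  if (typeof value !== "string") return { consented, refused, optedOut };
  for (const entry of value.split(",")) {
    const m = /^([a-z-]{1,40}):([01])$/.exec(entry.trim());
    if (!m) continue;
    const [, category, flag] = m;
    if (EXEMPT_CATEGORIES.has(category)) {
      if (flag === "0") optedOut.add(category);
    } else if (flag === "1") {
      consented.add(category);
    } else {
      refused.add(category);
    }
  }
  return { consented, refused, optedOut };
}

// Exempt tags run unless opted out; everything else needs recorded consent.
function decideTags(catalogue, state) {
  const allowed = [];
  const blocked = [];
  for (const tag of catalogue) {
    const runs = EXEMPT_CATEGORIES.has(tag.category)
      ? !state.optedOut.has(tag.category)
      : state.consented.has(tag.category);
    (runs ? allowed : blocked).push(tag.name);
  }
  return { allowed, blocked };
}

// What the banner must still do: prompt for undecided non-exempt categories and
// expose an opt-out toggle for each conditionally exempt category in use.
function bannerRequirements(catalogue, state) {
  const needsConsentPrompt = catalogue.some((t) =>
    !EXEMPT_CATEGORIES.has(t.category) &&
    !state.consented.has(t.category) && !state.refused.has(t.category));
  const optOutToggles = [...new Set(
    catalogue.filter((t) => OPT_OUT_REQUIRED.has(t.category)).map((t) => t.category))];
  return { needsConsentPrompt, optOutToggles };
}

// Browser entry point: inject only allowed scripts. Returns the URLs it would load
// so the decision can be checked outside a browser (doc is null in Node).
function loadAllowedTags(catalogue, state, doc = typeof document === "undefined" ? null : document) {
  const { allowed } = decideTags(catalogue, state);
  const loaded = [];
  for (const tag of catalogue) {
    if (!allowed.includes(tag.name) || !tag.src) continue;
    if (doc) {
      const s = doc.createElement("script");
      s.src = tag.src;
      s.defer = true;
      doc.head.appendChild(s);
    }
    loaded.push(tag.src);
  }
  return loaded;
}
```

The point of keeping the decision in `decideTags` rather than in the banner markup is that the same function can be unit-tested against every consent state your site can record, and the test suite will catch a tag that slips into an exempt category it does not belong to. Because the consent cookie is writable by any script on the origin, the parser never treats it as a source of truth for which tags exist, only for the user's yes/no/opt-out choices on catalogue categories.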

Phase 2: mandatory complaint-handling procedures (from summer 2026)

Section 103 of the Act requires organisations to establish formal complaint-handling procedures for data protection complaints. This provision is expected to take effect from approximately June 2026.

Under these requirements, you must:

  • acknowledge receipt of a data protection complaint within 30 days
  • take appropriate steps to respond without undue delay, including investigating the complaint and informing the complainant of the outcome
  • provide a documented procedure, such as a complaints form or contact route, that individuals can easily find and use

This effectively creates a mandatory internal complaints process that sits between the individual's initial concern and a complaint to the ICO. Expect the ICO to ask for evidence that you followed your own procedure, with dates of acknowledgement and outcome, before it takes regulatory action on a complaint that reaches it.

ICO governance changes

The Act restructures the Information Commissioner's Office with a new governance board. The office transitions from a corporation sole (headed by a single Commissioner) to a body corporate, the Information Commission, with a board structure, a chief executive, and non-executive members.

For businesses, the practical impact is limited in the short term. The ICO will continue to be the enforcing regulator for UK GDPR and PECR. However, the new governance structure may lead to changes in enforcement strategy and priorities over time.

What you need to do

Review and update the following:

  • Privacy notices — ensure they reflect any new lawful bases you rely on, including recognised legitimate interest
  • Data protection impact assessments — revisit DPIAs for automated decision-making systems to check alignment with the relaxed Article 22 rules
  • Marketing practices — if you are a charity or non-commercial organisation, assess whether the soft opt-in exemption applies to your supporter communications
  • Cookie consent mechanisms — update cookie banners to remove consent prompts for newly exempt cookie categories
  • Complaint-handling procedures — before summer 2026, establish a documented process that acknowledges data protection complaints within 30 days and investigates and responds to them without undue delay, and keep a log of each complaint's dates so you can evidence compliance
  • Records of processing activities — update to reflect any changes in lawful basis or processing purposes

⚠️ Enforcement and penalties

UK GDPR enforcement powers remain unchanged. The ICO can still issue fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious breaches. The new complaint-handling requirement (from summer 2026) adds a further compliance obligation: failure to acknowledge complaints within 30 days, or to keep records showing that you did, can be used as evidence of inadequate data protection governance.

ℹ️ UK-only changes

These reforms apply to UK GDPR only. If your business also processes personal data of individuals in the EU or EEA, you must continue to comply with EU GDPR separately. The recognised legitimate interest basis and cookie consent exceptions do not apply under EU GDPR. Ensure your compliance framework distinguishes between UK and EU data protection requirements where relevant.