The Data (Use and Access) Act 2025 introduces phased reforms to UK GDPR from early 2026. Key changes include a new recognised legitimate interest basis, relaxed automated decision-making rules, extended soft opt-in marketing for charities, cookie consent exceptions, and mandatory complaint-handling procedures from summer 2026. Businesses must review their privacy notices, DPIAs, marketing practices, and cookie mechanisms.
The Data (Use and Access) Act 2025 received Royal Assent on 19 December 2025 and amends UK GDPR and related data protection legislation in several phases from early 2026. While the changes are broadly deregulatory — removing some compliance burdens — they require active updates to your existing data protection documentation and processes.
The Act is being commenced in stages. Some provisions take effect from early 2026, with further changes (including mandatory complaint-handling procedures) expected from approximately June 2026. The Information Commissioner's Office (ICO) is also being restructured under the Act with a new governance board.
The Act introduces a new recognised legitimate interest lawful basis for processing personal data. For specified purposes — including safeguarding, national security, and democratic engagement — organisations can process data without conducting the traditional three-part balancing test required under the standard legitimate interest basis.
This does not replace the existing legitimate interest basis. It creates an additional, simplified route for a defined set of purposes. You must still identify which lawful basis you rely on and document it in your records of processing activities.
The Act also relaxes restrictions on solely automated decision-making under Article 22 of UK GDPR. The previous near-blanket prohibition is replaced with a more flexible framework. If you use automated decision-making systems (including AI-based tools), review whether your current safeguards and transparency measures remain appropriate under the new rules.
The soft opt-in exemption for electronic marketing is extended to charities and non-commercial organisations. Previously, only commercial businesses could rely on soft opt-in to send marketing communications to existing customers without explicit consent. Charities can now market to supporters who have previously engaged, provided they offer an easy opt-out.
The Act also introduces new exceptions for cookies and similar tracking technologies. Certain categories of cookies — such as those used for security, fraud prevention, or audience measurement — may no longer require prior consent. Review your cookie consent mechanisms to determine which cookies now fall under the exemptions and update your cookie banners accordingly.
Section 103 of the Act requires organisations to establish formal complaint-handling procedures for data protection complaints. This provision is expected to take effect from approximately June 2026.
Under these requirements, you must:
This effectively creates a mandatory internal complaints process that sits between the individual's initial concern and a complaint to the ICO. The ICO may expect to see evidence that you have followed your own complaints procedure before it takes regulatory action.
The Act restructures the Information Commissioner's Office with a new governance board. The office transitions from a corporation sole (headed by a single Commissioner) to a body with a board structure, a chief executive, and non-executive members.
For businesses, the practical impact is limited in the short term. The ICO will continue to be the enforcing regulator for UK GDPR and PECR. However, the new governance structure may lead to changes in enforcement strategy and priorities over time.
Review and update the following:
UK GDPR enforcement powers remain unchanged. The ICO can still issue fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious breaches. The new complaint-handling requirement (from summer 2026) adds a further compliance obligation: failure to acknowledge complaints within 30 days could be used as evidence of inadequate data protection governance.
These reforms apply to UK GDPR only. If your business also processes personal data of individuals in the EU or EEA, you must continue to comply with EU GDPR separately. The recognised legitimate interest basis and cookie consent exceptions do not apply under EU GDPR. Ensure your compliance framework distinguishes between UK and EU data protection requirements where relevant.