UK GDPR: UK privacy reform is finally going live – what does your business need to do now?

Contacts

Emma Drake

Partner
UK

I am a partner working on data and online safety compliance from our London office. I work with a wide variety of organisations, particularly in the media, sports and life sciences sectors. I also advise extensively on children's and employee privacy matters.

Alex Jameson

Senior Associate
UK

As a senior associate in our Privacy and Data Protection Group in London, I work with a variety of organisations on their data and privacy matters, with a particular focus on AI.

The main data protection reforms contained in the UK’s reform law, the Data (Use and Access) Act 2025 (“DUAA”), are now rapidly coming into force on Thursday 5 February 2026, nearly eight months after becoming law. As there are only 2 days between the delayed online publication of the Data (Use & Access) Act 2025 (Commencement No. 6) Regulations 2026 and commencement, these provisions will be in effect before most have had an opportunity to react. With memories potentially hazy on the changes made by the DUAA, here are the key updates that businesses subject to UK data laws need to know about today.

Want to see the detail yourself? You can access our Keeling Schedules showing the changes made to the UK GDPR, the UK Data Protection Act 2018 (“DPA 2018”) and PECR 2003 here.

Want to hear about the UK reforms affecting HR Data? You can still join our international webinar on 4 February 2026 – register here.

Update notices and ROPAs to rely on new ‘recognised’ legitimate interests 

The DUAA creates a new lawful basis, Article 6(1)(ea) UK GDPR, that permits processing necessary for certain ‘recognised’ legitimate interests, with no requirement to balance these against the rights of data subjects. The list of recognised interests, which the UK government can amend through regulations, is contained in new Annex 1 to the UK GDPR. This list includes some common purposes pursued by many controllers, such as processing necessary to detect, investigate or prevent crime, to disclose personal data to public authorities making public task requests and to safeguard vulnerable individuals. 

Controllers wishing to rely on this new basis need to update their UK privacy notices and records of processing accordingly. 

While full balancing tests are not required, it would still be prudent to document the necessity of decisions taken to process data for these purposes: this type of processing can easily become contentious. 

Eagle-eyed observers will spot that the right to object also extends to these recognised legitimate interests. Most controllers will hope that it is straightforward to demonstrate such processing is compelling enough to permit ready refusals. 

Identify whether the cookie or e-marketing changes are worth updating your approach for, and keep an eye on increased enforcement risks

Back when UK DP reform was first proposed on the eve of Brexit, legislators said that cookie banners were the big EU-derived bugbear that needed to be fixed. The changes the DUAA actually makes won’t achieve this. Instead, it introduces new but narrow exemptions to the cookie consent requirement. These include exemptions for cookies:

  • used in connection with providing an information society service and where strictly necessary, including for ensuring device security, preventing or detecting fraud or technical faults, or facilitating the selections and auto-authentication of a user.
  • used solely for the purpose of analytics with a view to improving a service, or solely for storing visual or functional user device preferences, or to permit some other enhancement of this nature.

The usefulness of this second set of amendments is questionable, as consent is replaced by a requirement to offer an informed, simple and free opt out at the point of first use. For UK-audience websites that only use analytics cookies, this might feasibly allow for a simpler cookie approach: but for those who don’t differentiate for visitors from other countries, or who will also place cookies that still need consent like advertising cookies, continuing with an existing blanket consent-based approach is likely more practical.

Email marketing rules change only for charities, which can now rely on a new soft opt-in for marketing about their own charitable purposes to individuals who have expressed interest or support. This won’t assist where marketing is tied to promotion of third parties, such as co-branded campaigns with corporate partners: consent will still be needed here.

Rules for telecommunications companies see limited tweaks – the main point to note is the harmonisation with UK GDPR timescales on breach reporting.

Otherwise, the headline PECR changes relate to enforcement risk, which increases substantially from commencement:

  • On cookies, ‘instigators’ are now equally directly responsible for consent as the service that places or reads a cookie, expanding the ICO’s potential targets to a wider set of AdTech market participants.
  • Most of the ICO’s investigation and enforcement powers in Parts 5 to 7 of the DPA 2018 are pulled across by reference to apply equally to PECR. Particularly important is the increase in potential fines from the pre-DUAA maximum of £500,000 to the familiar UK GDPR fining regime caps, up to a maximum of 4% of worldwide turnover.

Check the effect of research and reuse tweaks: take particular care before relying on consent for research or processing for “statistical” purposes

While a lot of the DUAA’s changes on this topic involve moving existing provisions around, several changes are impactful:

Purpose limitation rewrite is especially restrictive for those who have historic consents

One of several entirely remodelled provisions, the DUAA amends UK GDPR to require all further processing of personal data to be compatible and makes consent the main method to ensure compatibility unless one of a list of derogated purposes in a new Annex 2 to UK GDPR applies. This list is very similar to the Annex 1 list of recognised legitimate interests. Other laws pursuing Article 23 objectives can also provide derogations. 

The key compatibility risk for researchers is in Article 8A(4), which practically requires reconsenting for research if consent was the original lawful basis, as the available derogations in this case do not cover this type of reuse. This is true even where that consent was obtained pre-GDPR. Going forward, UK researchers should take particular care not to confuse consents obtained on ethical or confidentiality grounds as the appropriate lawful basis for studies or trials. 

New notice exemption for directly collected data further processed for research

This is the main boon for research, contained in a new specific exemption to Article 13 UK GDPR. A new notice is not required where the data will be validly further processed for scientific or historical research, public interest archiving or statistical purposes, provided that supplying such a notice would be impossible or involve disproportionate effort. Specific criteria provided in Article 13(6) explain what needs to be considered when evaluating disproportionate effort, and there is still a need to include the relevant information in a public facing notice. This will particularly assist in the reuse of historic data sets (unless, of course, these relied on consent as their lawful basis).

New, narrow definition of processing for statistical purposes

A new definition is supplied for processing for statistical purposes, which limits its scope as a valid basis for processing. It can only cover processing that seeks to produce statistical surveys or results that are aggregated, where neither the original data nor the outputs will be used to take decisions in relation to anyone whose data was used in the process. Both the limitation on using the underlying original data for decision-making and the choice to use aggregate, rather than simply anonymous, data as the minimum de-identification standard particularly limit the types of processing for which this basis remains useful.

Data subject rights – a new right to complain coming in June, but relaxations on DSAR clarification and significant automated decisions may help now

A new right to complain – but not yet…

The DUAA’s clearest change to data subject rights was the introduction of a brand-new right to complain, with its own bespoke response deadline requiring controllers to acknowledge a complaint within 30 days, with a full response ‘without undue delay’. This, however, is a key part of the DUAA’s DP reforms that is still waiting for its moment in the sunlight. This will come into force instead on 19 June 2026. 

By this time, we should have the ICO’s final guidance on this new right. Its autumn draft recommended, but did not propose to insist, that controllers produce and publish complaints procedures, with information made available for individuals on how to submit complaints and how complaints will be processed. In practice, this new right may well feel like a continuation of existing practices, albeit that there will be no need for individuals to attempt to exercise another right, like an access request, to give a general compliance complaint teeth.

Small subject access adjustments with a new controller right to seek clarification when holding a large amount of personal data

UK legislators had initially considered amendments to alleviate the burden on controllers receiving tactical DSARs in the context of disputes, much like the Commission in its original EU Digital Omnibus proposals. In contrast to the final proposed Digital Omnibus text, nothing on this was finally retained in the DUAA. Instead, it introduces:

  • a new power for courts to require controllers to provide data for inspection where a determination on disclosure is needed on an access or portability request (a power they arguably already held, if minded to follow the CJEU’s judgment in C-203/22, Dun & Bradstreet Austria).
  • a wider ability for controllers to clarify expansive requests.

This second point is of potential interest to those in receipt of expansive requests for “all” personal data. Previously, the UK GDPR contained no specific right to delay compliance with requests, bar an acknowledgement of a need to confirm the identity of the data subject. In practice, long-standing ICO subject access guidance has acknowledged that clarification may also be required where a request cannot be properly understood. This was of limited use to most controllers, with the ICO’s guidance also clear that such clarification could not force an individual to narrow their request, or extend the timeline if clarification wasn’t strictly needed.

Now, as well as legislating to confirm that an identity check (if genuinely needed) pauses the clock on compliance with any data subject right, the DUAA also introduces a new Article 12A UK GDPR. As well as confirming (without changing) the way in which a month is calculated, it adds a clarification right for controllers who ‘reasonably require’ further information to identify the relevant personal data required by a DSAR and allows them to pause the clock while they await a response. Article 12A(6) explains that an example of when such information may be reasonably required includes where the controller holds ‘a large amount of information concerning the data subject’. 

In practice, some controllers may well see this as an opportunity to push individuals into narrowing their requests, or at least to buy themselves a little more time while individuals consider their options. Some may even be tempted to argue that an individual who refuses to clarify their request could be refused a response on the grounds that the request is therefore manifestly excessive. This would be risky - the ICO’s recently updated subject access guidance, published quietly in December 2025, says that, in such circumstances, a controller ‘should’ still comply by making reasonable searches based on their own judgements. The updated guidance also suggests, perhaps controversially, that whether a controller holds a ‘large amount of information’ should be assessed based on the controller’s own size and resources.

A substantial relaxation on significant solely automated decisions

There is a major rewrite of Article 22 UK GDPR, which is replaced by four new Articles 22A-22D. What is a ‘solely’ automated decision is clarified, to explain that it is a decision with ‘no meaningful human involvement’. Such significant automated decisions are also prohibited where they are based on the new ‘recognised legitimate interest’ ground. 

The most noteworthy change, however, is that it is only such significant automated decisions that result from the processing of special category data that retain the GDPR’s original narrow permissive routes, requiring the explicit consent of data subjects or contractual necessity. Instead, where special category data is not involved, new Article 22C reverts the UK regime to a position similar to the one under the old Data Protection Act 1998, with such significant decisions permitted, provided that safeguards involving clear notice to data subjects and rights to contest, make representations and seek human intervention in such decisions are put in place. For those seeking to make use of AI tools in various settings, from recruitment to fraud detection, this relaxation is genuinely helpful in removing a barrier to innovation, provided other privacy obligations are met.

A rewritten exemption to Article 14 notices, giving proportionality criteria

As redrafted, this is a little clearer, and de-coupled from an emphasis on research purposes, although neither the courts nor the ICO had previously treated these provisions as being limited in this way. Those relying on disproportionate effort, like researchers seeking to rely on the new Article 13 exemption, now have specific grounds to consider when assessing the proportionality of that effort.

Adjust for the initial data transfer regime changes, but watch for potential simplification over time

There are initially marginal changes to the UK data transfer regime, which may lead to further divergence from the EU in future. The familiar structure is retained: adequacy decisions first, safeguards second, and derogations last. The obligation for exporters to risk assess transfers remains too. The language has shifted, however, and the overall approach is more explicitly risk based. 

The most visible change is on terminology, and this ought to be included when updating notices and ROPAs. “Adequacy decision” gives way to the “data protection test” – a term that also replaces transfer risk or impact assessment. Adequate countries are now countries approved by regulation. Controllers relying on adequacy to make transfers may wish to update their privacy notices to instead refer to transfers to countries passing the data protection test or approved by regulations. 

The new test asks whether the standard of data protection in the destination country or organisation is “not materially lower” than in the UK. This will be an assessment for the UK government, involving more flexible considerations than those under EU GDPR. Over time this may lead to divergence in “adequate” countries in relation to the UK versus the EU.

As for transfer impact assessments, exporters from the UK will also need to apply the new test when assessing their own transfers (although since the test is more flexible, existing assessments won’t need to be revisited immediately). The test for exporters is less detailed than that for the UK Government. Crucially, it includes an explicit “reasonable and proportionate” standard whereby exporters can take account of the nature and volume of data being transferred (under Art. 46(1A) and (6)-(7)). This should allow UK exporters to streamline and simplify their transfer risk assessments.

Finally, the UK Government is empowered to approve new clauses which of themselves would ensure the data protection test is met. This would remove the need for any exporter risk assessment – but is not a power being used immediately.

Pay heed to new ICO powers – but it still isn’t the Information Commission yet

All the new investigative and enforcement powers granted to the Information Commissioner under the DUAA are being commenced. Importantly, while the investigative powers can be used to investigate old conduct prior to commencement, new enforcement powers have limited application to old conduct. Key updates to powers include:

  • Expanded information notice rights to permit a notice requiring specific documents to be provided.
  • A new power to require a controller or processor to appoint an approved person to prepare a report for the Commissioner on a specified topic (e.g. a forensic report on the causes of a data breach).
  • A new power to require personnel employed by or involved in managing a controller or processor suspected of wrongdoing to attend an interview. This doesn’t allow specific individuals to be summoned, and there are exemptions for privilege and against self-incrimination, but there is an offence for providing a knowingly or recklessly false statement and a power to penalise the relevant organisation where it does not comply with interview notices.

Final changes to the ICO’s structure, and conversion to the Information Commission, are still to follow.

Keep an eye on non-DUAA changes that may appear in DUAA-prompted ICO guidance

The ICO has a lengthy to-do list to update its guidance as a result of DUAA changes. The ICO’s updated subject access guidance, mentioned above, is an example of such guidance. While some of those changes are certainly DUAA-prompted, it is important to watch updated guidance to assess any other wider change to ICO approaches.

In the case of subject access, the ICO’s new guidance has been updated to take account of the judgment in Harrison v Cameron & Anor [2024] EWHC 1377 (KB), published in June 2024. The High Court is a first instance jurisdiction, but its decisions nonetheless bind the ICO unless and until higher precedent comes along – which no longer automatically includes post-Brexit CJEU judgments. This case took an oddly selective view of the available CJEU case law on the right of access to the identity of specific recipients under Article 15(1) GDPR, adopting from C-145/21 ‘Austrian Post’ a determination that specific information about the recipients of personal data ought to be disclosed following a subject access request, unless this is disproportionate or impossible, but silently disregarding C-579/21 ‘Pankki’, which held that under the identical wording of EU GDPR, employees of a controller are not to be considered recipients. Without commenting on or clearly being aware of that case, Steyn J argued in Harrison that such arguments were ‘not supported’ by the language of Article 15(1), and that employees should be considered recipients. The ICO guidance has been updated to reflect this approach, at odds with the position under the EU GDPR. Businesses should pay attention to other subtle ways in which UK data protection approaches might yet diverge.

If you need help updating your approaches to meet the revised UK GDPR obligations, or in understanding what changes might allow you to do more, reach out to your usual Bird & Bird privacy contacts today, or to the Bird & Bird International Privacy & Data Protection team here, or contact a global member of the team here.
