8 things you should know about upcoming changes to data protection laws
The Data (Use and Access) Act 2025 (DUA Act) establishes a new framework designed to make the UK’s data protection and privacy rules clearer and easier to follow. Most of the provisions are not yet in force and will be introduced gradually. The new law will have significant implications for businesses. It’s wise to start preparing now. Below, you’ll find the key changes you need to be aware of.
What you should know about re-using personal data for other purposes
Privacy notice
If you process and re-use personal data for research purposes, you will not have to give a privacy notice to the relevant individuals, if providing the privacy notice would be a disproportionate effort. You must, however, protect the individuals’ rights in other ways, and make a privacy notice publicly available, for example by posting it on your website.
Purpose limitation
It will be easier to reuse personal data for new purposes. Currently, it is only possible to reuse personal data for a new purpose if the new purpose is compatible with your original purpose, you obtain the data subject’s consent, or you have a clear obligation or function set out in law. Soon, you will be able to assume that specific re-uses of personal data are compatible with the original purpose you collected it for, without having to carry out a compatibility test. These compatible new purposes include archiving in the public interest and protecting the vital interests of data subjects and others. If the personal data was originally collected under the lawful basis of consent, this new rule only applies if it is not reasonable to expect you to obtain new consent.
What you should know about lawful bases of processing personal data
New “recognised legitimate interests” lawful basis
You may be able to use personal data for a “recognised legitimate interest”, which will be a new lawful basis for processing personal data. Recognised legitimate interests include, for example, public security and safeguarding vulnerable individuals. While you will still need to assess whether the use of the personal data is necessary for the purpose you have identified, this new lawful basis does not require you to carry out the additional balancing test that weighs the benefits of the processing against the impact on the rights and freedoms of the people whose personal data you are using.
Direct marketing
The Act clarifies that specific types of processing of personal data may count as legitimate interests: direct marketing, intra-group transfers for administrative purposes, and ensuring the security of network and information systems. Previously, these examples were listed as possible legitimate interests in the recitals of the UK GDPR. However, recitals are not legally binding and merely provide guidance on how to interpret the law. These examples have now become legally binding, so companies will have greater clarity about what may count as a legitimate interest. When it comes to direct marketing, it is important to note that while this clarifies the GDPR, the rules under PECR will still apply to individual subscribers. Relying on legitimate interests for direct marketing will therefore only be an option where the direct marketing is directed at corporate subscribers. Under the PECR rules, as a general rule, a company can only send direct marketing to individual subscribers if they have previously consented to receiving it. An exception, the so-called “soft opt-in”, applies only where the company has obtained the recipient’s contact details in the course of the sale or negotiations for the sale of a product or service to that recipient, the direct marketing relates to the company’s similar products and services only, and the recipient has been given a simple means of refusing the use of their contact details for such direct marketing (i.e. opting out or unsubscribing).
Scientific research
Collection of personal data for scientific research might be made easier in the future: individuals will be able to consent to their personal data being used for a broad “area of scientific research”. The definition of scientific research itself will also be clarified. It can include commercial research, processing for technological development or demonstration, fundamental or applied research, and public health research.
What you should know about dealing with data subjects
Subject access requests
The Act gives guidance on the procedures that should be followed if you receive a subject access request. The time limit you have to respond to a subject access request starts when you receive the request; or, if required, any information requested to confirm the requester’s identity; or, if required, a fee for responding to a manifestly unfounded or excessive request. Controllers may pause the time limit to ask for clarification related to the request (this is called “stopping the clock”). The time limit is paused until the controller receives the necessary information. When dealing with subject access requests, you will now only have to carry out reasonable and proportionate searches for relevant information.
Data subject complaints
Individuals now have the right to complain to controllers in relation to the use of their personal data. If you receive a complaint, you will need to support individuals to make these complaints, for example by providing an electronic complaints form. You must also acknowledge complaints within 30 days and advise the complaining individual of the outcome without undue delay.
What you should know about automated decision-making
“Automated decision‑making” refers to decisions made entirely by automated means, without any human input – this can include profiling. You will soon be able to use personal data to make significant automated decisions about data subjects more easily. Currently, automated decision-making is restricted unless it is necessary for the purposes of a contract, permitted by UK law, or done with the consent of the data subject. Soon, companies will be permitted to make automated decisions in a wider range of circumstances as long as they have appropriate safeguards in place. However, special category data will continue to enjoy greater protection in this regard.
What you should know about charities and the marketing soft opt-in
Charities will soon be able to rely on a “soft opt-in” for electronic marketing. If charities collect personal data from supporters or donors who have offered support or shown interest in their charitable purposes, they may send those individuals marketing emails. However, the charities must give the individuals the possibility to object or “opt‑out” if they do not wish to receive further direct marketing.
What you should know about cookies
Currently, you are allowed to set strictly necessary cookies without having to get consent. In the future, you will also be able to set cookies for statistical or functional purposes without having to get consent. You will need to provide clear and comprehensive information about the purposes of the tracking done by the cookies, and you will need to provide a new right to object or “opt out” free of charge.
What you should know about PECR penalties
The Privacy and Electronic Communications Regulations (PECR) include specific rules on electronic marketing, the use of cookies (and similar technologies), and the security of public electronic communications services. The maximum fine that can be imposed by the ICO will soon be raised to £17.5m for certain failures, or 4% of the total worldwide annual turnover of the preceding financial year.
What you should know about online services that are likely to be used by children
There will be stricter rules for providers of online services that are likely to be used by children. When setting up technical and organisational measures to comply with data protection rules, these providers must take into account how they can best protect and support children using the services; the fact that children merit specific protection with regard to their personal data, because they may be less aware of the risks and consequences involved; and the fact that children have different needs at different ages and at different stages of development.
Next steps
Over the next year, as the rules of the Act come into force, companies should ensure that they still comply with updated data protection laws.
For this purpose, companies should review:
- their privacy policies and related data protection policies and documents;
- their procedures for dealing with subject access requests and data subject complaints;
- their current cookie practices;
- any procedures for processing personal data for research purposes or by means of automated decision-making.
How can we help?
The IP, Data and Contracts team at MBM Commercial can give legal as well as commercial advice on data protection matters. We can help with general compliance as well as privacy notices, consent forms and appropriate contract provisions. Seeking legal advice is crucial to help with compliance, so get in touch with us today and we can get you set on the right path going forward.
This article does not constitute legal advice and should not be relied upon for business or legal decisions.