
UK Data Protection in 2026: The Data (Use and Access) Act 2025, GDPR Compliance, ICO Fines, and What Businesses Must Do

April 2026 · By LexForm Research · Data (Use and Access) Act 2025, UK GDPR, Data Protection Act 2018

The UK's data protection regime has undergone its most significant transformation since the country left the European Union. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, has introduced a series of reforms that alter how organisations collect, process, store, and share personal data. With key provisions having taken effect on 5 February 2026 and further changes expected by mid-2026, businesses operating in or serving customers in the United Kingdom must understand the new rules or risk substantial penalties. This article examines the current state of UK data protection law, the specific changes introduced by the DUAA, and the practical steps businesses should take to remain compliant.

The Legal Framework: UK GDPR, DPA 2018, and the DUAA

UK data protection law currently rests on three pillars. The first is the UK General Data Protection Regulation (UK GDPR), which is the retained EU law version of the GDPR, adapted for the UK after Brexit. The second is the Data Protection Act 2018 (DPA 2018), which supplements the UK GDPR and provides additional provisions for law enforcement processing, intelligence services, and other matters. The third, and newest, is the Data (Use and Access) Act 2025, which amends both the UK GDPR and the DPA 2018 in several important respects.

Together, these three instruments create a data protection regime that is broadly similar to the EU GDPR but is now diverging from it in meaningful ways. Organisations that operate across both the UK and the EU will need to maintain compliance with both regimes, which is becoming an increasingly complex task.

Key Changes Introduced by the DUAA

The DUAA introduces several reforms that will affect most businesses. The first concerns automated decision-making. Under the previous regime, Article 22 of the UK GDPR imposed a general prohibition on decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals. The DUAA has narrowed this prohibition. The restriction now applies only where the automated decision involves special category data, such as health information, racial or ethnic origin, religious beliefs, or biometric data. For automated decisions that do not involve special category data, the blanket prohibition has been removed, though organisations must still ensure that such processing is fair and transparent.

The second significant change is the introduction of "recognised legitimate interests" as a new lawful basis for processing. The UK GDPR requires organisations to have a lawful basis for processing personal data, and legitimate interests has always been one of the available bases under Article 6(1)(f). However, the DUAA creates a category of recognised legitimate interests for which the usual balancing test against the data subject's rights is not required. These include processing necessary for crime prevention, safeguarding vulnerable individuals, responding to emergencies, safeguarding national security, and assisting bodies carrying out public interest tasks. Businesses whose processing falls within these categories now have a simpler compliance path.

The third change relates to data subject complaints. The DUAA imposes a new obligation on organisations to maintain a formal complaints process for data protection matters. Organisations must provide individuals with a way to raise complaints, acknowledge receipt within 30 days, and investigate complaints without undue delay. This is a new procedural requirement, and the ICO is expected to produce guidance on what constitutes an adequate complaints process. The deadline for organisations to implement this requirement is June 2026.

The fourth change concerns Subject Access Requests (SARs). The DUAA codifies a "reasonable and proportionate" standard for searching for and retrieving personal data in response to SARs. This means that organisations are no longer expected to conduct exhaustive searches of every system and backup for every request. Instead, the search must be proportionate to the nature of the request and the resources of the organisation. This is a welcome clarification for businesses that have struggled with the cost and burden of responding to broad SARs.

Cookie Consent and PECR Reforms

The Privacy and Electronic Communications Regulations 2003 (PECR) govern electronic marketing and the use of cookies and similar technologies. The DUAA makes two important changes to PECR. First, it aligns the maximum penalty for PECR breaches with that under the UK GDPR. Previously, the maximum fine under PECR was capped at 500,000 pounds. Under the new provisions, the ICO can now impose fines of up to 17.5 million pounds or 4% of global annual turnover, whichever is higher, for PECR violations. This change elevates cookie compliance and electronic marketing compliance to the same level of financial risk as core data protection obligations.

Second, the DUAA introduces exemptions from the cookie consent requirement for certain categories of cookies. Cookies used for analytics, preference management, website optimisation, or security purposes may no longer require explicit opt-in consent. This is a departure from the EU approach, which continues to require consent for most non-essential cookies. Businesses operating in both the UK and the EU will need to maintain separate cookie consent mechanisms for each jurisdiction.

International Data Transfers

The DUAA modifies the framework for international data transfers. Under the previous regime, transfers of personal data outside the UK were permitted only if the destination country had been assessed as providing an "essentially equivalent" level of data protection. The DUAA replaces this standard with a new test: the third country's protections must be "not materially lower" than those provided under UK law. This lower threshold is intended to make it easier for the UK to grant adequacy decisions to more countries, facilitating international trade and data flows.

For businesses, this change may simplify cross-border data transfers in some cases, but it also means that the UK's adequacy status with the EU could come under scrutiny. The EU's adequacy decision for the UK, which currently allows data to flow freely from the EU to the UK, is due for review, and any perception that UK standards have been lowered could jeopardise that decision.

ICO Enforcement and Fines

The Information Commissioner's Office (ICO) remains the primary regulator for data protection in the UK. The DUAA restructures the ICO, which will be rebranded as the "Information Commission" and will operate under a new governance structure with a board of commissioners rather than a single commissioner. This structural change is intended to improve accountability and oversight.

The ICO's enforcement powers remain substantial. For serious breaches of the data protection principles, the ICO can impose fines of up to 17.5 million pounds or 4% of annual worldwide turnover, whichever is higher. For less serious breaches, the standard maximum is 8.7 million pounds or 2% of worldwide turnover. The record fine of 14 million pounds imposed on Capita in 2025 for data security failures signals that the ICO is willing to use its full enforcement powers against large organisations.

The ICO has published guidance on its fine calculation methodology, which takes into account the nature, gravity, and duration of the infringement; the number of data subjects affected; the degree of negligence or intent; any mitigating steps taken; the categories of personal data affected; and the organisation's financial position. Cooperation with the ICO during an investigation is treated as a mitigating factor, while obstruction or repeated non-compliance can increase the penalty.

Children's Data

The DUAA codifies additional protections for children's data. If an organisation provides an online service that is likely to be accessed by children, it must take the needs and rights of children into account when deciding how to process their personal data. This builds on the existing Age Appropriate Design Code (Children's Code) issued by the ICO, which sets out 15 standards for online services that are likely to be used by children under 18. The DUAA gives these protections a statutory footing, increasing the legal risk for organisations that fail to comply.

Practical Steps for Businesses

Businesses operating in the UK should take several immediate steps to ensure compliance with the new regime. First, review and update your data protection complaints process. The June 2026 deadline for implementing formal complaints handling is approaching, and organisations should ensure they have an electronic complaints form, a system for acknowledging complaints within 30 days, and a process for investigating and resolving them promptly.

Second, review your lawful bases for processing. If any of your processing activities fall within the new "recognised legitimate interests" category, update your privacy notices and records of processing activities accordingly. If you rely on automated decision-making, assess whether the narrowed prohibition under the DUAA affects your operations.

Third, review your cookie consent mechanisms. If you currently seek consent for analytics, preference, or security cookies, you may be able to simplify your consent mechanisms under the new PECR exemptions. However, if you also serve EU users, you will need to maintain EU-compliant consent mechanisms for those users.

Fourth, review your international data transfer mechanisms. The new "not materially lower" standard may open up new transfer routes, but you should not assume that existing mechanisms are automatically compliant. Standard contractual clauses, binding corporate rules, and transfer risk assessments remain relevant tools.

Fifth, ensure that your SAR response process reflects the "reasonable and proportionate" standard. Document your search methodology and the systems you search for each request, so that you can demonstrate compliance if challenged.

The UK data protection regime is evolving rapidly. The DUAA represents a deliberate decision to diverge from the EU approach in several areas, creating both opportunities and challenges for businesses. Those that stay ahead of the changes will be well positioned; those that do not risk enforcement action, reputational damage, and the loss of customer trust.
