Data (Use and Access) Act: changes to UK data protection law come into effect

Article | 11.02.2026 | 6 mins read

Key takeaways

Evolving UK GDPR rules bring new clarity

Changes to lawful bases and the purpose limitation principle.

Attempts to make data protection rules simpler for organisations

Updated SAR processes, research provisions, and cookie rules reduce friction.

Stronger enforcement and new user protections

Higher PECR fines and upcoming complaint rights raise accountability.

Important changes to UK data protection law, some of which were first proposed in 2021, finally came into effect.

The reforms were part of a wider package of data laws in the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025 but was to be commenced in stages over a 12-month period.

The latest and sixth set of commencement regulations were published on 29th January 2026, bringing the following changes to UK data protection law into force from 5 February 2026:

  • Changes to the lawful basis provisions under Article 6 of the UK GDPR, including introducing “recognised legitimate interests” such as sharing personal data with government regulators;

  • Clarifying the purpose limitation principle in the UK GDPR, including a list of types of processing which may be treated as compatible with the original purpose;

  • Changes to facilitate research including a new definition of consent for scientific research;

  • Changes to what the legislation says about responding to data subject requests, updating the UK GDPR to reflect ICO guidance. These include updating the legislation to clarify the extent of searches that must be undertaken for personal data and inserting a ‘stop the clock’ provision so that controllers can seek clarification for a subject access request (SAR) where needed;

  • Relaxing the restrictions on using certain personal data for automated decision making in some circumstances;

  • Changes to rules on cookies including allowing certain cookies to be used without consent;

  • Increased maximum fines under the Privacy and Electronic Communications Regulations from £500,000 to £17.5 million or 4% of annual global turnover;

  • A more risk-based approach to international transfers of personal data outside of the UK via the introduction of a new test for the UK government to consider when deciding whether another country has adequate data protection laws; and

  • Information standards for health and adult social care published under the Health and Social Care Act 2012 being expanded to apply directly to IT providers as well as health and social care providers.

The following changes come into force later in the year on 19 June 2026:

  • Individuals have a new right to complain about the handling of their personal data and controllers have certain obligations to facilitate and deal with complaints, including acknowledging complaints within 30 days.

The government intends that the reforms will make data protection rules simpler for organisations, encourage innovation, and allow responsible data-sharing while maintaining high data protection standards. However, the reforms are evolutionary, rather than revolutionary – there are no dramatic changes in approach to any specific area, or data protection rules generally. Therefore, the relevance and benefits of these changes will depend greatly on your organisation, sector and use of data.

For further information or support on the changes, please contact us.

Our latest in-house lawyers webinar on Thursday 26 February will discuss these latest developments and touch on data issues such as class actions, pseudonymisation, DSARs, and more. If you would be interested in attending this session, register here.
