On 19 June 2025, the Data (Use and Access) Act 2025 received Royal Assent, ushering in the most significant update to the UK’s data protection framework in years.
What happens to the Data Protection Act 2018 & UK GDPR?
The Data Protection and Digital Information Act 2025 amends the Data Protection Act 2018, the UK GDPR, and related legislation to modernise the UK’s data framework post-Brexit. It introduces greater flexibility in data processing, streamlines subject access request handling, and enables recognised legitimate interests as a new lawful basis.
The Act also lays the foundation for smart data initiatives and digital identity verification, strengthens enforcement powers of the ICO (soon to become the Information Commission), and updates rules on cookies, privacy, and international data transfers, marking a significant shift in how organisations must manage data responsibly and effectively.

What does this mean for your organisation?

| Key Area | Development | Action |
|---|---|---|
| Data Subject Access Requests | Levels of effort must now be proportionate when responding to DSARs, codifying longstanding ICO guidance. | Update policies and procedures |
| Automated Decision Making | The Act narrows rules on ADM, offering clearer guidance on when and how automated processes can be lawfully used. | Update policies and procedures |
| Cookies & ePrivacy | New rules allow certain website analytics cookies without consent. | Review consent models and documentation |
| International Data Transfers | The threshold for data transfers shifts from “essentially equivalent” to “not materially lower,” giving the Secretary of State more flexibility. | Monitor EU adequacy developments, review existing transfer agreements in place and prepare fallback clauses. |
| Smart Data & Digital ID | Legal foundations are now in place for Smart Data Schemes (e.g., sector‑wide data sharing like open banking) and Digital Verification Services, making trusted digital IDs legally recognised for uses like renting or age checks. | |
| Children’s Data Protection | Services likely to be used by children now face stricter “higher protection” requirements. | Review data protection safeguards including Data Protection Impact Assessments, Privacy Notices and any Data Agreements in place. |
| Recognised Legitimate Interests | Introduces recognised legitimate interests, simplifying approval for activities like internal admin & direct marketing. | Review processing activities to ensure lawful basis identified. Update Privacy Notices and DPIAs. |
| PECR Fines | PECR fines now align with UK GDPR (up to 4% of global turnover or £17.5 million), alongside direct marketing changes. | Ensure direct marketing practices have appropriate consent mechanisms in place. |
| ICO Reform | The existing Information Commissioner’s Office will evolve into a statutory “Information Commission,” with expanded enforcement powers including compelling witnesses and issuing technical orders. | Stay alert to new guidance, structures and powers that come into force. |

With greater enforcement powers for the Information Commission and evolving expectations around transparency, it’s more important than ever for organisations to have privacy embedded not just in policies, but in culture, operations, and leadership thinking.
Not sure about the implications for your organisation? Contact us now for bespoke advice.
Jemma Handley
© Copyright JH Data Protection Limited 2025. All rights reserved.