The UK amends its data laws… but there’s more to come!
The latest phase of the Data (Use and Access) Act 2025 (DUAA) was implemented on 05 February 2026, brought in by The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026. This is the latest stage of the phased implementation plan which was outlined by the UK Government to help ensure a smooth adoption of the DUAA’s provisions by both businesses and regulators. It introduces many of the remaining data protection provisions, with the final stage of the DUAA’s implementation, on Section 103 and Schedule 10 (the requirement for organisations to have a complaints procedure), expected to commence on 19 June 2026.
For a quick refresher on what the DUAA covers, you can read our previous blogs on the DUAA here and here.
Key features of the latest implementation phase of the DUAA
Recognised Legitimate Interests
As reported in our previous blog here, the DUAA introduces the new lawful basis of ‘recognised legitimate interest’ (Article 6(1)(ea) UK GDPR). The new lawful basis of ‘recognised legitimate interest’ allows organisations to process personal data necessary for certain ‘recognised’ legitimate interests with no obligation to balance the processing activities against the rights of data subjects under a Legitimate Interests Assessment. Annex 1 UK GDPR lists the following as ‘recognised’ legitimate interests:
- safeguarding national security;
- protecting public security;
- defence purposes;
- responding to an emergency;
- detecting, investigating or preventing crime;
- apprehending or prosecuting offenders; and
- safeguarding a vulnerable individual.
While Legitimate Interest Assessments are not strictly required for processing carried out on grounds of recognised legitimate interests, these assessments remain a useful tool for controllers to document their decision to process personal data relying on recognised legitimate interests as their legal basis, and help to ensure processing of personal data remains necessary for the purpose(s) it was collected.
Data subjects still have a right to object to a controller’s processing on the basis of recognised legitimate interests in the same way they do for processing based on legitimate interests.
The ICO is set to release updated guidance on recognised legitimate interests in Winter 2025/2026 and the right to object in Summer 2026.
Cookie Consent
The requirement to obtain cookie consent has been relaxed in the latest phase of the DUAA. Organisations are no longer required to obtain cookie consent for using cookies where deployment and use of such cookies are non-intrusive and pose a low risk to user privacy. However, organisations must still provide the user with the right to opt out of such cookies, which separates them from ‘strictly necessary cookies’, which do not require consent or a right to opt out. Examples of non-intrusive cookies include:
- statistical data analytics cookies for website improvement;
- functional cookies for user experience or website appearance; and
- security cookies or cookies used for the prevention or detection of fraud.
The ICO is due to release new and updated guidance on Cookies in Spring 2026.
Data Subject Access Requests
The DUAA now codifies certain aspects of UK case law and regulatory guidance. These include:
- Chapter 3, Section 1, Article 12A – ‘stop the clock’: when awaiting clarificatory information from the data subject, the one-month deadline to respond to a DSAR is put on pause (the ICO has guidance on this here); and
- Chapter 3, Section 2, Article 15 – the data subject is only entitled to personal data that the controller is able to provide based on a “reasonable and proportionate” search for their personal data. This amendment ensures that while individuals have a right of access, controllers are not obligated to conduct exhaustive searches if doing so is disproportionate or unreasonable. However, there remains a high threshold regarding the personal data a data subject may access and what constitutes a reasonable and proportionate search. For example, an organisation using social media platforms such as Facebook, WhatsApp, Twitter and chat channels on Microsoft Teams for business purposes, would be expected to search these platforms for any personal information if it falls within scope of the DSAR.
Automated Decision Making
Perhaps the most impactful change resulting from this phase of implementation of the DUAA is the removal of the previous blanket prohibition on automated decision making. The change shifts the law from strict prohibition to a more flexible approach that permits automated decision making provided that certain safeguards are observed. This opens up new strategic opportunities for organisations to use automated decision making and AI in their businesses in the UK.
Organisations who carry out automated decision making must adhere to the following safeguards:
- provide the data subject with information about decisions;
- enable the data subject to make representations about such decisions;
- enable the data subject to obtain human intervention on the part of the controller; and
- enable the data subject to contest such decisions.
It is important to note that the prohibition of automated decision making remains in effect for ‘significant’ decisions involving special category data. ‘Significant’ decisions are defined as decisions that produce a legal effect or similarly significant effect for the data subject.
ICO updated guidance
The ICO is expected to release updated guidance throughout this year. Please see the ICO website here for the full list of new and updated guidance expected.
We will continue to monitor developments closely and provide updates on the remaining stages of implementation of the DUAA and the release of new and updated guidance published by the ICO.
If you have any questions or would like to discuss any of the topics in this article, please contact Selina Clifford in our Intellectual Property team.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog. Please also see a copy of our terms of use here in respect of our website which apply also to all of our blogs.
© 2025 Edwin Coe LLP