
What the UK Data (Use & Access) Act 2025 means for your privacy policy
The UK Data (Use and Access) Act 2025 (the ‘DUA A’) received Royal Assent on 19 June 2025. The first provisions came into force on 19 and 20 August 2025, and the next set came into force on 5 February 2026, with more expected later. This is a good time to review your privacy policy to understand what changes may be needed to remain compliant.
This article focuses on some of the key changes privacy policies need as a result of the DUA A, and addresses how businesses should prepare.
1. Changes to cookie requirements
The new law (through amendments to PECR) removes the consent requirement for certain low-risk cookies, such as those used for statistical (analytics) purposes or to provide functionality the user has asked for, provided users are given clear information about them and a simple way to object. Consent for strictly necessary cookies has never been required, and this remains unchanged. You must still give clear information about the types of cookies you use and the data uses associated with each.
These changes offer organisations some breathing space if they are collecting only minimal data through cookies. However, organisations should still include this information in their privacy or cookie policies and update any other relevant documentation where necessary.
2. Fines under Privacy and Electronic Communications Regulations (PECR)
The fines under PECR will increase to align with UK GDPR: from a maximum of £500,000 to £17.5 million or 4% of annual worldwide turnover, whichever is higher. For example, if opt-in consent is required for the electronic marketing you intend to carry out, failing to obtain it now exposes you to a far larger potential fine.
Now is the perfect opportunity to revisit your privacy policy, check that it reflects the marketing preferences setup you actually operate, and make sure it is in accordance with PECR.
3. Automated Decision Making (ADM)
At present, individuals in the UK and EU have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Automated Decision Making, or ADM). Under the changes, the UK keeps that prohibition only for decisions based on special category data; other significant ADM is permitted as long as safeguards are in place. The key point is that organisations may carry out ADM provided it is transparent and individuals can make representations, obtain human intervention and contest the decision. This should be clearly outlined in any relevant policy. Remember that staff privacy notices should also be updated to tell staff how their information is used.
4. The IC Oh?
The Information Commissioner’s Office (ICO) is to be replaced by a new body called the Information Commission. The name change may not seem significant, but it comes with substantial structural and functional reforms. The new body will have expanded powers, including the ability to require expert reports at the controller’s or processor’s expense. It will also be able to issue interview notices to anyone in an organisation, including former employees. How far its reach will extend in practice is yet to be seen.
The Act also replaces the Commissioner’s role with a Chair and a board of executive and non-executive members. Finally, the Information Commission may decline to consider a complaint that the individual has not first raised with the organisation, potentially reducing the number of complaints reaching the regulator.
5. The right to complain
The new legislation introduces a new right: the right to complain directly to the controller. Controllers must provide a means for individuals to complain, acknowledge a complaint within 30 days and respond without undue delay. The Information Commission may decline to take up a complaint that has not first been raised with the controller.
It’s worth noting that this applies only to UK GDPR matters. For example, if an individual is unhappy with how a Subject Access Request (SAR) has been handled, or believes their data has been misused or lost, they can use this right.
However, it does not override any existing rights outside of the UK GDPR. For instance, under the Landlord and Tenant Act 1985, individuals can use a Complaints Handling Procedure to address service charge disputes or communication issues. That procedure remains separate and individuals would still need to follow it for matters falling outside the scope of data protection law.
The immediate impact is that controllers should reference this right in their privacy policies and provide clear, accessible channels for individuals to submit complaints.
6. Data (Use & Access) Act reworded definitions and terminology
Some terminology is adjusted, but the core definitions are unchanged. Personal data still means data relating to an identified or identifiable living individual; the Act adds a statutory test for when an individual is ‘identifiable’, judged by what the controller, or another person likely to obtain the data, can reasonably achieve. Note that the proposal to replace Records of Processing Activities (RoPA) with lighter ‘appropriate records of processing’ required only for high-risk processing came from the earlier Data Protection and Digital Information (DPDI) Bill, which fell at the 2024 general election. The DUA A does not enact it, and the Article 30 record-keeping requirements continue unchanged.
The Act does add a new lawful basis of ‘recognised legitimate interests’ alongside the existing bases, so reviewing and rewording the sections of your policy that reference lawful basis or processing purposes will help keep your organisation aligned with the new legislation.
7. International data transfers
If you conduct international data transfers, you may need to amend your privacy policy to explain the legal mechanisms you rely on. Under the DUA A, the UK is relaxing some of the transfer rules.
Under the new legislation, the question is whether the standard of protection in the recipient country, or under the safeguards you use, is ‘not materially lower’ than the standard under UK law. This is known as the ‘data protection test’. It is applied by the Secretary of State when making adequacy regulations, and by organisations themselves, acting reasonably and proportionately, when relying on appropriate safeguards such as the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
For example, let’s imagine that Westbrook Data Protection Services (WDPS) outsources its payroll to the US. Under the current rules, unless the provider is certified under the UK Extension to the EU–US Data Privacy Framework (the ‘UK–US data bridge’), WDPS would need to put the IDTA or Addendum in place with the payroll provider and conduct a Transfer Risk Assessment (TRA). Under the new rules the safeguard is still needed, but the assessment changes: WDPS must be satisfied, reasonably and proportionately, that the protection the safeguard provides is not materially lower than in the UK, rather than carrying out the more exhaustive analysis the previous TRA approach implied. Where the recipient is covered by adequacy regulations, such as a data bridge-certified provider, no safeguard or assessment is needed at all.
8. Senior Responsible Individual
You may have read that organisations would need to appoint a Senior Responsible Individual (SRI) in place of a Data Protection Officer (DPO). That proposal was part of the earlier DPDI Bill, which fell at the 2024 general election, and the DUA A does not include it. The UK GDPR Article 37 requirement to appoint a DPO is unchanged: public authorities, organisations whose core activities involve large-scale regular and systematic monitoring, and those processing special category or criminal offence data on a large scale must still appoint one. This remains particularly relevant to sectors such as healthcare and HR, which routinely process sensitive personal data.
If you operate within the EU, the EU GDPR rules on DPO appointment also continue to apply.
It’s worth noting that a single DPO can cover both UK GDPR and EU GDPR compliance, provided they are properly resourced and accessible for both, and the same expert-knowledge and independence requirements apply under each regime.
You must ensure that your DPO’s contact details are included in your privacy policy (UK GDPR Articles 13 and 14 require this), along with a brief explanation of their responsibilities.
Example wording:
“Our DPO is X and oversees our compliance with the UK GDPR and, where it applies, the EU GDPR. They can be contacted at email@example.com.”
If the same person acts as DPO for both regimes, you only need to name one individual.
9. Data subject access requests (DSARs)
Organisations can breathe a sigh of relief knowing that DSAR searches are now limited to what is “reasonable and proportionate”. This change is intended to reduce the time and cost involved in responding to complex or excessive requests.
This also means that individuals will be expected to be more specific about the scope of their request. However, the individual remains entitled to all the personal data that a reasonable and proportionate search turns up, so the limit is on the search effort, not on what must be disclosed.
The DUA A also changes how the clock runs. The standard response time remains one month, and the existing option to extend by up to two further months for complex or numerous requests is unchanged. What is new is that the time limit is paused while the controller is reasonably waiting for the individual to confirm their identity or clarify the request, and resumes once that information is received. Reflecting this in your policy will keep you ahead of the curve.
10. Children’s data
If your online services are likely to be accessed by children under 18, the Data (Use & Access) Act strengthens the safeguards you must apply. It amends the data protection by design duty so that you must take into account children’s higher protection needs when deciding what measures to implement. In practice that means assessing the specific risks to children (a Data Protection Impact Assessment is the natural vehicle, and the ICO’s Children’s Code expects one), building privacy by design in so your services meet higher, age-appropriate standards, and documenting the enhanced safeguards you have in place.
Explaining this in your policy helps build trust and supports SEO rankings. See our blog post on SEO Rankings for more details.
Conclusion
Having witnessed the evolution of privacy policies over the past 25 years, this change truly highlights how quickly the landscape is now shifting. This reform will likely become a driving force in the government’s push for economic growth and innovation, particularly within the tech sector.
If you’re unsure whether your current privacy policy meets legal requirements—or you’re starting from scratch—WDPS can help. We specialise in creating tailored, compliant, and practical privacy policies that protect your business and build trust with your customers. Get in touch with us today to make sure your privacy practices—and your search rankings—are on solid ground.

