Data (Use and Access) Act 2025

The key points behind the UK Data (Use & Access) Act 2025. Do the changes affect you?

Data (Use and Access) Act 2025 (DUAA 2025)

The Data (Use and Access) Bill, introduced in the House of Lords on 23 October 2024, represents a significant legislative effort by the UK government to modernise the nation’s data framework, following the introduction of GDPR in 2018.

On 19 June 2025, the DUA Bill was granted Royal Assent and is now known as the UK Data (Use & Access) Act 2025, or DUAA 2025.

At this point, it is important to clarify that the DUA Act 2025 will amend the existing UK data protection laws, not replace them. This means we will still have the three primary underlying laws (UK GDPR, the Data Protection Act 2018 and PECR 2003); they will just look a bit different. Some changes will take effect immediately, but most will be in place by June 2026. The ICO is currently working on updating its guidance.


Background

To give some background, reforms to data protection legislation were first proposed by the Conservative Government, which promised to “overhaul” data protection legislation post-Brexit. The early version of these reforms was more radical, even abolishing the requirement for Data Protection Officers (DPOs); you can read more about these early proposals on our Data Reform Bill 2022 page.

The Labour Government then introduced its version of the new legislation in October 2024 with far fewer significant changes; the UK and EU laws remain very closely aligned, which it is hoped will improve the chances of the UK’s post-Brexit adequacy being renewed. The renewal of the UK’s adequacy agreement by the European Commission (following Brexit) has been postponed until December 2025 to allow the new legislation to “bed in”. Realistically, however, there are unlikely to be any challenges to this and the UK’s adequacy should be renewed.

The Bill would have been passed long ago, had it not been for attempts by Peers in the House of Lords to introduce new transparency obligations on AI developers towards holders of copyright in training data. These amendments were supported by high-profile performing artists such as Elton John and Dua Lipa, who argued that tech firms could train their AI products to mimic these artists without having to pay for it. These clauses were rejected by the Commons, so they are not in the final version of the law; however, there is already a separate consultation around AI and copyright, so this is likely to be addressed in the future.


How Does The Data (Use and Access) Act 2025 Affect Me?

If you are a business owner, you may be wondering:

  • Why are these changes being made?
  • How will the new Data (Use and Access) Act affect my business?
  • What changes will I need to make?
  • What advantages will the Data (Use and Access) Act offer my business?

Whatever concerns you have, at Privacy Helper, we are committed to providing you with the up-to-date information that you need to remain compliant and informed.


Data (Use and Access) Act 2025 Explained

The UK government has described the EU’s GDPR as “highly complex”, stating that it has held businesses back from using data effectively due to “red tape and pointless paperwork”. The aims of the Data (Use and Access) Act 2025 are to:

  • Grow the economy
  • Improve public services
  • Improve the lives of citizens

This comprehensive legislation contains modifications to all privacy-related legislation in scope: the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communication Regulation 2003 (PECR).

The modifications are not as severe as those previously proposed in the Conservative Government’s Data Protection and Digital Information Bill (DPDI), so the requirements for Data Protection Officers (DPOs), Data Protection Impact Assessments (DPIAs) and Records of Processing Activities (ROPAs) remain the same.

The key changes introduced by the Data (Use and Access) Act 2025 are set out below. They will be implemented in a phased approach between June 2025 and June 2026.




Complaints to the Information Commissioner's Office (ICO)

Under the current UK GDPR, people have a right to complain directly to the ICO in relation to the processing of their personal data, irrespective of the severity of the complaint. Under the Data (Use and Access) Act 2025, individuals will first be required to contact the organisation (data controller) regarding their complaint. If they feel the organisation is not taking the complaint seriously, or the organisation fails to respond in a timely manner, the complaint can then be escalated to the ICO. It is hoped this will reduce the number of complaints to the ICO, so that it only deals with the more severe cases, and it will also give organisations the chance to handle complaints internally.

Business owners will need to establish processes to ensure they can respond to any complaint within 30 days. Formal records will need to be kept of the number of privacy-related complaints received in a given period. Failure to respond within this time frame may result in difficult questions from the regulator and an increase in enforcement activity from the ICO.

There are also plans for the ICO to be replaced by an Information Commission, which will be run in a similar fashion to other regulatory bodies such as the FCA and OFCOM.



Data subject access requests (DSARs)


Organisations (data controllers) will be able to “stop the clock” on Data Subject Access Requests if more information is required, or if the identity of the data subject needs verifying. Requests will need to be “reasonable and proportionate”, otherwise they can be declined; it is hoped this will avoid SARs being used against an organisation rather than as a genuine request for copies of data. The parameters for “reasonable and proportionate” will need to be set by the ICO.



Data Subject Rights


Right to Portability

  • The direct sharing of data between certain organisations or regulated third parties will be permitted, without you having to consider the risks. This will facilitate the sharing of data for investigations, where there is concern for an individual, or for a regulatory (but not legal) investigation.

The responsibility for any data being shared lies with the organisation making the request. It is hoped this will aid the sharing of data where there is an overall public interest.

Right to be Informed

  • Article 13 requires full details of the data controller to be provided to the data subject whenever personal data is being collected, most typically in the form of a privacy notice that is readily available and relevant. Many privacy notices contain general processing information, but not necessarily information relevant to the specific activity.
  • Article 14 requires details of the data controller to be provided to the data subject without undue delay in instances where data is collected from a third party. “Undue delay” is usually interpreted as “within 30 days”. This has always been challenging, especially where large volumes of data are collected for marketing purposes. If either of these involves “disproportionate effort”, the organisation will not be obliged to provide it.


Recognised legitimate interests


If you rely on legitimate interest for one of the “recognised, pre-approved” reasons, there is no need to complete a legitimate interest assessment (LIA) to demonstrate you have considered the rights of all parties, i.e. the data subject and the data controller. If your use is NOT on the pre-approved list, you will still need to complete an LIA.

The “recognised, pre-approved” legitimate interests are:

  • Disclosures to public bodies, where it is asserted that the personal data is necessary to fulfil a public function.
  • Disclosures for national or public security, defence purposes, or emergencies.
  • Disclosures for the prevention or detection of crime, and for safeguarding vulnerable individuals.


Soft opt-in for marketing to charities


One of the more significant changes: if you are a registered charity, you will be permitted to send electronic marketing messages (email, SMS, WhatsApp) to people who support, or have directly expressed an interest in, your work, unless they specifically object. If you obtained a contact from a third party, you will still need to rely on consent.



Legitimate interest as a lawful basis


Legitimate interest will be accepted as a lawful basis for direct marketing purposes. The direct marketing rules under PECR (Privacy and Electronic Communication Regulation 2003) will still apply, so this does not mean this lawful basis can be used by default. This will not be a free-for-all: fines under PECR are also increasing substantially, as covered below.



Privacy and Electronic Communication Regulation 2003 (PECR) Fines


The Information Commission’s fining powers under PECR have increased significantly, from a cap of £500,000 to a level in line with GDPR.

This means that any failures involving marketing (cookie use, email and SMS broadcasting, telemarketing, etc.) could lead to fines of up to £17.5m or 4% of global turnover.

The ICO is very active in issuing PECR fines, so any organisation undertaking mass direct marketing should carefully review its activities.

We have a whole page dedicated to Marketing Legislation (PECR) support on the Privacy Helper website.



Spam Emails and Text Messages


Historically, PECR investigations into spamming have been based on the number of DELIVERED messages. Investigations will now be based on the number of messages SENT, i.e. on the original intention of the organisation.



Special Category Data


New categories have been introduced, such as neurodata, which is information gathered from devices or technologies that interact with the human brain or nervous system, such as smartwatches.



Cookies


It will be permissible to drop cookies and similar technologies on websites for the purposes of analytics and optimising content, provided an opt-out is offered. This will allow website owners to track users and their activity to improve the experience and success of the site without the need for consent.



Data Protection Complaints Mechanism


Complaints must, in the first instance, be directed to the data controller, who must have a complaints procedure in place and keep a full record of complaints received. Controllers must acknowledge complaints within 30 days and respond without undue delay. If they fail to address the complaint, it can be escalated to the ICO, who may look at it far more seriously because the initial “triage” was unsuccessful.



Children and online services


If you provide an online service that is likely to be used by children, the DUA Act 2025 explicitly requires you to take their needs into account when you decide how to use their personal data. Much of this should already be addressed if you conform to the ICO’s Age Appropriate Design Code (AADC).



Research Provisions


The DUA Act 2025 makes it clearer when you can use personal information for the purposes of scientific research, including commercial scientific research. It clarifies that people can give “broad consent” to an area of scientific research.



Assumption of Compatibility


Similar to the changes to legitimate interest, in certain cases personal data can be re-used without the controller having to complete a compatibility assessment. This includes disclosing personal information for the purposes of archiving in the public interest, even if consent was only obtained for a different purpose.



Automated Decision Making


This is one of the more significant divergences from the EU rules: the restrictions on automated decision-making will only apply where the decision is based entirely or partly on special category data. The safeguards of human review and transparency will continue to be required for all solely automated decisions.



Privacy Notices


You can re-use people’s personal data for scientific research without giving them a privacy notice if doing so would involve disproportionate effort. As long as you protect their data throughout and publish a privacy notice on your main website, the privacy notice does not have to be served directly.




Privacy Helper can support your organisation in interpreting the Data (Use and Access) Act; we will explain what you can and cannot do.

Our pro-business, zero fuss approach will help you to do more with data… compliantly!


How can I ensure my business benefits from the Data (Use and Access) Act 2025?

We will need to discuss your current procedures and ask questions about how you handle data and why. We will need to speak to members of your organisation who are involved in data collection. We will be able to discuss costs, work schedules and length of time necessary to complete the audit.

What to do next:

  • Please contact us now and let us remove the stress of managing data compliance in your business.
  • We handle the complete scope of any data privacy requirement.


Why choose us?

Find out more about us, and why we are a leading UK privacy consultancy.


What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACY HELPER


GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.


GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines or not, even if your data privacy programme has only just started.


Marketing

Is your marketing activity legal? We can make sure it is.