
Data protection is a central and critical legal obligation for all UK organisations handling personal data. General Data Protection Regulation (GDPR) compliance is also not a one-off task. Following Brexit, the UK has operated under a revised version of the General Data Protection Regulation, known as UK GDPR. While most core principles have remained the same, the UK government continues to actively work on reforming GDPR compliance.
Regulations continue to evolve, which means that whether you are a small business, large corporation, or non-profit organisation, staying informed about the latest GDPR reforms is essential. Here’s what you need to know now.
1. Use and Access: Recognised Legitimate Interests
The Data (Use and Access) Act 2025 (the Data Act) was passed on 19 June 2025 with the aim of unlocking data sharing in the wider public interest and broadening third-party access to consumer data. Its key changes in relation to legitimate interests are:
- The introduction of a new ‘recognised legitimate interests’ lawful basis for data processing.
- It is not necessary to balance the rights and freedoms of individuals against the legitimate interests of the data controller when relying on a ‘recognised legitimate interest’.
- The Data Act provides a statutory list of what would qualify as a ‘recognised legitimate interest’ lawful basis for processing under the UK GDPR, including processing necessary for the purposes of direct marketing and intra-group transfers of personal data for internal administrative purposes.
What to do:
- Review existing privacy policies and procedures and consider whether the new ‘recognised legitimate interests’ lawful basis applies to any processing activities.
- Ensure that documentation such as privacy notices and Records of Processing (ROPAs) reflect the relevant lawful bases relied upon.
- Keep an eye out for updated ICO guidance on ‘recognised legitimate interests’ lawful basis, which is due for publication in Winter 2025/26.
2. Automated Decision Making: Reduced Restriction
The Data Act qualifies certain restrictions on automated decision-making (ADM). Previously, individuals had a general right not to be subject to decisions based solely on automated processing (including profiling) where such decisions produced legal or similarly significant effects. The Data Act now permits solely automated decision-making provided that appropriate safeguards are in place. These safeguards include the right for individuals to:
- Make representations regarding the decision,
- Obtain meaningful human intervention, and
- Challenge the decision.
The previous restriction and associated exemptions will apply only to ADM involving ‘significant’ decisions based on special category data.
What to do:
Review existing privacy policies and procedures and update them to reflect changes to automated processing.
2. Children: Stricter Controls
The Data Act seeks to provide further safeguards for children in relation to digital marketing and online services with a new requirement to consider children’s ‘higher protection matters’, which include:
- How children can best be protected and supported when using the services;
- The fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with the processing of personal data and of their rights in relation to such processing; and
- The fact that children have different needs at different ages and at different stages of development.
What to do:
- Review and develop a robust policy which considers children’s higher protection matters when interacting with digital marketing and online services.
- Look out for further guidance on safeguarding children and young people due for publication by the ICO in Winter 2025/26.
3. Cookies and Consent: Stricter Enforcement
The Data Act aligns the enforcement regime under the Privacy and Electronic Communications Regulations 2003 (PECR) with those under the UK GDPR and the Data Protection Act 2018, meaning there will be a dramatic increase in the fines that may be imposed for breaches of PECR.
The Data Act has, however, removed the consent requirement under PECR in respect of cookies placed for specified purposes, for example, to collect information for statistical purposes in order to improve the service, provided that the user is given information about the purpose for placing these cookies.
What to do:
- Conduct a review of your organisation’s use of cookies.
- Ensure your cookie banner provides explicit information about the purpose of the cookies.
- Update the cookie policy with plain language and full transparency.
- Keep an eye out for the updated guidance on PECR due for publication by the ICO in Winter 2025/26.
4. Subject Access Requests (SARs): Know your deadlines
The volume of Subject Access Requests has increased and many businesses are struggling to meet the one-month deadline. The Data Act introduces several important updates to the handling of Data Subject Access Requests (DSARs), aimed at providing greater clarity and statutory support for organisations while maintaining individuals’ rights to access their personal data. The ICO has reminded organisations that delays, vague responses or failure to act can result in enforcement action.
What to do:
- Train staff on how to identify and respond to SARs.
- Create a documented SAR process.
- Avoid delaying responses unless an extension is justified and communicated in time.
- Look out for updated guidance on the right of access due for publication by the ICO in Summer 2025.
5. Third-party Processors: Shared risk, shared responsibility
If you share data with suppliers, cloud providers, or marketing agencies, you must have clear data processing agreements in place. The ICO has increased its focus on the use of processors who may operate outside the UK or EU.
What to do:
- Review all third-party contracts.
- In the case of international transfers of data, ensure data protection standards in the recipient country meet UK GDPR standards or are not materially lower than in the UK.
- Conduct due diligence before onboarding any new service provider.
- Look out for updated guidance on international transfers due for publication by the ICO in Spring 2026.
6. Charities: Soft Opt-ins
Charities can rely on a soft opt-in for direct marketing via email where individuals have previously donated or expressed an interest in the charity’s work and are given a clear and easy way to opt out at any time. The communication must be for the sole purpose of furthering the charity’s purpose.
What to do:
- Audit the website’s use of cookies.
- Update the cookie policy with plain language and full transparency.
- Ensure the cookie banner provides a clear and easy way to opt out at any time.
- Look out for updated direct marketing guidance due for publication by the ICO in Winter 2025/26.
7. Scientific Research: Broader Consent
The Data Act introduces a statutory definition of ‘scientific research’ into the UK GDPR. Scientific research is now defined as any research that can reasonably be described as scientific, which identifies the scope of lawful processing for research purposes. It also removes the requirement to conduct a public interest assessment when processing personal data for scientific research.
What to do:
- Ensure that the personal data is processed solely for scientific research and that it is genuinely not possible to fully define all purposes at the outset.
- Ensure the required consent still adheres to widely accepted ethical standards in the relevant research field.
- Provide individuals with the option to consent to specific parts of the research so far as reasonably practicable rather than requiring an individual to accept or decline the entire scope.
- Look out for updated guidance on Research, Archiving and Statistics Provisions due for publication by the ICO in Spring 2026.
8. Cybersecurity: Continued Focus
Data breaches, whether from phishing attacks or human error, remain one of the biggest threats to compliance. The ICO continues to fine organisations that fail to put adequate technical and organisational measures in place.
What to do:
- Review your security protocols regularly.
- Encrypt personal data where appropriate.
- Maintain an incident response plan.
- Train employees on cyber hygiene and data handling.
Contact Us
Staying compliant with GDPR means being proactive, not reactive. Organisations should act now to review how the new measures apply to their data control procedures and update their compliance processes accordingly. This is likely to include making any required changes to documents such as their DSAR response protocols, ROPAs and cookie policies.
At Harold and McCormack Law, our data protection specialists can support your business to stay compliant. Contact our team today for expert advice tailored to your business.
For more information on practical steps to take, please see the ICO’s published guidance.
Disclaimer: This blog is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances.