Data protection reforms to go live at short notice
It was announced on Tuesday that the main data protection reforms contained in the Data (Use and Access) Act 2025 (DUAA) are coming into force on Thursday 5 February 2026.
Key changes coming into effect
1. New ‘recognised’ legitimate interests lawful basis with no balancing test needed.
2. Narrow new exemptions to the cookie consent requirements in PECR.
3. Charities can now rely on a new soft-opt-in for marketing.
4. Increase in fines for PECR breaches to align with UK GDPR fine amounts.
5. Clarification of the right for controllers who ‘reasonably require’ further information to identify the relevant personal data required by a subject access request which pauses the clock.
6. Relaxation of the prohibition on solely automated decisions so the prohibition only applies to significant solely automated decisions that result from the processing of special category personal data (provided that safeguards are put in place).
7. For international transfers of personal data transfers there is a new test which considers whether the standard of data protection in the destination country / organisation is ‘not materially lower’ than in the UK.
8. The ICO has new investigative and enforcement powers.
Still not in effect – the right for data subjects to complain to controllers (and obligations on controllers to respond to these) and changes at the ICO which will become the Information Commission.
Read more here.
