You are on our United Kingdom site

ASAP

Key Provisions of the Data (Use and Access) Act 2025 Are Now in Force – What’s Coming Next?

Significant provisions of the Data (Use and Access) Act 2025 came into force on 5 February 2026.

By Deborah Margolis and Hannah Drury

Further to our update here, several significant provisions of the Data (Use and Access) Act 2025 (the ‘Act’) which are relevant for employers came into force on 5 February 2026, with further measures scheduled for 19 June 2026. We summarise these below.

What Changes are Now in Force?

The following changes came into force on 5 February 2026:

  • Changes to the existing lawful basis of ‘legitimate interests’ for processing personal data, specifically the introduction of a new lawful basis of ‘recognised legitimate interest’ and the provision of a non-exhaustive list of types of processing that may be considered ‘legitimate interests’. However, as discussed in our previous article, these changes have a limited practical impact on the current ‘legitimate interest’ test for employers, so we do not expect any changes to existing practice in light of this change coming into force.
  • Codification in statute of the existing ability to ‘stop the clock’ when responding to data subject access requests, although we expect this change will have limited practical impact given this corresponds to the existing ICO guidance.
  • Narrowing of the restriction on using automated decision-making to restrict its use “only where significant decisions are based entirely or partly on the processing of special category data” unless certain conditions are met (although certain safeguards continue to apply). This is a significant shift in approach from the EU approach under GDPR and makes it significantly easier for employers to use automated decision-making in their internal processes in the UK than in the EU. The difference in approach to AI between the EU and UK is further highlighted by the significant regulatory obligations with which employers using AI in the EU will soon be required to grapple by virtue of the EU AI Act (with obligations for ‘high-risk’ AI systems coming into force on 2 August 2026). For further commentary on the changes coming into force under the EU AI Act, see our article here.
  • Lowering the test for data transfers from the UK to third countries to permit data transfers to countries where the protection is ‘not materially lower’ than that provided by UK data privacy laws. In practice, we do not expect this to have a significant impact on the ability to transfer personal data out of the UK, but this slightly adjusts the process that needs to be followed. The ICO has recently published updated guidance on international data transfers to seek to make this process simpler for employers. 

In addition, the new Information Commission has been established and the process of transferring regulatory responsibility from the Information Commissioner’s Office (‘ICO’) to the Information Commission has started but is not yet complete. As part of this process, the Information Commission has been granted new powers (for example, to prepare reports and issue interview and penalty notices) from 5 February 2026.

Finally, employers should keep in mind that the new ‘right to complain’ (i.e. individuals will be able to make a complaint directly to their employer if they consider there has been a breach of UK data privacy laws in respect of their personal data) comes into force on 19 June 2026.

Practical Next Steps

Although we do not expect that all these changes will require employers to update their data privacy processes, employers may wish to:

  • Consider whether they wish to expand the use of AI and automated decision-making in HR processes in the UK given the relaxation of the rules as set out above. However, employers should still be mindful of the other employment and data protection considerations in relation to the use of automated decision making, including discrimination issues (see our article for further information);
  • Review their international data transfer processes to ensure they comply with the current frameworks; and
  • Prepare for the new ‘right to complain’ coming into force on 19 June 2026, including developing a complaints form and procedure and updating their privacy notice to ensure compliance with the requirements under the Act. We highlighted the specific steps employers need to take to comply with this new right in our previous article.

If you have any questions on the new requirements under the Act or what you should be doing to prepare, please contact Deborah Margolis, Hannah Drury or your usual Littler contact.

Authors:

Deborah Margolis
Deborah Margolis

Senior Counsel

London

Hannah Drury
Hannah Drury

Associate

London

Related Topics:

Data Protection AI

Related Practice Areas:

Related Products & Services:

Recent Insights

If you found this interesting, please take a look at some other recent insights from our team.

Subscribe to our Newsletter

We publish a monthly newsletter and share details of our events. If you'd like to receive these sign up here.

For information about how we process your data, please see our privacy policy.

Want to know more about our Training services?

If you would like to know more about our Training service, please contact us today and a member of our team will be in touch directly.

For information about how we process your data, please see our privacy policy.

Want to know more about the Redundancy Toolkit?

If you would like to know more about our Redundancy Toolkit service, please contact us today for a no-obligation quote provided to you within 24 hours.

For information about how we process your data, please see our privacy policy.