Further to our update here, several significant provisions of the Data (Use and Access) Act 2025 (the ‘Act’) which are relevant for employers came into force on 5 February 2026, with further measures scheduled for 19 June 2026. We summarise these below.
What Changes are Now in Force?
The following changes came into force on 5 February 2026:
- Changes to the existing lawful basis of ‘legitimate interests’ for processing personal data, specifically the introduction of a new lawful basis of ‘recognised legitimate interest’ and the provision of a non-exhaustive list of types of processing that may be considered ‘legitimate interests’. However, as discussed in our previous article, these changes have a limited practical impact on the current ‘legitimate interest’ test for employers, so we do not expect any changes to existing practice in light of this change coming into force.
- Codification in statute of the existing ability to ‘stop the clock’ when responding to data subject access requests, although we expect this change will have limited practical impact given this corresponds to the existing ICO guidance.
- Narrowing of the restriction on using automated decision-making to restrict its use “only where significant decisions are based entirely or partly on the processing of special category data” unless certain conditions are met (although certain safeguards continue to apply). This is a significant shift in approach from the EU approach under GDPR and makes it significantly easier for employers to use automated decision-making in their internal processes in the UK than in the EU. The difference in approach to AI between the EU and UK is further highlighted by the significant regulatory obligations with which employers using AI in the EU will soon be required to grapple by virtue of the EU AI Act (with obligations for ‘high-risk’ AI systems coming into force on 2 August 2026). For further commentary on the changes coming into force under the EU AI Act, see our article here.
- Lowering the test for data transfers from the UK to third countries to permit data transfers to countries where the protection is ‘not materially lower’ than that provided by UK data privacy laws. In practice, we do not expect this to have a significant impact on the ability to transfer personal data out of the UK, but this slightly adjusts the process that needs to be followed. The ICO has recently published updated guidance on international data transfers to seek to make this process simpler for employers.
In addition, the new Information Commission has been established and the process of transferring regulatory responsibility from the Information Commissioner’s Office (‘ICO’) to the Information Commission has started but is not yet complete. As part of this process, the Information Commission has been granted new powers (for example, to prepare reports and issue interview and penalty notices) from 5 February 2026.
Finally, employers should keep in mind that the new ‘right to complain’ (i.e. individuals will be able to make a complaint directly to their employer if they consider there has been a breach of UK data privacy laws in respect of their personal data) comes into force on 19 June 2026.
Practical Next Steps
Although we do not expect that all these changes will require employers to update their data privacy processes, employers may wish to:
- Consider whether they wish to expand the use of AI and automated decision-making in HR processes in the UK given the relaxation of the rules as set out above. However, employers should still be mindful of the other employment and data protection considerations in relation to the use of automated decision making, including discrimination issues (see our article for further information);
- Review their international data transfer processes to ensure they comply with the current frameworks; and
- Prepare for the new ‘right to complain’ coming into force on 19 June 2026, including developing a complaints form and procedure and updating their privacy notice to ensure compliance with the requirements under the Act. We highlighted the specific steps employers need to take to comply with this new right in our previous article.
If you have any questions on the new requirements under the Act or what you should be doing to prepare, please contact Deborah Margolis, Hannah Drury or your usual Littler contact.
