Updates to UK GDPR: What Solicitors Should Know

Overview

The Data (Use and Access) Act 2025 (DUAA) makes several amendments to key UK data protection laws, including:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications Regulations 2003 (PECR)

These updates aim to:

  • Strengthen the UK economy
  • Enhance the efficiency of public services
  • Simplify data use to make life easier for businesses and individuals

Key Changes in the DUAA

While the DUAA does not replace the UK GDPR entirely, it introduces several notable updates that solicitors should understand.

1. Data Processing Rules

The DUAA clarifies when personal data can be reused for a different purpose. A new processing activity is now considered compatible with the original purpose if:

  • You have obtained the individual’s consent, or
  • The data is used for research or archiving purposes.

Example:
If a client allows you to use their personal information in a legal case and later agrees for that same data to be used in a training session for junior solicitors, this reuse is now clearly permitted under the DUAA.

Additionally, the Act introduces a new list of “recognised legitimate interests” — meaning certain activities no longer require a formal Legitimate Interests Assessment (LIA), provided the data use is necessary. These include:

  • Sharing data with public authorities – e.g., providing transaction data to the National Crime Agency during a fraud investigation.
  • Matters of national or public security – e.g., cooperating with authorities on a security breach case.
  • Emergency situations – e.g., sharing building occupancy data with emergency services during a fire.
  • Crime prevention – e.g., responding to police requests for information in a money laundering investigation.
  • Protecting vulnerable individuals – e.g., sharing a child’s school attendance data with social services during a custody case.

2. Data Subject Rights

When responding to subject access requests (SARs), organisations now only need to conduct “reasonable and proportionate” searches.

Example:
If a former client requests their data, it’s sufficient to check their case files, invoices, and correspondence — rather than every company record.

Data subjects now also have a new right to lodge a complaint directly with the data controller, so every firm must have an effective complaints-handling process in place.

(See the Law Society’s “Handling Complaints” practice note for guidance.)


3. Automated Decision-Making (ADM)

The DUAA relaxes the rules around automated decision-making, where a system makes decisions without major human input.

Previously, consent was required for most ADM activities. Now, organisations can rely on legitimate interests as the lawful basis, as long as suitable safeguards exist.

However, ADM cannot be used for major decisions that involve special category data (such as health or biometric data).


4. Information Commission

The Information Commissioner’s Office (ICO) will now operate under a new name — the Information Commission.
Its overall powers remain largely the same, though the DUAA strengthens its ability to issue fines under PECR.

This means that breaches of marketing or cookie regulations could result in penalties of up to £17.5 million or 4% of global turnover, aligning PECR penalties with those under the UK GDPR.


5. International Data Transfers

A new legal test now determines whether personal data can be sent to another country.

Instead of requiring identical data protection laws, the destination country must simply offer protection not significantly lower than UK standards.

This change is designed to simplify and accelerate international data transfer approvals.


6. Scientific Research

The definition of “scientific research” has been broadened to cover a wider range of legitimate activities, providing more flexibility and legal certainty.

This update is particularly relevant to solicitors working with universities, research institutions, or clients involved in R&D projects.


What Solicitors Should Do Next

Firms that are already compliant with the UK GDPR have until June 2026 to meet the new DUAA requirements.

Here’s what you should do:

  1. Review your lawful bases – Check how you collect and use data, as the DUAA may provide new lawful grounds for processing.
  2. Update your complaints process – You must now allow individuals to submit complaints directly to you and respond within 30 days.
  3. Train your team – Ensure staff understand how these new rules affect everyday operations.

Key Dates and Implementation Timeline

Date            Milestone
--------------  ------------------------------------------------------------------------------------
June 2026       DUAA comes into full effect. All firms must be compliant.
December 2025   EU–UK data adequacy agreement expires.
June 2025       DUAA receives Royal Assent. Up to one year allowed for full implementation.
October 2024    Data (Use and Access) Bill introduced to Parliament; Law Society provides input.
June 2023       EU Law (Revocation and Reform) Act retains data laws post-Brexit.
June 2021       EU grants the UK data adequacy status.

In Summary

The Data (Use and Access) Act 2025 builds on the UK GDPR framework, modernising it to encourage innovation, streamline compliance, and support national growth — without compromising personal data protection.

Solicitors should start reviewing internal data handling processes now to ensure a smooth transition before the June 2026 deadline.
