Hi
The UK’s new Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, promises to reduce paperwork while improving transparency and . Some changes took effect immediately, while others are being phased in over the next 12 months.
It’s the biggest shake-up of data rules since GDPR. But don’t panic—many of the changes are designed to be more practical, especially for smaller businesses.
Here’s what you need to know without wading through dozens of pages of legislation.
Quick Overview of What’s Changing
- Simpler, more proportionate responses to data access requests.
- Relaxed rules around low-risk cookies.
- More flexibility for using automation and AI.
- Broader circumstances when you can rely on “legitimate interests.”
- Clearer obligations to explain what you do with personal data.
- Enforcement and fines remain as high as before.
Phase-by-Phase Compliance Checklist
Here’s a timeline you can use to plan ahead:
| What’s changing | Action to take | When |
| --- | --- | --- |
| Data requests must be “reasonable and proportionate.” | Review your data request process. Train staff. | Now – in force since June 2025 |
| Cookie consent reforms: implied consent for low-risk cookies becomes enforceable. | Update your cookie banners and policies. | August 2025 |
| New rules for automated decision-making transparency. | Update privacy notices. Create opt-out process for automation. | December 2025 |
| Expanded “legitimate interest” recognition (fraud prevention, system security, safeguarding). | Document your rationale for relying on legitimate interests. | December 2025 |
| Final rules for international transfers and administrative data sharing across group companies. | Review contracts and any overseas processing arrangements. | June 2026 |
Key Areas You Need to Look At
Cookies: Implied Consent Gets the Green Light
Until now, every website needed clunky pop-ups to get explicit consent for most cookies.
Soon, you can rely on implied consent for low-risk cookies (like analytics), provided you:
- Clearly explain what you’re doing.
- Give people an easy way to say no.
✅ Action: Review your cookie banner before August 2025.
Automated Decisions: More Flexibility, Still Your Responsibility
Automation is increasingly common—think chatbots, verification checks, or marketing tools. Whether you use chatbots, recruitment software, or email marketing that adapts to user behaviour, automated decision-making is becoming standard.
The Act relaxes previous restrictions but doesn’t remove your obligations. If you make decisions that have a significant effect on someone (like rejecting a job application automatically), you must:
- Tell them clearly that automation is involved.
- Offer a way to request human review.
✅ Action: You’ll need to update your privacy policy notice by December 2025 to explain how you use automation.
Data Requests: Simpler, But Not Optional
Anyone can ask for a copy of the data you hold about them. This isn’t new. But the process is now easier:
- You still have one month to respond.
- You can now pause the clock if you need to clarify what the person wants.
- Searches must be reasonable, not exhaustive.
✅ Action: Review and simplify your process immediately.
Privacy Notices
The Act demands transparency in plain English. No legal waffle. Your privacy notice must cover:
- What you collect.
- Why you collect it.
- Who you share it with.
- How long you keep it.
- How people can exercise their rights.
✅ Action: Rewrite your privacy notice before December 2025 and make it the first thing users see when they sign up.
Legitimate Interests: Easier to Justify
You can now rely on legitimate interests more confidently, for things like:
- Fraud prevention
- Security testing
- Safeguarding vulnerable people
✅ Action: Keep a record of why each purpose is necessary and proportionate by December 2025.
Quick Reference Table
| Area | Change | Action needed |
| --- | --- | --- |
| Cookies | Implied consent allowed for low-risk cookies | Update banners by August 2025 |
| Automated Decisions | More flexibility, transparency required | Update privacy notices by December 2025 |
| Data Requests | Simpler, proportionate search rules | Review your process now |
| Privacy Notices | Must be clearer and detailed | Rewrite by December 2025 |
| Legitimate Interests | Broader recognition | Document rationale by December 2025 |
| Fines | Still at GDPR levels | Ensure compliance and training is up to date |
If you’ve been putting off reviewing your data policies, now is the time. The good news is the Act makes compliance more practical. Clearer policies and simpler processes will save you time - and build trust with your customers and clients.
And don’t forget to review your privacy notice and update your cookie banner to remain compliant.
Noel Guilford