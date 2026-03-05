Further to our update here, several significant provisions of the UK's Data (Use and Access) Act 2025 (the "Act") that are relevant for employers came into force on February 5, 2026, with further measures scheduled for June 19, 2026. We summarize these below.

What Changes are Now in Force?

The following changes came into force on February 5, 2026:

Changes to the existing lawful basis of "legitimate interests" for processing personal data, specifically the introduction of a new lawful basis of "recognised legitimate interest" and the provision of a non-exhaustive list of types of processing that may be considered "legitimate interests." However, as discussed in our previous article, these changes have a limited practical impact on the current "legitimate interest" test for employers, so we do not expect any changes to existing practice in light of this change coming into force.

Codification in statute of the existing ability to "stop the clock" when responding to data subject access requests, although we expect this change will have limited practical impact given this corresponds to the existing ICO guidance.

Narrowing of the restriction on using automated decision-making to restrict its use "only where significant decisions are based entirely or partly on the processing of special category data" unless certain conditions are met (although certain safeguards continue to apply). This is a significant shift in approach from the EU approach under GDPR and makes it significantly easier for employers to use automated decision-making in their internal processes in the UK than in the EU. The difference in approach to AI between the EU and UK is further highlighted by the significant regulatory obligations with which employers using AI in the EU will soon be required to grapple by virtue of the EU AI Act (with obligations for "high-risk" AI systems coming into force on August 2, 2026). For further commentary on the changes coming into force under the EU AI Act, see our article here.

Lowering the test for data transfers from the UK to third countries to permit data transfers to countries where the protection is "not materially lower" than that provided by UK data privacy laws. In practice, we do not expect this to have a significant impact on the ability to transfer personal data out of the UK, but this slightly adjusts the process that needs to be followed. The ICO has recently published updated guidance on international data transfers to seek to make this process simpler for employers.

In addition, the new Information Commission has been established and the process of transferring regulatory responsibility from the Information Commissioner's Office (ICO) to the Information Commission has started but is not yet complete. As part of this process, the Information Commission has been granted new powers (for example, to prepare reports and issue interview and penalty notices) from February 5, 2026.

Finally, employers should keep in mind that the new "right to complain" (i.e., individuals will be able to make a complaint directly to their employer if they consider there has been a breach of UK data privacy laws in respect of their personal data) comes into force on June 19, 2026.

Practical Next Steps

Although we do not expect that all these changes will require employers to update their data privacy processes, employers may wish to:

Consider whether they wish to expand the use of AI and automated decision-making in HR processes in the UK given the relaxation of the rules as set out above. However, employers should still be mindful of the other employment and data protection considerations in relation to the use of automated decision making, including discrimination issues (see our article for further information);

Review their international data transfer processes to ensure they comply with the current frameworks; and

Prepare for the new "right to complain" coming into force on June 19, 2026, including developing a complaints form and procedure and updating their privacy notice to ensure compliance with the requirements under the Act. We highlighted the specific steps employers need to take to comply with this new right in our previous article.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.