ARTICLE
14 July 2025

Data Protection Updates And Key Considerations For Businesses

Ronald Fletcher Baker

Contributor

For over 75 years, Ronald Fletcher Baker LLP has been providing expert legal advice from its offices in London, Manchester, and Exeter. The firm has considerable experience in acting for medium to large national and international companies, governments, financial institutions, high net worth individuals, families, and corporate investors, many of whom are based overseas.


The UK is committed to maintaining high standards of data protection for individuals, and businesses can suffer severe repercussions for failing to adhere to the relevant laws. That commitment is balanced against the aim of encouraging innovation, which is particularly evident in the new Data (Use and Access) Act 2025. In this update we cover the significant changes made by that legislation, together with other data protection developments your business should be aware of in order to remain compliant.

The UK GDPR and the Data Protection Act 2018

When considering UK data protection, it is essential to look at both the UK GDPR and the Data Protection Act 2018, which together form the cornerstone of the UK's data protection regime. These laws dictate how personal data may be collected, processed, and stored.

The UK GDPR is the retained, UK-specific version of the EU GDPR adopted following Brexit. It sets out the principles of data processing (including lawfulness, fairness, and transparency), individuals' rights (including the rights of access and erasure), and the rules for international data transfers. It applies to organisations established in the UK and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK.

The Data Protection Act 2018 complements the UK GDPR: it fills in the areas the UK GDPR leaves to domestic law and sets out exemptions from UK GDPR obligations in certain cases.

Data (Use and Access) Act 2025 (DUAA)

The DUAA received Royal Assent on 19 June 2025 and is being brought into force in stages: some provisions are already in effect and others are expected to commence over the next year. The DUAA makes significant changes to the current regime.

The aims of the DUAA are to encourage innovation, to enhance the existing data protection framework in the UK and to allow businesses to improve their services while maintaining the protection of individual rights.

As well as ensuring compliance, touched on below, organisations should consider how they can make use of the changes that support innovation.

Innovation

The ICO welcomes the changes the DUAA makes and notes that the DUAA may assist businesses to innovate in the following ways:

1. Research: clarification that 'broad consent' can be given to an area of scientific research where organisations use personal information for research purposes, rather than consent having to be tied to a fully specified purpose at the outset.

2. Privacy notices: where providing a fresh privacy notice for the re-use of personal information for scientific research would involve disproportionate effort, organisations will not need to issue the notice again. The notice must still be available on the organisation's website, and individuals' rights remain protected as usual.

3. Automated decision-making (ADM): businesses will be able to rely on the full range of lawful bases when using people's personal information to make automated decisions about them, provided the relevant safeguards are in place.

4. Cookies: some types of cookies can be set without consent, for example those used to collect statistical information for the improvement of a website's functionality or service.

Key changes

Key changes made by the DUAA include:

  • Automated decision-making (ADM): organisations may make decisions based solely on automated processing in wider circumstances, provided certain safeguards are in place. These safeguards include informing the individual of the decision and giving them the right to make representations, obtain human intervention and contest the decision. Tighter restrictions continue to apply to ADM based on special category data.
  • Subject access: a 'stop the clock' rule allows the response deadline to pause while the organisation waits for further information it reasonably needs from the requester (for example, to confirm identity or to clarify the request). In addition, when responding to a subject access request, organisations need only carry out reasonable and proportionate searches for the requester's data.
  • Recognised legitimate interests: a new lawful basis for the processing of personal data. Where it applies, there is no need to balance the benefits of the processing against its impact on the individuals concerned, the exercise that would usually be carried out in a Legitimate Interests Assessment (LIA). The DUAA sets out a list of pre-approved interests, which includes national security, responding to emergencies, and safeguarding children or individuals at risk.
  • Children's data protection: when providing an online service that is likely to be accessed by children, organisations must take account of how children can best be supported and protected when deciding how to use their personal information.
  • Complaints: a new requirement to facilitate complaints from individuals about the handling of their personal data, with a timeframe for acknowledging a complaint (within 30 days) and a duty to respond to it 'without undue delay'.

New ICO powers

Businesses should be aware that under the DUAA the ICO will be restructured along the lines of other UK regulators, becoming the Information Commission with a chief executive and a board. Paul Arnold has been announced as its first CEO. The regulator's investigative and enforcement powers are also extended: the existing UK GDPR maximum penalty of £17.5 million or 4% of global annual turnover (whichever is higher) will also apply to breaches of the Privacy and Electronic Communications Regulations, and the regulator gains the power to issue 'interview notices', requiring an individual to attend an interview and answer questions, alongside its existing 'information notices', when assessing whether data protection law has been breached. The regulator will need to balance these wider powers against its new statutory duties and reporting requirements.

It is therefore more important than ever for organisations to be compliant and to be able to produce appropriate records and justify their processing. Where AI systems are used, businesses should understand the associated risks, how to mitigate them, and the privacy issues that could arise.

The ICO confirms in its guidance that it will continue to operate as a 'trusted, fair and independent regulator' and will focus on continuing to offer advice and services while 'reducing regulatory burdens' and encouraging 'innovation and growth'.

Ensuring compliance

Understanding the requirements

Businesses should review all key provisions and keep track of both the changes already in force and those still to come, updating relevant policies and practices where necessary. We would also suggest that businesses read the guidance referenced below and continue to look out for further commentary and guidance (note that the ICO has said further guidance will be published in due course).

Understanding which of the changes apply to your specific business model, and which parts of your business will be affected, is crucial to meeting the requirements.

The DUAA is extensive, and it may be worth seeking legal advice to ensure that your business is compliant with current data protection law and is prepared for the changes still to come into force.

Updating policies, contracts, training materials and systems

It is also important to consider whether employee training materials and customer contracts need to be updated. Updating policies and contracts not only helps to ensure compliance, but can also foster trust with customers and minimise risk.

Business-specific examples of how to update systems and policies:

  • Set up an adequate system for handling complaints about data use, if one is not already in place.
  • Set up an adequate system for safeguarding children who use your online services.
  • Record and map all processing that relies on recognised legitimate interests, and update privacy policies to reflect this.
  • Scrutinise and record your organisation's use of AI in automated decision-making: how the systems work, the kinds of data fed into them, and the reasoning for using automated decision-making at all.
  • If you change your processes to take advantage of the new flexibility, update privacy policies and relevant contracts accordingly.
  • Ensure that policies make clear which safeguards are in place for automated decision-making.
  • Consider appointing a Data Protection Officer (DPO) to oversee compliance efforts and act as a point of contact for data-related queries.

ICO guidance: UK organisations stand to benefit from new data protection laws | ICO

Government guidance: Data (Use and Access) Act 2025: data protection and privacy changes – GOV.UK

Other news

23andMe

23andMe, a genetic testing company, has been fined £2.31 million by the ICO for having inadequate security measures in place to protect personal information. The fine follows a cyberattack in 2023 that exposed the personal data (including genetic data) of over 150,000 users in the UK and millions worldwide. It was reported that, although claims of data theft had been made earlier in 2023 and dismissed as not legitimate, no full investigation took place until the stolen data was offered for sale on Reddit in October 2023. The attack was a credential-stuffing campaign, in which passwords leaked from other services were replayed against 23andMe accounts; mandatory multi-factor authentication and monitoring for anomalous login patterns are the standard controls against it. The case highlights the importance of having adequate security measures in place, of investigating reports of a breach promptly, and of taking extra precautions when holding special category data.

EU extends adequacy decisions for the UK for 6 months

The European Commission has extended its adequacy decisions for data transfers to the UK by six months, so that they now expire on 27 December 2025. This allows time for the Commission to assess the DUAA. 'Adequacy' is the EU's term for a finding that a third country provides a level of data protection 'essentially equivalent' to that of the EU, which allows personal data to flow to that country without additional safeguards.

Internet of Things – updated ICO guidance

The ICO has issued updated guidance on the processing of personal data in consumer Internet of Things (IoT) products and on how UK data protection law and the Privacy and Electronic Communications Regulations 2003 (PECR) apply to them. Consumer IoT products include devices such as smart lightbulbs and smart watches. See the full guidance here: About this guidance | ICO.

Brazil's new AI laws

Brazil has proposed a Bill for AI regulation that is focused on risk and on establishing individual rights. It classifies certain AI systems as posing excessive risk and prohibits them, for example systems used for 'social scoring' (using AI to assign individuals a score based on monitoring of their behaviour, and then using that score to determine their rights or access to services).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
