As part of the government’s proposals to reform the data protection regime in the UK, the Data (Use and Access) Act 2025 (the Act) received Royal Assent on 19 June 2025. In February 2026, a key phase of this reform was implemented as the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82) came into force.

We set out below some of the key changes which might impact your business.

Data Subject Access Requests (“DSARs”)

Data controllers often devote considerable resources to ensuring that they deal with DSARs in a compliant manner. However, over time it has become more common for DSARs to be used in employment disputes as a way for employees to gather evidence to support their case and/or to cause nuisance to their employer. Some elements of DSARs have been changed so that they are less onerous in practice for data controllers.

  • Organisations are only required to conduct reasonable and proportionate searches when responding to DSARs; there is no requirement for a more exhaustive search.
  • The one-month deadline to respond to a DSAR starts when an organisation receives the DSAR, but if the organisation requests further information to verify the identity of the data subject, the clock stops until that information is received.
  • If the DSAR is excessive or manifestly unfounded, the controller may request a fee in relation to the DSAR. The one-month deadline will not start until any such fee has been paid.

International transfers

The threshold when assessing the risk of transferring personal data outside of the UK is now whether the country to which the data is being sent has a protection standard ‘not materially lower’ than the standard of protection provided for data subjects under UK GDPR. Formerly, an exactly equivalent standard was required.

This change might make it easier for third countries to be deemed adequate for the purposes of data transfer and could enable your business to transfer personal data to more places globally.

Automated Decision-Making (“ADM”)

The use of ADM is tightly controlled under the UK GDPR because of the potentially serious harms its misuse could cause to data subjects. The Act makes changes which may permit wider use of ADM techniques.

  • Organisations may now rely on any lawful basis when deploying ADM, provided that mandatory safeguards are in place.
  • ADM is now only prohibited where the personal data being processed is wholly or partly based on special category data, meaning sensitive personal information such as ethnic origin, sexual orientation, religious beliefs, biometrics, health data, political opinions and trade union membership.
  • Special category data may only be processed with explicit consent or in cases where the processing is contractually or legally necessary and there is a substantial public interest.

These changes might make it easier for you to deploy ADM for processing of non-special category data.

ICO enforcement powers

The Information Commissioner’s Office (ICO) has been granted enhanced powers under the Act, including:

  • the ability to compel witness interviews from staff of controllers and processors to support ICO investigations; and
  • increased fines under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) (which deals with electronic marketing communications), authorising the ICO to impose fines of up to £17.5 million, or 4% of an organisation’s global turnover (whichever is higher) for breaches of PECR.

How 3CS can help

We recommend reviewing your data processing documents, governance and practices to determine whether anything needs to be amended or updated as a result of these changes. We have experience in helping clients to understand their data privacy obligations and to take steps to ensure compliance under regulations including GDPR and UK GDPR, so we can help you with this assessment.

We regularly provide training and workshops for staff as well as conducting privacy compliance audits and drafting documents including privacy policies and notices, records of processing activity, contracts for transfer of personal data overseas and cookies policies. We also advise on data breach management and responses to data subject access requests.

For advice or guidance on data privacy and how these changes might impact your business, please get in touch.

Atiq Bhagwan


3CS Corporate Solicitors Ltd


London Office
60 Moorgate, London EC2R 6EJ
+44 (0)20 4516 1260
info@3cslondon.com


Japan Representative Office
The Japan Representative Office does not provide legal services, whether under the laws of England and Wales, Japan, or any other jurisdiction.
Level 20, Marunouchi Trust Tower – Main
1-8-3 Marunouchi Chiyoda-ku, Tokyo, 100-0005
+81 (0) 3 5288 5239
info@3cstokyo.com

 

 


Registered in England & Wales | Registered office is 60 Moorgate, London, EC2R 6EJ
3CS Corporate Solicitors Ltd is registered under the number 08198795
3CS Corporate Solicitors Ltd is a Solicitors Practice, authorised and regulated by the Solicitors Regulation Authority with number 597935

