Katten Associate Anita Hodea recently authored an article about the UK Data (Use and Access) Act 2025 (the Act) in Business Reporter. She explains that the Act introduces modest reforms to UK data protection law by amending the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).
Anita then lays out the reforms that will span several key areas, including the addition of recognised legitimate interests, which permits processing for specific, high-priority purposes, such as national security; relaxed restrictions on certain forms of automated decision-making (ADM); the codifying of existing case law and regulator guidance on handling subject access requests; aligning PECR penalties with the UK GDPR; shifting away from the previous "essentially equivalent" standard for international data transfers; replacing the corporation sole model of the Information Commissioner's Office (ICO) with a new body corporate, the Information Commission; and the introduction of specific requirements for information society services likely to be accessed by children.
Anita also describes the current stage of the Act, which received Royal Assent on 19 June 2025, with implementation following a four-staged commencement plan through to Summer 2026. She also provides key action items for UK businesses to ensure their policies and practices reflect the new framework.
"The UK Data Use and Access Act," Business Reporter, February 2026
London
