UK GDPR Changes: What the New Rules Mean for Businesses in 2025/2026

The Data Use and Access Act (DUAA) has introduced targeted updates to UK GDPR and Privacy and Electronic Communications Regulations (PECR), modernising how UK organisations handle personal data. Although not a full overhaul, the changes are widely seen as the most significant for the UK since Brexit – introducing new permissions, responsibilities, and expectations around transparency, automation, and consent. 

The DUAA is being implemented in phases, with many provisions expected to come into force between late 2025 and mid-2026, depending on government commencement regulations. While there is still time to prepare, businesses that don’t adapt may face compliance challenges, increased scrutiny, and growing pressure to maintain trust with changing data regulations. 

As organisations adapt to these changes, structured governance and a clear understanding of data risk are becoming increasingly important. That’s where ISO/IEC 27001 – the international standard for information security management systems – plays a valuable role. 

Here’s what the new rules mean in practice, and how aligning with international standards like the ISO 27001 can help support readiness. 

One of the most visible changes is a relaxation of cookie consent requirements for specific low-risk purposes. 

Businesses may no longer need consent for: 

• Website analytics 
• Performance monitoring 
• Functional diagnostics 

Consent will still be required when cookies are used for: 

• Targeted advertising 
• Behavioural profiling 
• Cross-site tracking or third-party marketing 

The DUAA aims to streamline legitimate business use where risk is demonstrably low and transparency is maintained. Effective governance of cookies, including documentation of their use and assessment of privacy risks, plays a critical role in maintaining compliance as the rules evolve. 

Alongside cookies, changes to automation rules are reshaping digital operations. The DUAA updates UK GDPR provisions on solely automated decision-making that produces legal or similarly significant effects, i.e. computer software making important decisions. 

These decisions will be permitted under more lawful bases, allowing more situations where businesses can let software make decisions on its own, provided businesses meet clear safeguard requirements: 

• Individuals must be able to request human involvement 
• Decisions must be explainable 
• A challenge or appeals process must be in place 

For businesses using AI, these changes reinforce the need for transparency and responsible governance. Whether it’s an eligibility score, product recommendation or automated screening tool, the emphasis is on oversight and fairness. 

The DUAA will introduce clearer legal provisions for the use of personal data in scientific, statistical and commercial research – an area previously governed by less formal guidance under UK GDPR. 

A key change is the recognition of “broad consent”, which allows individuals to agree to general areas of research without needing to authorise each specific study in advance. This is particularly important for sectors where flexibility and long-term data use are often critical.  

Under the new rules, maintaining clear purpose documentation, role-based access to research data, and appropriate legal justifications remains essential. Businesses that already adopt a risk-based, documented approach will be better equipped to align with the DUAA’s updated expectations. 

The DUAA also introduces more structured expectations for Data Subject Access Request (DSAR) and complaints. 

Key updates include: 

• Complaints must be acknowledged within 30 days 
• SARs must follow a “reasonable and proportionate” search standard 
• A “stop-the-clock” option is allowed while waiting for requester clarification 
• Electronic submission methods should be available (e.g. online forms) 

These aim to balance individual rights with operational feasibility. Businesses with defined processes, timelines, and clear ownership of data requests will be better positioned to meet expectations. 

The regulator, expected to be renamed the Information Commission, will have expanded responsibilities under the DUAA. These will include promoting innovation and encouraging fair competition – alongside its existing enforcement role. 

Organisations are also expected to: 

• Keep privacy notices up to date and easily accessible 
• Maintain records of processing activities (as previously required under UK GDPR Article 30) 
• Cooperate with regulatory audits and compliance notices 

While some duties are new, many build on familiar GDPR-era obligations. Clear documentation, internal visibility, and governance structures will remain key to meeting compliance expectations. 

While the DUAA introduces new legal expectations for UK data protection, many of its core principles, including accountability, transparency, and risk-based decision-making, are already embedded in the structure of ISO/IEC 27001:2022, also referred to as the ISO 27001 standard. 

As the internationally recognised standard for Information Security Management Systems (ISMS), ISO 27001 provides requirements for businesses to support them in building and maintaining an ISMS that helps to identify and manage data risks.  

ISO 27001 Certification supports: 

• Clear assignment of roles and responsibilities 
• Ongoing internal audits and performance evaluation 
• Documented controls for data access, use, and retention 
• A commitment to continual improvement through regular review 

While ISO 27001 is not a privacy-specific standard, its emphasis on structured governance and continual oversight complements the requirements of UK GDPR and the DUAA, particularly in areas such as transparency, data minimisation, lawful processing, and the management of subject rights and automated decision-making. 

Contact our team today to learn how ISO 27001 can support responsible data governance and evolving legal expectations.