1. Introduction
The Data Use and Access Act 2025 (DUAA) represents the most significant reform of the UK’s data protection legislation since the implementation of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Introduced with the aim of modernising data governance, enabling greater innovation, and reinforcing public trust in digital infrastructure, the Act introduces a series of substantive changes to the UK’s legal landscape surrounding personal data processing, access, and digital services. The aim of these reforms is to strike a balance between enabling innovation on the one hand and protecting individual privacy on the other. It is likely to affect the work of all UK solicitors, but will be particularly relevant to those advising organisations on compliance, litigation, and risk management.
The reforms do not amount to a wholesale rewrite of data protection law. The fundamental principles and obligations remain unchanged; it is the detail that has been amended.
This article provides an overview of the legislative changes and sets out what solicitors will need to do in order to adapt.
2. Overview of Key Legal Changes
The DUAA was introduced in response to growing calls from industry, regulators, and privacy groups for a legislative regime that balances economic growth with personal data rights. It builds on the post-Brexit regulatory framework by introducing UK-specific approaches to data governance, whilst at the same time maintaining adequacy with EU standards wherever possible.
The aims of the legislation include encouraging responsible data innovation; reducing burdens on data controllers without compromising individuals' rights; clarifying ambiguous areas of existing law; and strengthening enforcement mechanisms and digital transparency.
It should be stressed at the outset that the DUAA does not replace the existing UK GDPR, Data Protection Act 2018, or Privacy and Electronic Communications Regulations, but amends key aspects to simplify procedures and promote economic growth. The Act spans areas including data protection, smart data frameworks, digital verification services, and statutory registers, providing a more permissive, business-friendly regulatory backdrop.
3. Changes to the UK GDPR
The DUAA makes a number of changes to the provisions set out in the UK GDPR. These include:
i. Recognised Legitimate Interests – One of the key changes concerns the “legitimate interests” lawful basis. Under the amended UK GDPR, certain interests – for example national security, public security and defence, responding to emergencies, preventing and detecting crime, safeguarding vulnerable individuals, and disclosures to public bodies for their public tasks – are designated as “recognised legitimate interests”, allowing data controllers to rely on them without undertaking the usual balancing test. The processing must still be necessary for the recognised interest, and the data protection principles and accountability obligations continue to apply. Solicitors will need to advise clients on the scope and limits of this lawful basis, particularly when acting for public bodies or organisations involved in public interest processing.
Whilst this may ease the regulatory burden for some organisations, solicitors must proceed with caution. Firms that handle special categories of personal data, or data relating to criminal convictions and offences, will still need to demonstrate necessity and proportionality in most cases. Moreover, clients may expect solicitors to advise on whether a given interest falls within one of the recognised categories.
ii. Changes to Subject Access Requests – The DUAA retains and clarifies the provisions allowing data controllers to charge a “reasonable fee” for, or refuse, subject access requests (SARs) that are manifestly unfounded or excessive, including repetitive requests.
The standard response period remains one month. Where a request is complex, or the firm receives several requests from the same individual, the period may be extended by up to a further two months, and the DUAA now sets out in the UK GDPR itself how that period is calculated. This is likely to be welcomed by solicitors acting for clients with large or complex datasets – such as in employment or regulatory litigation – though care will still be needed in assessing what constitutes “excessive”. Firms should revise their internal policies to reflect the deadlines and fee regime. The implementation date for this provision is 1 January 2026.
The Act establishes the principle of “reasonable and proportionate” searches, reducing administrative burden and codifying limits to requests deemed excessive or vexatious.
A new “stop the clock” provision allows organisations to pause response deadlines while awaiting sufficient information from applicants. This change helps legal teams manage SAR workflows more efficiently and defend against complaints regarding search depth or response times.
The DUAA now explicitly excludes communications covered by legal professional privilege (LPP) from SAR disclosures under the law enforcement regime, mirroring the statutory exemption that already exists under the UK GDPR. Where LPP is relied on, controllers must inform the requester (unless doing so would itself breach privilege), explain the exemption, and notify them of their rights to complain to the ICO or to bring a claim in court.
iii. Data Protection Impact Assessments (DPIAs) – The DUAA largely retains the existing requirements for Data Protection Impact Assessments (DPIAs) under UK GDPR, meaning that DPIAs are still mandatory for processing activities likely to result in high risk to individuals’ rights and freedoms. Despite wider reforms in other areas, the definition of high-risk processing and the obligation to carry out DPIAs remain fundamentally unchanged. Earlier proposals to make the DPIA regime more flexible, or to exempt low-risk processing from DPIAs, were not adopted in the final Act.
However, changes to automated decision making may require firms to reassess DPIAs in the light of the changed emphasis (see below).
iv. Automated Decision-Making and Profiling – The Act clarifies and, in a number of respects, relaxes the rules on solely automated decision-making, while setting out the safeguards that must accompany it.
The DUAA updates the legal framework governing automated decision-making (ADM) to reflect the increasing use of algorithmic systems across sectors such as finance, recruitment, healthcare and public services. It relaxes some of the restrictions previously imposed by Article 22 of the UK GDPR, which limited the use of solely automated decisions that have legal or similarly significant effects on individuals.
The revised Article 22 provisions are most significant for controllers processing non-special category personal data for ADM. A key change is that such processing may now rely on any lawful basis, including “legitimate interests”, provided the controller puts appropriate safeguards in place. Individuals must be given clear information about how ADM is being used, including the logic involved and the types of data relied on; they must be able to request human intervention, make representations and contest the decision; and the controller must consider the risks of the processing, with particular attention to privacy, fairness, bias and the potential for discrimination. To support ongoing compliance, accountability mechanisms such as regular audits and internal reviews should also be in place. Decisions based on special category data remain subject to tighter restrictions.
v. Internal Complaints and Statutory Right to Complain – The DUAA requires data controllers to facilitate complaints from individuals about the use of their personal data, with the expectation that individuals raise a complaint with the controller (the organisation) before escalating it to the Information Commissioner’s Office (ICO) as regulator. Organisations must have a formal internal complaints procedure, including an accessible (for example electronic) complaints form, and must acknowledge complaints within 30 days, investigate without undue delay, and provide a clear outcome.
The ICO may refuse to act on a complaint that has not first been raised with the controller. This prioritisation is intended to focus the ICO’s resources on significant issues and places more responsibility on businesses to address grievances effectively.
Solicitors will need to help clients create, document, and communicate robust complaints procedures and ensure staff are trained to respond diligently, reducing litigation risk and safeguarding reputation.
vi. International Data Transfers – The DUAA amends the rules governing transfers of personal data outside the UK. The previous adequacy test is replaced by a “data protection test”: a transfer is permissible where the standard of protection in the recipient country is “not materially lower” than that under UK law. This could facilitate broader data flows with overseas partners, but it requires a careful assessment of the foreign legal regime, and that assessment should be documented.
4. Amendments to the Data Protection Act 2018
New Enforcement Powers for the ICO – The Information Commissioner’s Office (ICO) gains significantly enhanced investigatory and enforcement powers under the revised DPA 2018. This includes the ability to compel the production of internal risk assessments, audit records, and DPIAs without needing to show prior evidence of non-compliance.
The ICO will be able to issue interim suspension notices for non-compliant processing activities pending further investigation. For solicitors, this could mean a temporary bar on certain document review technologies, client portals, or case management systems, should those be found in breach.
Firms should, therefore, consider how to evidence compliance proactively and may wish to conduct internal audits in advance of the new regime, which comes into force on 1 July 2026.
5. Reforms to the Privacy and Electronic Communications Regulations (PECR)
i. Soft Opt-In Extended to Non-Commercial Bodies – Previously, the “soft opt-in” for marketing communications applied only to commercial organisations. The new Act amends the PECR to allow charities, trade unions, and membership organisations to rely on the same exemption when marketing to existing supporters or members.
While not directly relevant to most solicitors’ day-to-day work, this may impact firms that work closely with professional associations or that offer events, newsletters, or publications. Where marketing activities are undertaken, firms should still ensure that they offer a clear opt-out and observe data minimisation principles.
ii. Cookie Consent Simplification – One of the most practically significant changes for solicitors is the introduction of a streamlined consent mechanism for low-risk cookies. Firms will no longer be required to obtain active consent for cookies used solely for website analytics, service optimisation, or error management. Users must still be told that such cookies are used and given a simple means of objecting, and the exemption does not extend to advertising or cross-site tracking cookies, which continue to require consent.
This reform is aimed at reducing “cookie fatigue” while still protecting privacy. Firms should review their website banners and privacy policies to ensure compliance with the revised rules, which take effect from 1 January 2026.
iii. E-Privacy Breaches and Enforcement – Previously, breaches of PECR attracted a maximum fine of £500,000. The DUAA brings PECR penalties into line with those under the UK GDPR – up to £17,500,000 or 4% of the organisation’s total annual worldwide turnover for the preceding financial year, whichever is higher – putting all organisations on notice of significantly greater regulatory consequences for marketing and cookie breaches.
6. Implications for Solicitors’ Practices
The DUAA has the effect of creating the need for firms to amend their practices and policies in several core areas. These include:
i. Client Data Management – Solicitors are data controllers for large quantities of sensitive personal data – ranging from financial and medical information to records of criminal proceedings. The reforms will require firms to revisit their data inventories, processing registers, and client engagement letters.
Where automated tools are used – such as document review AI, client intake systems, or e-discovery platforms – firms must ensure they remain within the bounds of the new automated processing rules. Additionally, they must provide clear and accessible privacy notices reflecting the updated law.
ii. Data Protection Complaints – All firms will be required by June 2026 to have procedures for dealing with data protection complaints. The ICO has published new draft guidance on how to comply. Although it remains at the consultation stage until mid-October, it nevertheless gives useful guidance on the steps firms may wish to take.
Under the new provisions, anyone unhappy with how the firm has handled their personal information will start by complaining to the firm rather than to the ICO. The complaint could concern how the firm has handled a subject access request, how long their data has been retained, the impact of a data breach, or any other personal data issue. Firms will be expected to have a procedure for handling such complaints which must include acknowledging the complaint within 30 days, taking the necessary steps to respond without undue delay, keeping the complainant updated on progress, and providing an outcome without undue delay.
Firms must also ensure that they have a means through which complaints can be made including via form, by telephone, via a complaints portal or in person.
iii. Outsourcing and Supplier Contracts – The DUAA introduces a new obligation on data controllers to undertake “active diligence” on all third-party processors, including regular audits and compliance checks. For law firms, this means renewed scrutiny of IT vendors, cloud services, outsourced support, and marketing platforms.
Template data processing agreements should be revised to include clauses reflecting the revised legal duties. Firms may also wish to include contractual indemnities covering non-compliance by suppliers.
iv. Staff Training and Internal Policies – The new regulatory environment places greater emphasis on demonstrable compliance. Firms will need to ensure that staff at all levels understand the changes and that internal policies, particularly those relating to SARs, data minimisation, and incident response, are updated accordingly.
This may include mandatory training sessions for solicitors, paralegals, administrative staff, and IT teams. Law firm regulators, including the SRA, are also expected to update their guidance in due course.
v. Marketing and Communications – Where firms use client newsletters, event invitations, or website advertising, they must take note of the PECR changes. Although the soft opt-in rules have become more permissive in some areas, the underlying principles of transparency and choice remain paramount.
Client care letters and online sign-up forms should be reviewed to ensure they include appropriate wording around consent, unsubscribe mechanisms, and the lawful basis for processing.
vi. Additional Provisions – In addition to the matters referred to above, firms will be expected to revise data protection policies, privacy notices, staff handbooks, and service agreements for clients, ensuring alignment with the new requirements; reinforce clients’ risk controls and train staff to recognise and respond to potential breaches quickly; strengthen risk assessments, standard contractual clauses, and understand overseas privacy standards to protect cross-border transfers; and update client guidance to reflect changes in automated processing, subject access procedures, internal complaints, legitimate interests, and international data transfers.
7. Looking Ahead: Future-Proofing Your Practice
While some provisions of the Data Use and Access Act 2025 have already come into force, many of the most complex and impactful reforms will take effect between January and July 2026. This presents solicitors with a valuable – if limited – window in which to update their data governance structures, revisit third-party relationships, and refresh internal training materials.
Firms should remain alert to further developments and be prepared to engage with consultations where appropriate.
Firms with international clients or operations should also assess how the UK reforms interact with existing EU GDPR obligations. While the UK government maintains that the new rules are consistent with its adequacy status under the EU framework, this will remain under periodic review in Brussels.
Infolegal subscribers will shortly have access to revised guidance on data protection, a model data protection complaints policy, updated internal policies, and updated data protection courses to address the training requirements. If you would like more information on this, and the other services offered by Infolegal, please contact enquiries@infolegal.co.uk.