Changes to GDPR – what solicitors need to know
Parts of the UK GDPR have been changed and replaced by the Data (Use and Access) Act 2025. Find out what this means for your legal practice and what you need to do to stay compliant.
The Data (Use and Access) Act 2025 (DUAA) amends the:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003
The changes in the Act aim to:
- grow the UK economy
- improve UK public services
- make people’s lives easier
What has changed
The DUAA does not fully replace the UK GDPR, but there have been some important changes.
Data processing
The DUAA clarifies that a new data processing purpose is compatible with the original purpose where:
- the organisation has consent
- processing is for research or archiving purposes
For example, a client gives you consent to use their data in a legal case. They then agree to let you use the same data for a training session for junior solicitors. In this scenario, you can reuse the data because you have consent.
The DUAA also created a new list of ‘recognised legitimate interests’ as a lawful basis for processing data.
As long as the processing is necessary, organisations can now process personal data under the following conditions without conducting a legitimate interests assessment (LIA):
Disclosures to public bodies
For example, a firm handling conveyancing could share suspicious transaction data with the National Crime Agency, if the agency confirms it needs the data to investigate financial crime.
National security, public security and defence
For example, a firm representing a whistleblower may be required to share communications with authorities investigating a national security breach.
Emergencies
For example, a firm representing tenants in a high-rise may share occupancy data with the fire service during an evacuation or rescue operation.
Crime
For example, a firm may receive a police request for transaction records related to a suspected money laundering case.
Safeguarding vulnerable individuals
For example, a solicitor representing a child in a custody dispute could share school attendance records with social services to support a safeguarding assessment.
Data subject rights
When responding to data subject access requests (SARs), you will only need to provide information based on ‘reasonable and proportionate searches’.
For example, a former client requests access to their personal data. In this scenario, searching their case file, billing records and correspondence folder would be considered ‘reasonable and proportionate’.
Under the DUAA, data subjects now also have the legal right to complain to the data controller.
You should make sure you have a complaints process in place.
Read our handling complaints practice note.
Automated decision-making
Automated decision-making (ADM) is now easier under the DUAA.
ADM is any process where decisions are made by automated systems without significant input from a human.
For example, a lender may use an automated system to review and approve online applications for a loan.
The DUAA has relaxed the need for individual consent. Organisations can now rely on legitimate interests as a lawful basis for ADM, as long as there are appropriate safeguards in place.
ADM cannot be used for significant decisions that involve special category data.
Information Commissioner’s Office (ICO)
The ICO will now be called the ‘Information Commission’.
Its powers remain the same, subject to changes made by the DUAA.
The DUAA has increased the Information Commission’s fining powers under the Privacy and Electronic Communications Regulations (PECR). PECR fines will now match UK GDPR fines.
For example, breaches of cookie and marketing rules could potentially lead to fines of up to £17.5m or 4% of worldwide turnover.
International data transfer
The DUAA introduces a new legal test for assessing whether personal data can be transferred from the UK to another country.
Under the DUAA, a country does not need to have identical data protection laws to the UK. It only needs to offer protections that are not significantly worse than UK standards.
This makes it easier for the UK government to approve international data transfers.
Scientific research
The definition of ‘scientific research’ has also been updated.
The new definition aims to make it easier to conduct scientific research. It now covers a wider range of activities and provides greater clarity for businesses.
This may be relevant to solicitors advising universities, research institutions or clients engaged in research and development (R&D).
What you need to do
If you already comply with the UK GDPR, you have until June 2026 to make sure you comply with changes in the DUAA.
You should:
- review the lawful basis for the ways you’re processing personal data. There may be new ways you could collect or use data under the DUAA data processing rules
- make sure you have a suitable complaints process in place. Data subjects now have the legal right to complain to data controllers. You must acknowledge complaints within 30 days and take steps to respond as soon as possible
Resources and training
- Read our handling complaints practice note
- Review our GDPR for solicitors guide
- Browse our upcoming data protection training
Legislation timeline
- June 2026 – Data (Use and Access) Act 2025 comes into force. You should make sure your firm or organisation complies with the changes in the DUAA
- December 2025 – EU-UK data adequacy will expire
- June 2025 – Data (Use and Access) Act 2025 receives royal assent. It will take up to one year for the law to fully come into force
- October 2024 – Data (Use and Access) Bill introduced to Parliament. The Law Society provided briefings at each stage of its passage through Parliament
- June 2023 – Retained EU Law (Revocation and Reform) Act 2023 receives royal assent
- June 2021 – EU confers data adequacy