Changes to the UK’s data protection laws are coming: what this means for organisations
September 2, 2025
The Data (Use and Access) Act 2025 (DUAA) updates several areas of the UK GDPR and the Data Protection Act 2018, with a focus on reducing administrative burdens, improving flexibility, and helping organisations make better use of data in a secure and lawful way. Our expert, Stephen Thompson, outlines some of the key changes that organisations need to be aware of.
Automated Decision-Making (ADM)
The rules on ADM have been overhauled. Organisations can now rely on fully automated decision-making without human involvement. This includes decisions that have a significant impact on individuals, for example rejecting a job applicant, refusing someone a loan, or limiting access to a service.
This ability is, however, subject to important safeguards being put in place. If you’re using ADM, you must:
These provisions give organisations more flexibility, while still allowing individuals to be involved in decisions that affect them. It is, however, important to revisit the changes in this area, as the government will have the ability to introduce additional regulations as technology develops.
Subject Access Requests
Changes have also been made to the way organisations handle subject access requests (SAR).
If a SAR is unclear or if the identity of the requester is in doubt, you can now pause the one-month response deadline while awaiting clarification. Once the necessary information is received, the timescale starts to run again.
Also, the organisation is now only expected to carry out “reasonable and proportionate” searches when locating the requested data. This change brings the legislation in line with the principles established in case law, and is intended to reduce the burden on organisations, particularly where SARs are overly broad or vague.
Dealing with unfounded or excessive requests
The Information Commissioner’s Office (ICO) has the power to refuse, or charge a fee for, requests that are considered “manifestly unfounded” or “excessive”.
This power, which previously applied only to requests from data subjects or data protection officers, has been extended to cover requests from any person. However, the ICO must still justify the refusal, and individuals can challenge the outcome. The aim is to allow the ICO to manage its resources effectively and to prevent unnecessary requests.
Children’s data protection
Children’s privacy continues to be a key concern. Under the DUAA, existing principles have been extended in relation to certain online services that are likely to be accessed by children.
The DUAA further emphasises that service designers must now take children’s needs into account at the design stage. This means building in protections by default — for example, limiting data collection or making privacy settings stronger for child users, as well as reflecting their needs at different ages.
This builds on the principles set out in the “Age Appropriate Design Code” and is a move towards making children’s online safety a statutory requirement for service design.
Scientific research
The DUAA also broadens the definition of scientific research to include commercial research. This is a significant change as it means that companies and organisations carrying out private or for-profit research (for example, a big pharma organisation conducting research into a vaccine) may now benefit from the same flexibilities as academic or public-sector bodies.
It also introduces the ability to use “broad consent”. This is consent given for a general area of research, even if the exact purpose isn’t known at the time that the data is originally provided by the data subject. An example of this would be a medical technology company using health data for future health research, without specifying exactly what it will be researching at the outset.
Safeguards still apply to make sure personal data is used responsibly, but this update reflects the way many modern research projects operate, especially in areas such as AI, biotech, and health data.
A broader shift in the Regulator’s role
The Act also changes the structure and remit of the ICO itself. The ICO will be replaced by a new board-led “Information Commission” with wider powers, a clearer strategic framework, and a duty to balance data protection with innovation, public safety, and economic growth.
The new organisation must publish a strategic plan, performance metrics, and annual reports, and follow a more transparent process when issuing statutory codes of practice.
The Regulator also gains new enforcement powers, including the ability to compel interviews, require technical audits, and demand evidence from organisations, which could be particularly useful when investigating serious breaches or non-compliance.
Final thoughts
The DUAA is designed to ease some of the more burdensome elements of data protection compliance, while improving how data can be used, especially in areas such as research, innovation, and automated systems. However, the Act still expects organisations to be transparent, accountable, and fair in how they handle personal data.
If you’re responsible for data protection within your organisation, it’s worth reviewing your policies and procedures now, especially those relating to SARs, ADM, children’s services, and how you respond to requests. While the changes bring greater flexibility, they also come with greater responsibility.
If you wish to discuss the new changes with us, you can contact us using the contact form or on 02920 829 100 to see how we can help.