This August, the Information Commissioner’s Office (ICO) launched public consultations on proposed amendments to the UK’s data protection regimes. The proposed amendments, introduced by the Data (Use and Access) Act 2025 (DUAA), include the introduction of a new lawful basis for data processing and the implementation of new requirements for handling data protection complaints.
The consultations seek quality responses from individuals and businesses to help shape the ICO’s final guidance on the two significant reforms. With the opportunity to submit comments closing in October, this article offers a summary of the DUAA’s key amendments and their potential impact on UK businesses.
Under Article 6 of the UK General Data Protection Regulation (UK GDPR), businesses acting as data controllers must identify a lawful basis before processing personal data. The current legal bases under Article 6 include:
The DUAA introduces a seventh lawful basis which allows processing where it is necessary for a “recognised legitimate interest”. This new lawful basis closely mirrors Article 6(1)(f) but removes the requirement to carry out a balancing test for processing that falls within a predefined list of “recognised legitimate interests”. Under Article 6(1)(f), the purpose of the balancing test is to ensure that the business’s legitimate interests do not override the rights and freedoms of the data subject. In practice, this typically involves conducting a Legitimate Interest Assessment (LIA), a light-touch risk assessment, prior to initiating each processing activity. By contrast, the DUAA’s new legal basis bypasses this requirement for certain categories of processing, effectively supplementing Article 6(1)(f) by identifying activities that are deemed to satisfy the legitimate interest threshold without further justification.
Currently, the list of “recognised legitimate interests” includes processing activities that are necessary for security, defence, emergencies and the prevention of crime. However, the Secretary of State has the power to amend and expand this list through secondary legislation.
While the reform appears to reduce administrative burdens and legal uncertainty for UK-based businesses, it could introduce operational complexity for multinational businesses. The new lawful basis represents a departure from the EU General Data Protection Regulation, which continues to mandate a full LIA. As a result, businesses operating across both the UK and EU must navigate diverging regulatory frameworks, potentially complicating cross-border data processing operations.
Although this new lawful basis has been formally incorporated into the UK GDPR through the DUAA, it is important to note that it is not yet in force. Whilst the specific commencement date for this provision has not been confirmed, this amendment is expected to be enforceable by June 2026.
The DUAA amendments also create a new requirement for businesses acting as data controllers to establish a formal process to handle data protection complaints.
Specifically, these businesses must now:
These obligations introduce a formal right for data subjects to raise complaints directly with businesses, something that was previously only encouraged within the guidance provided by the ICO. By codifying these expectations, the DUAA ensures that data subjects are given a clear and accessible route to raise concerns with the businesses that determine the purposes and means of processing their personal data.
A key aspect of this reform is that complainants must first raise their concerns with the business before escalating the issue to the ICO. This "first-instance" obligation is designed to ensure that businesses are given the opportunity to resolve complaints directly and at the earliest stage, which should reduce the volume of less serious issues being escalated unnecessarily to the ICO.
In practice, this means that the ICO will be able to prioritise and focus its resources on the most serious or systemic breaches of data protection law, such as those involving large-scale data misuse, repeat offenders, or violations that affect vulnerable individuals or sensitive categories of data.
For businesses acting as controllers, these changes underscore the need to implement a robust internal complaints handling procedure, supported by clear communication channels, trained staff, and documented processes. Failure to comply with these new requirements could expose such businesses to regulatory scrutiny or enforcement action, especially given that the DUAA grants the Secretary of State the power to mandate businesses to notify the ICO of the number of complaints made under their formal procedure.
As with the introduction of the new recognised legitimate interest basis under Article 6, the commencement date for this provision has not been confirmed but it is expected to be in force by June 2026.
If you require assistance with any aspect of data protection compliance, or have questions about your legal obligations, please contact Samantha McManus in our Data Protection and Privacy team on +44 (0)204 600 9907 or email info@culbertellis.com.