Data (Use and Access) Act 2025: what does it mean in practice for health and social care?

Nearly a year has passed since the Data (Use and Access) Act 2025 was brought into law, and important legislative changes to the UK GDPR took effect on 5 February 2026. Whilst some of the changes are simple codifications of existing guidance and best practice, others could pose a significant data security compliance risk for health and social care organisations.

It is, therefore, important that all processes and procedures for dealing with information requests are reviewed in light of the changes.

Some key areas to consider include:

Automatic recognition of some legitimate interests and changes to purpose limitation

Section 70 of the Act amends the UK GDPR to introduce ‘recognised legitimate interests’. These legitimate interests create automatically lawful grounds to process personal data without the need for a Legitimate Interests Assessment (LIA). The legitimate interests given include preventing crime, safeguarding vulnerable people, responding to emergencies and delivering tasks in the public interest as required by law.

Remember that having a recognised legitimate interest as a reason for processing personal data does not mean that other interests shouldn’t be examined in an LIA, nor does it negate the need to assess whether processing is necessary. Public authorities should also be mindful that legitimate interests won’t apply as a legal basis for processing personal data where they are undertaking a public function or acting in the public interest.

Clarifying response times for Data Subject Access Requests (DSARs)

Section 76 of the Act introduces a new timescale system for data subject access requests (DSARs). The new time limit is now given in Article 12A of the UK GDPR, which states that a response should be made within an ‘applicable time period’. The time period given is one month from when the data controller receives an information request or is asked to confirm the identity of a person making an information request. It is also stated that any fee charged for manifestly unfounded or excessive requests must be fully paid before responding to the request.

This legislative change helpfully codifies existing ICO guidance and clarifies the time constraints involved in making or processing DSARs. However, data controllers should still aim to respond to most requests within 30 days, and should request identity verification information promptly so that the clock is not needlessly delayed.

The soft opt-in rule for charities

For charities, the soft opt-in rule introduced under section 114 of the Act could prove crucial in expanding the scope and effectiveness of fundraising materials. However, the new rule needs to be treated with caution when applied in practice. For example, it is very easy to use the wrong data when issuing marketing material under the new rule, and making this mistake could invoke an investigation by the ICO and/or the Fundraising Regulator.

International data transfers – a new UK-centric regime

International data transfers will soon be governed by a simpler and more flexible regime, which could become more valuable as the UK sets its own data protection standards. The most important change is made in the new schedules 7 and 8 of Chapter 5 of the GDPR, which replace the adequacy model of acknowledging data security in third countries with a new approvals mechanism managed by the Government. The standard for making a restricted transfer is that the protections for a UK data subject in the destination country are ‘not materially lower’ than in the UK.

Mandatory data complaints policies

For data controllers, there will soon be a new requirement to have a data protection complaints process in place by 19 June 2026. For some organisations, this will involve drafting a separate policy specifically to handle such complaints, whilst others will be able to incorporate this into wider processes for data handling and data disclosure. Organisations should consider putting these processes in place now and updating their privacy notices to ensure that data subjects have access to clear information about how to raise a complaint.

Whilst many of the changes introduced by the Act are in line with expectations, organisations can’t afford to be complacent. There are new provisions under the UK GDPR which will require careful consideration, and tighter regulatory control of complaints processes is on the way.

If you would like to discuss how these changes affect your organisation, please get in touch.
