UK data protection

UK GDPR and the Data (Use and Access) Act 2025: staff training

UK data protection law changed on 5 February 2026. The Data (Use and Access) Act 2025 amends the UK GDPR, the Data Protection Act 2018 and PECR, with further reforms phasing in by regulation. The UK GDPR has not gone away, it has been changed. This is what your team needs to know now.

Talk to us

UK GDPR still applies

The DUAA does not replace the UK GDPR. It amends it. Your core duties remain, with a set of targeted changes layered on top.

What changed on 5 Feb 2026

The main data protection changes in Part 5 of the Act came into force on 5 February 2026, with more provisions commencing in stages by regulation.

What staff must know

Lawful basis, automated decisions, data transfers and complaints handling all shifted. Everyday staff need the new ground rules, not just the DPO.

The key changes

Five things to train your team on

1. Recognised legitimate interests

The Act adds a list of recognised legitimate interests with a presumption of legitimacy, changing how some processing is justified under the legitimate interests basis.

2. Automated decision-making

A more permissive framework for solely automated decisions with legal or similar effects, subject to safeguards, so staff need to know when those safeguards apply.

3. International data transfers

The transfer test moves from the EU's essentially equivalent standard to a new not materially lower data protection standard, changing transfer assessments.

4. Complaints and access handling

Updated rules on how organisations handle data subject complaints and access requests, including the steps and timelines staff must follow.

5. A reconstituted regulator

The Information Commissioner's Office is being reconstituted as the Information Commission, with updated powers your governance should reflect.

Before and after

What the DUAA changed

AreaUK GDPR beforeUnder the DUAA, from 5 February 2026
Legitimate interestsCase-by-case balancing testA list of recognised legitimate interests with a presumption of legitimacy
Automated decisionsTightly restricted by defaultMore permissive, with required safeguards
International transfersEssentially equivalent testNot materially lower data protection standard
RegulatorInformation Commissioner's OfficeReconstituted as the Information Commission
The test that matters

Old training is now teaching the wrong law

If your data protection training predates 5 February 2026, parts of it now describe a version of UK law that has changed. The risk is not abstract: a member of staff applying the old rules on automated decisions, transfers or lawful basis can create the breach. Training that names the Data (Use and Access) Act 2025, the change, and the date it took effect is what keeps everyday decisions on the right side of the line.

How Auren trains it

Three levels, current to the Act

1. Foundation for everyone

Every employee gets the everyday rules: lawful basis, handling personal data, and what changed under the DUAA.

2. Intermediate for those who handle data

Staff who run processes, requests and transfers get the operational level on the new framework and the safeguards.

3. Advanced for DPOs and leads

Data protection officers and compliance leads get the audit-grade level on recognised legitimate interests, transfers and the reconstituted regulator.

4. Kept current as it commences

With provisions phasing in by regulation, Auren revises content within 30 days of each change and version-dates every course.

Questions

UK GDPR and DUAA training, common questions

Did the Data (Use and Access) Act 2025 replace UK GDPR?

No. The DUAA amends the UK GDPR, the Data Protection Act 2018 and PECR. The UK GDPR still applies, with a set of targeted changes layered on top, so your existing framework continues with adjustments rather than starting again.

When did the changes take effect?

The DUAA received royal assent on 19 June 2025. The main data protection changes in Part 5 came into force on 5 February 2026, and further provisions are commencing in stages by regulation.

What changed for everyday staff?

The most visible changes are a list of recognised legitimate interests, a more permissive framework for automated decisions with safeguards, a new international transfer standard, and updated complaints and access handling. Staff who handle personal data need the new ground rules.

Does this affect EU or Maltese data?

The DUAA changes UK law only. If you handle EU or Maltese personal data, the EU GDPR still applies to that data, so a business operating across the UK and the EU now manages two frameworks that are diverging. Auren covers both.

Related at Auren

Go deeper

Get your team current on UK data law

Tell us who handles personal data in your business, and we will map the Foundation, Intermediate and Advanced levels to your team.

Talk to us