UK GDPR and the Data (Use and Access) Act 2025: staff training
UK data protection law changed on 5 February 2026. The Data (Use and Access) Act 2025 amends the UK GDPR, the Data Protection Act 2018 and PECR, with further reforms phasing in by regulation. The UK GDPR has not gone away, it has been changed. This is what your team needs to know now.
Talk to usUK GDPR still applies
The DUAA does not replace the UK GDPR. It amends it. Your core duties remain, with a set of targeted changes layered on top.
What changed on 5 Feb 2026
The main data protection changes in Part 5 of the Act came into force on 5 February 2026, with more provisions commencing in stages by regulation.
What staff must know
Lawful basis, automated decisions, data transfers and complaints handling all shifted. Everyday staff need the new ground rules, not just the DPO.
Five things to train your team on
1. Recognised legitimate interests
The Act adds a list of recognised legitimate interests with a presumption of legitimacy, changing how some processing is justified under the legitimate interests basis.
2. Automated decision-making
A more permissive framework for solely automated decisions with legal or similar effects, subject to safeguards, so staff need to know when those safeguards apply.
3. International data transfers
The transfer test moves from the EU's essentially equivalent standard to a new not materially lower data protection standard, changing transfer assessments.
4. Complaints and access handling
Updated rules on how organisations handle data subject complaints and access requests, including the steps and timelines staff must follow.
5. A reconstituted regulator
The Information Commissioner's Office is being reconstituted as the Information Commission, with updated powers your governance should reflect.
What the DUAA changed
| Area | UK GDPR before | Under the DUAA, from 5 February 2026 |
|---|---|---|
| Legitimate interests | Case-by-case balancing test | A list of recognised legitimate interests with a presumption of legitimacy |
| Automated decisions | Tightly restricted by default | More permissive, with required safeguards |
| International transfers | Essentially equivalent test | Not materially lower data protection standard |
| Regulator | Information Commissioner's Office | Reconstituted as the Information Commission |
Old training is now teaching the wrong law
If your data protection training predates 5 February 2026, parts of it now describe a version of UK law that has changed. The risk is not abstract: a member of staff applying the old rules on automated decisions, transfers or lawful basis can create the breach. Training that names the Data (Use and Access) Act 2025, the change, and the date it took effect is what keeps everyday decisions on the right side of the line.
Three levels, current to the Act
1. Foundation for everyone
Every employee gets the everyday rules: lawful basis, handling personal data, and what changed under the DUAA.
2. Intermediate for those who handle data
Staff who run processes, requests and transfers get the operational level on the new framework and the safeguards.
3. Advanced for DPOs and leads
Data protection officers and compliance leads get the audit-grade level on recognised legitimate interests, transfers and the reconstituted regulator.
4. Kept current as it commences
With provisions phasing in by regulation, Auren revises content within 30 days of each change and version-dates every course.
UK GDPR and DUAA training, common questions
Did the Data (Use and Access) Act 2025 replace UK GDPR?
No. The DUAA amends the UK GDPR, the Data Protection Act 2018 and PECR. The UK GDPR still applies, with a set of targeted changes layered on top, so your existing framework continues with adjustments rather than starting again.
When did the changes take effect?
The DUAA received royal assent on 19 June 2025. The main data protection changes in Part 5 came into force on 5 February 2026, and further provisions are commencing in stages by regulation.
What changed for everyday staff?
The most visible changes are a list of recognised legitimate interests, a more permissive framework for automated decisions with safeguards, a new international transfer standard, and updated complaints and access handling. Staff who handle personal data need the new ground rules.
Does this affect EU or Maltese data?
The DUAA changes UK law only. If you handle EU or Maltese personal data, the EU GDPR still applies to that data, so a business operating across the UK and the EU now manages two frameworks that are diverging. Auren covers both.
Go deeper
- UK GDPR and DUAA 2025, Foundation course
- GDPR Foundations, UK and Malta
- The Course Catalogue
- Customisation and Advisory
Get your team current on UK data law
Tell us who handles personal data in your business, and we will map the Foundation, Intermediate and Advanced levels to your team.
Talk to us
Compliance, Done Right.
Auren Institute is a compliance training partner for HR and L&D leaders at SMEs and mid-market employers in the UK and Malta. Eleven compliance domains. Three levels in each. UK and Maltese variants where the law differs. Updated within 30 days of legislative change.
Get in touch
sales@aureninstitute.com
UK Office
Tel: +44 7505706062
Malta Office
92, No. 1, St Edward Street,
Qormi, QRM 2136
Tel: +356 9999 1039
VAT No: MT20967027
CPD Reg. No: 22536
UK FSB No: 65539277