UK Data Protection Regulations – Changes from August 2025

1 – Background

Data processing in the UK is covered by three pieces of legislation:
  • UK General Data Protection Regulation (“UK GDPR”)
  • Data Protection Act 2018
  • Privacy and Electronic Communications (EC Directive) Regulations 2003
However, the Data (Use and Access) Act 2025 (“DUAA”, “the Act”) received Royal Assent on 19 June 2025 and will be implemented between August 2025 and August 2026.

Note: The DUAA does not completely replace the existing legislation. Instead, it amends certain clauses and introduces new provisions for clarity. The UK Government is expected to update the legislation to reflect these changes within approximately two months of Royal Assent.

Text shown below in black italics is taken directly from the various guidance documents and webpages from www.gov.uk.

Text shown below in black is taken directly from relevant legislation.

One aim of the Act is to create a more permissive framework under the UK GDPR for organisations to make decisions based solely on automated processing that have legal or similarly significant effects on individuals. Organisations will be able to make such decisions in wider circumstances but must implement certain safeguards. These include:
  • providing people with information about significant decisions made about them
  • enabling them to make representations about and to challenge such decisions
  • enabling them to obtain human intervention in respect of such decisions

This article focuses on the DUAA changes that directly affect Clinical Research; amendments not relevant to this field are not included.

Several of the DUAA changes were previously found only in the UK GDPR recitals, the explanatory preamble to the regulation that sets out the intent behind its articles. Data protection steps taken by organisations should already take these recitals into account, even though they are not legally binding.

2 – Summary of Changes

2.1 – Subject Access Requests

The DUAA clarifies the time limits for organisations to respond to subject access requests (requests by individuals to access and receive a copy of their personal data). It includes a “stop the clock” rule, allowing organisations to pause the response time if they need more information from the requester. Once they get the information they need, the response time continues. Organisations need to make reasonable and proportionate searches when responding to requests.

2.2 – Definition of Scientific Research

The DUAA clarifies that scientific research may include commercial research. It allows researchers to seek consent for broad areas of related research and clearly outlines the safeguards required for using personal data in research.

2.3 – Safeguards for Processing for Research Purposes

This measure brings together the conditions which must be met for processing under the research provisions. These safeguards include respect for the principle of data minimisation, as well as preventing processing which leads to decisions being made about, or substantial harm caused to, data subjects.

2.4 – Subject Consent

This measure allows researchers to rely on broad consent, subject to certain conditions such as consistency with relevant ethical standards. If a researcher is unclear of the precise purpose of a study at its start, they can ask for consent for an area of scientific research (e.g. the study of certain diseases). While consent is not often used by researchers as their lawful basis under the UK GDPR, this will give those that do want to rely on broad consent more legal certainty.

2.5 – International Data Transfers

The Act simplifies the rules and provides necessary clarification for transferring personal data internationally.

3 – Changes in Detail

3.1 – Subject Access

Under UK GDPR Article 15, data subjects have the right to obtain confirmation from the controller as to whether their personal data is being processed and, if so, to access that data along with related information about its processing. The changes outlined below impact the timelines for responding to such requests.

3.1.1 – Impact of Change

UK GDPR Article 12 required a response to be made “within one month of receipt of the request”; this has been replaced with “before the end of the applicable time period”. Previously, the one-month deadline to respond to a Subject Access Request (SAR) started as soon as the request was received, regardless of whether the data controller had all the information it needed to act. The Act introduces a “stop the clock” provision which allows organisations to pause the response time, without the risk of missing the deadline, if they need data subjects to clarify or refine their requests or to provide more information. Once the organisation has the information it needs, the response time continues. In addition, the previous law did not explicitly state that searches needed to be “reasonable and proportionate”, although this had been established by case law; the Act now states it expressly. The existing Article 12(5) provisions on fees and refusals are unchanged, but the new Article 12A ties the start of the clock to payment of any fee charged under them: you can charge a “reasonable fee” for the administrative costs of complying with a request if:
  • it is manifestly unfounded or excessive; or
  • an individual requests further copies of their data following a request.
Alternatively, you can refuse to comply with a manifestly unfounded or excessive request.

3.1.2 – Detail: Changes to Timeline for Response to Requests

In UK GDPR Article 12 (transparent information, communication and modalities for the exercise of rights of the data subject) —
  1. in paragraph 3—
    1. for “within one month of receipt of the request” substitute “before the end of the applicable time period (see Article 12A)”, and
    2. omit the second and third sentences,
  2. in paragraph 4, for “without delay and at the latest within one month of receipt of the request” substitute “without undue delay, and in any event before the end of the applicable time period (see Article 12A),”,
A new section, Article 12A is added:
  1. In UK GDPR Article 12, “the applicable time period” means the period of one month beginning with the relevant time, subject to paragraph 3.
  2. “The relevant time” means the latest of the following—
    1. when the controller receives the request in question;
    2. when the controller receives the information (if any) requested in connection with a request under UK GDPR Article 12(6);
    3. when the fee (if any) charged in connection with the request under UK GDPR Article 12(5) is paid.
  3. The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
    1. the complexity of requests made by the data subject, or
    2. the number of such requests.
  4. A notice under paragraph 3 must—
    1. be given before the end of the period of one month beginning with the relevant time, and
    2. state the reasons for the delay.
  5. Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under UK GDPR Article 15 relates—
    1. the controller may ask the data subject to provide the further information, and
    2. the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—
      1. the applicable time period, or
      2. the period described in paragraph 4(a).
  6. An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.
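The Article 12A rules above amount to a small deadline calculation: the clock starts at the latest of receipt, identity confirmation and fee payment; it runs for one month (three if an extension is notified); and the days between asking for and receiving clarification are excluded. The following is an added example written for this article, not code from the original page, the ICO or any official tool. It assumes the ICO's calendar-month convention for "one month" (the corresponding date in the following month, or the last day of that month if there is none) and treats the excluded clarification periods of paragraph 5 as whole days, inclusive of both the asking and the receiving day, that push the deadline back; both are interpretation choices, not text of the Act. The request record and its field names are hypothetical.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` later, clamped to the month end.

    Assumption: ICO's 'calendar month' convention (31 Jan + 1 month = 28/29 Feb);
    the Act itself does not say how 'one month beginning with' a day is counted.
    """
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class SarRequest:
    """A subject access request as recorded by the controller (hypothetical record)."""
    received: date                                  # Art 12A(2)(a)
    identity_info_received: Optional[date] = None   # Art 12A(2)(b): info requested under Art 12(6)
    fee_paid: Optional[date] = None                 # Art 12A(2)(c): fee charged under Art 12(5)
    extended: bool = False                          # Art 12A(3): two-month extension notified
    # Art 12A(5): (day the controller asked for clarification, day it received it), both inclusive
    clarification_pauses: List[Tuple[date, date]] = field(default_factory=list)


def relevant_time(req: SarRequest) -> date:
    """Art 12A(2): the clock starts at the LATEST of receipt, identity info and fee payment."""
    return max(d for d in (req.received, req.identity_info_received, req.fee_paid) if d is not None)


def paused_days(req: SarRequest) -> int:
    """Art 12A(5)(b): days that do not count, inclusive of both the asking and the receiving day."""
    total = 0
    for asked, answered in req.clarification_pauses:
        if answered < asked:
            raise ValueError(f"pause ends before it starts: {asked} -> {answered}")
        total += (answered - asked).days + 1
    return total


def applicable_deadline(req: SarRequest) -> date:
    """Art 12A(1) and (3): one month from the relevant time, or three months if extended,
    with clarification pauses added back on (assumption: pauses shift the deadline by days)."""
    months = 3 if req.extended else 1
    return add_months(relevant_time(req), months) + timedelta(days=paused_days(req))


def extension_notice_deadline(req: SarRequest) -> date:
    """Art 12A(4)(a): an extension notice must be given within one month of the relevant time;
    Art 12A(5)(b)(ii) excludes clarification pauses from that month as well."""
    return add_months(relevant_time(req), 1) + timedelta(days=paused_days(req))


def is_timely(req: SarRequest, responded_on: date) -> bool:
    """True if a response sent on `responded_on` falls within the applicable time period."""
    return responded_on <= applicable_deadline(req)


if __name__ == "__main__":
    # Constructed scenario: request received 3 Mar 2025, identity confirmed 10 Mar,
    # clarification asked for on 20 Mar and received on 24 Mar (5 excluded days).
    req = SarRequest(
        received=date(2025, 3, 3),
        identity_info_received=date(2025, 3, 10),
        clarification_pauses=[(date(2025, 3, 20), date(2025, 3, 24))],
    )
    print("clock starts:", relevant_time(req))               # 2025-03-10
    print("respond by:", applicable_deadline(req))            # 2025-04-15
    print("notify any extension by:", extension_notice_deadline(req))
    req.extended = True
    print("extended deadline:", applicable_deadline(req))     # 2025-06-15
```

Note what the "latest of" rule in paragraph 2 does in practice: if the controller asks for identity information under Article 12(6), the month does not start until that information arrives, whereas a clarification request under Article 12A(5) only pauses a clock that is already running. Overlapping pauses are not merged here; a real system should reject or merge them rather than double-count.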

3.1.3 – Relevant Sections of UK GDPR

UK GDPR Article 12 paragraphs 3 and 4:

(3) The controller shall provide information on action taken on a request under UK GDPR Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

(4) If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the Commissioner and seeking a judicial remedy.

Two other sections of UK GDPR are referred to above:

UK GDPR Article 12(5) provides that if a data subject’s request is manifestly unfounded or excessive, particularly if it is repetitive, the controller may charge a reasonable fee based on the administrative costs of providing the requested information, communication, or action. The controller may also refuse a request if it is manifestly unfounded or excessive.

UK GDPR Article 12(6) relates to situations where the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

3.2 – Scientific Research

Clause 67 of DUAA – Meaning of research and statistical purposes

This updates Article 4 of the UK GDPR, which provides Definitions in use across that legislation.

3.2.1 – Impact of Change

This measure makes it clearer when you can use personal data for scientific research, and statistical purposes. Amongst other things, the measure clarifies that the definition of research is inclusive of commercial scientific research – for instance, a pharmaceutical company conducting vaccine research. Processing that falls under these categories is subject to the research provisions, which include certain exemptions and safeguards detailed elsewhere in the Act.

By clarifying the meanings in the legislation itself rather than in the UK GDPR recitals, this measure gives researchers greater consistency and certainty.

3.2.2 – Detail: Definition of “scientific research purposes”

References in this Regulation to the processing of personal data for the purposes of scientific research (including references to processing for “scientific research purposes”) are references to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity. Such references—
  1. include processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific, but
  2. only include processing for the purposes of a study in the area of public health that can reasonably be described as scientific where the study is conducted in the public interest.

3.2.3 – Detail: Definition of “historical research purposes”

References in this Regulation to the processing of personal data for the purposes of historical research (including references to processing for “historical research purposes”) include processing for the purposes of genealogical research.

3.2.4 – Detail: Definition of “statistical purposes”

References in this Regulation to the processing of personal data for statistical purposes are references to processing for statistical surveys or for the production of statistical results where—
  1. the information that results from the processing is aggregate data that is not personal data, and
  2. the controller does not use the personal data processed, or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.

3.2.5 – Relevant Sections of UK GDPR

As the changes are to the Definitions section, they have impact throughout the UK GDPR. In particular, they relate to the recitals on processing of anonymous data (Recital 26), consent (Recital 35), further processing for archiving purposes (Recitals 50, 53, 62, 63, 65 and 156), international data transfers (Recital 113), the use of data from registries (Recital 157), processing of personal data for research purposes (Recital 159) and processing of data for historical research purposes (Recital 160).

3.3 – Safeguards for Processing for Research Purposes

A new chapter, Chapter 8A (safeguards for processing for research, archiving or statistical purposes) is added to the UK GDPR, after Chapter 8, covering safeguards for processing for research purposes. Articles 84A, 84B and 84C are of relevance.

3.3.1 – Impact of Change

This measure brings together the conditions which must be met for processing under the research provisions.

These safeguards include respect for the principle of data minimisation, as well as preventing processing which leads to decisions being made about, or substantial harm caused to, data subjects.

These safeguards are currently split between the UK GDPR, recitals, and the DPA 2018. Bringing them together will make the law simpler, giving researchers and data subjects greater clarity and consistency.

3.3.2 – Detail: Research, archives and statistics

Article 84A: Research, archives and statistics

  1. This Chapter makes provision about the processing of personal data—
    1. for the purposes of scientific research or historical research,
    2. for the purposes of archiving in the public interest, or
    3. for statistical purposes.
  2. Those purposes are referred to in this Chapter as “RAS purposes”.

3.3.3 – Detail: Additional requirements

Article 84B: Additional requirements when processing for RAS purposes
  1. Personal data may only be processed for RAS purposes if—
    1. the processing consists of the collection of the personal data (whether from the data subject or otherwise),
    2. the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a data subject, or
    3. without the processing, the RAS purposes cannot be fulfilled.
  2. Processing of personal data for RAS purposes must be carried out subject to appropriate safeguards for the rights and freedoms of the data subject.

3.3.4 – Detail: Appropriate safeguards

Article 84C: Appropriate safeguards
  1. This Article makes provision about when the requirement under Article 84B(2) for processing of personal data to be carried out subject to appropriate safeguards is satisfied.
  2. The requirement is not satisfied if the processing is likely to cause substantial damage or substantial distress to a data subject to whom the personal data relates.
  3. The requirement is not satisfied if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, except where the purposes for which the processing is carried out include the purposes of approved medical research.
  4. The requirement is only satisfied if the safeguards include technical and organisational measures for the purpose of ensuring respect for the principle of data minimisation (see UK GDPR Article 5(1)(c)), such as, for example, pseudonymisation.
  5. In this Article—
“approved medical research” means medical research carried out by a person who has approval to carry out that research from—
  1. a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or
  2. a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—
    1. the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland department;
    2. a relevant NHS body;
    3. United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;
    4. an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);
    “relevant NHS body” means—
    1. an NHS trust or NHS foundation trust in England,
    2. an NHS trust or Local Health Board in Wales,
    3. a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,
    4. the Common Services Agency for the Scottish Health Service, or
    5. any of the health and social care bodies in Northern Ireland falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).

3.3.5 – Relevant Sections of UK GDPR

The DUAA adds a new chapter, 8A, the purpose of which is described above.

3.4 – Subject Consent

Clause 68 of DUAA – Consent to processing for the purposes of scientific research

This updates Article 4 of the UK GDPR, which provides Definitions in use across that legislation.

3.4.1 – Detail: Definition of Consent

A data subject’s consent is to be treated as falling within the definition of “consent” in UK GDPR Article 4 point (11) of paragraph 1 if:
  1. it does not fall within that definition because (and only because) the consent is given to the processing of personal data for the purposes of an area of scientific research,
  2. at the time the consent is sought, it is not possible to identify fully the purposes for which personal data is to be processed,
  3. seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research, and
  4. so far as the intended purposes of the processing allow, the data subject is given the opportunity to consent only to processing for part of the research.

3.4.2 – Relevant Sections of UK GDPR

The definition of consent under Article 4 of UK GDPR is as follows:

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

3.4.3 – Impact of Change

This extends the definition of consent to cover the specifics relating to research, including the fact that in some circumstances the full purpose of the research may not be known at the time consent is obtained. In line with section 3.4.1, the key provisions are:
  1. Extension of definition – Consent is explicitly extended to include research-related processing of personal data.
  2. Unknown purposes at outset – Consent remains valid even where the full scope or purpose of processing cannot be defined at the time it is obtained.
  3. Ethical safeguards – Any such consent must meet established ethical standards, for example through an Ethics Committee–approved Informed Consent Form (ICF).
  4. Partial consent – Where feasible, subjects should be given the opportunity to provide partial consent, such as opting out of their data being used for future research while still consenting to its use for the current study.
The concept of “broad consent” for research purposes was previously found in the UK GDPR recitals. Bringing it into the main text of the legislation will raise awareness of the concept and give researchers greater clarity.

3.5 – International Data Transfers

UK GDPR Article 44 defines general principles for transfers. The wording of this article is replaced entirely by Article 44A (see below). Changes are also made to the appropriate safeguards needed for those transfers (Article 46). Note that these changes impact on the DPA 2018 as well as UK GDPR.

3.5.1 – Impact of Change

The main change is the introduction of a “data protection test”, Article 46(6), which is met if the protection on the data after the transfer is not materially lower than it was before. Prior to these reforms, the data protection test was not set out as clearly for data controllers in the legislation.

3.5.2 – Detail: General Principles for Transfers

Article 44A General principles for transfers
  1. A controller or processor may transfer personal data to a third country or an international organisation only if—
    1. the condition in paragraph 2 is met, and
    2. the transfer is carried out in compliance with the other provisions of this Regulation.
  2. The condition is met if the transfer—
    1. is approved by regulations under Article 45A that are in force at the time of the transfer,
    2. is made subject to appropriate safeguards (see Article 46), or
    3. is made in reliance on a derogation for specific situations (see Article 49).
  3. A transfer may not be made in reliance on paragraph 2(b) or (c) if, or to the extent that, it would breach a restriction in regulations under Article 49A.

3.5.3 – Detail: Appropriate Safeguards

Article 46 (transfers subject to appropriate safeguards): the first paragraph is replaced entirely by a new paragraph 1A.

Article 46(1A): A transfer of personal data to a third country or an international organisation by a controller or processor is made subject to appropriate safeguards only—
  1. in a case in which—
    1. safeguards are provided in connection with the transfer as described in paragraph 2 or 3 or regulations made under Article 47A(4), and
    2. the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or
  2. in a case in which—
    1. safeguards are provided in accordance with paragraph 2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and
    2. each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).
Note that part (b) above applies to transfers involving public bodies and is therefore unlikely to be of relevance to clinical research. Multiple changes are made to paragraphs 2 and 3; the amended paragraphs are shown in full below, and the pre-amendment wording is reproduced in section 3.5.4 for comparison.

Article 46(2): The safeguards referred to in paragraph 1A(a) may be provided for, without requiring any specific authorisation from the Commissioner, by:
  1. a legally binding and enforceable instrument between a public body and another relevant person or persons;
  2. binding corporate rules approved in accordance with Article 47;
  3. standard data protection clauses specified in regulations made by the Secretary of State under Article 47A(1) and for the time being in force;
  4. standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;
  5. an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the safeguards provided by the code, including as regards data subjects’ rights; or
  6. an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the safeguards provided by the mechanism, including as regards data subjects’ rights.
Article 46(3): With authorisation from the Commissioner, the safeguards referred to in paragraph 1A(a) may also be provided for, by:
  1. contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  2. provisions to be inserted into administrative arrangements between a public body and another relevant person or persons which include enforceable and effective data subject rights.
Paragraphs 6, 7 and 8 are added to the end of the Article.

Article 46(6): For the purposes of this Article, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data by the safeguards required under paragraph 1A, and (where relevant) by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—
  1. this Regulation,
  2. Part 2 of the 2018 Act, and
  3. Parts 5 to 7 of that Act, so far as relevant to processing to which this Regulation applies.
Article 46(7): For the purposes of paragraph 1A(a)(ii) and (b)(ii), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.

Article 46(8): In this Article—
  1. references to the protection provided for the data subject are to that protection taken as a whole;
  2. “relevant person” means a public body or another person exercising functions of a public nature.

3.5.4 – Relevant Sections of UK GDPR

Article 44 of UK GDPR is replaced entirely. The original wording was:

Article 44: General principle for transfers
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

UK GDPR Article 45A relates to transfers approved by regulations made by the Secretary of State and is not covered in this article.

UK GDPR Article 46 relates to the safeguards to be in place to cover the transfers. The first paragraph of Article 46 is replaced entirely. The original wording was:

Article 46(1): In the absence of adequacy regulations under section 17A of the 2018 Act (DPA 2018), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The wording of the 2nd and 3rd paragraphs is amended. The original wording was:

Article 46(2): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from the Commissioner, by:
  1. a legally binding and enforceable instrument between public authorities or bodies;
  2. binding corporate rules in accordance with Article 47;
  3. standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force;
  4. standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;
  5. an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  6. an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
Article 46(3): With authorisation from the Commissioner, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
  1. contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  2. provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.