Something Is Better Than Nothing: UK and EU GDPR Reform Finally Arrives

Skadden Publication / Cybersecurity and Data Privacy Update

Nicola Kerr-Shaw, Aleksander J. Aleksiev, William E. Ridgway, David A. Simon, Susanne Werry

In recent weeks, the EU and UK have both introduced changes to their respective versions of Europe’s landmark privacy legislation, the General Data Protection Regulation (GDPR). These reforms mark the first substantial updates to the GDPR since it came into force in 2018. While both the EU and UK’s reforms hint towards much-needed simplification of the GDPR, both reforms are less ambitious than companies might have hoped for. This alert describes, and compares, the key changes for businesses from these reforms.

UK Reforms – The Data Use and Access Act

The UK’s Data Use and Access Act (DUAA) received Royal Assent on 19 June 2025 and is now law. The Act brings targeted amendments to the existing UK GDPR regime, intended to lessen data protection burdens on organizations in keeping with the government’s focus on encouraging economic growth. Those changes include:

  • Data subject rights. Companies’ obligations in relation to data subject access requests have been relaxed so that only “reasonable and proportionate” searches need be conducted. This is a welcome change, as complex data subject access requests can be costly to respond to. However, since this relaxation reflects existing UK regulatory guidance, the change is more of a formalization of existing policy than a substantial shift.
  • Cookies. There has been a minor relaxation of cookie consent rules, removing the obligation to obtain consent for certain low-risk cookies such as service-improvement or website-appearance cookies. Again, this is a welcome change, though in practice organizations may find it operationally cumbersome to maintain separate UK cookie banners.

    The DUAA also brings penalties under the UK’s cookie rules (the Privacy and Electronic Communications Regulations, or PECR) in line with the UK GDPR, raising maximum penalties from £500,000 to the greater of £17.5 million or 4% of global turnover. This is a significant shift, as cookie enforcement has proven a high priority for the UK regulator.

  • Recognised legitimate interests. Certain activities, such as responding to emergencies, safeguarding individuals and detecting crime, will be considered “recognised legitimate interests” and no longer require a legitimate interests assessment to be conducted. This is a welcome change, though the scope of these recognised legitimate interests is narrow enough that it will not significantly dent the number of legitimate interests assessments companies are legally required to conduct.
  • Scientific research. The DUAA broadens existing UK GDPR exemptions for scientific research, including in relation to the reuse of personal data for scientific research.

While these changes are welcome, they represent a relatively modest reduction in regulatory burden, and are even less ambitious than the previous government’s stalled attempt to reform the GDPR. In the absence of large changes to the UK GDPR’s text, the most significant UK shifts will instead likely come through the UK regulator’s relatively pragmatic and innovation-friendly guidance on, and interpretations of, the GDPR — a difference that will only be reinforced by the DUAA’s introduction of new duties on the Commissioner to “have regard to … the desirability of promoting innovation.”

What does the DUAA mean for adequacy?

The UK’s post-Brexit adequacy decision — which enables the free flow of data between the UK and EU — had previously been due to lapse on 27 June 2025. To give the European Commission time to assess the implications of the newly finalized DUAA before deciding whether to renew the UK’s adequacy decision, the Commission temporarily extended the decision on 24 June; it now lapses on 27 December 2025.

While the prospect of the UK’s adequacy status lapsing in December raises the specter of a frantic Christmas remediation effort, in practice the relatively limited changes in the DUAA, coupled with improving post-Brexit relations between the UK and EU, mean that the Commission is extremely unlikely to allow the UK’s adequacy status to lapse.

GDPR Reforms in the EU

Meanwhile, the European Commission, through its “Fourth Omnibus” reform package launched on 21 May 2025, has proposed alterations to the EU GDPR as part of a broader suite of “simplification” measures introduced to boost the EU’s business competitiveness following last year’s Draghi Report. Although there had been some hope for substantive reform to the GDPR after the Draghi Report found that the “complexity” of the GDPR had “undermined development” and imposed “high GDPR compliance costs,” the proposed changes consist only of a minor tweak to remove companies with fewer than 750 employees from the obligation to keep a record of processing activities (ROPA).

Separately, the European Commission and European Parliament announced on 16 June 2025 that they had agreed on reforms to the GDPR’s cross-border enforcement procedure. These reforms are intended to streamline and unify the procedure for cross-border GDPR enforcement cases, including by:

  • Setting stricter deadlines for enforcement (with most investigations to be concluded within 15 months).
  • Requiring cooperation between EU countries’ GDPR regulators through the investigation process (previously, a company’s lead GDPR regulator would only inform other regulators of its decision after an investigation was concluded).
  • Unifying claimants’ and defendants’ procedural rights to be heard throughout an investigation (previously, procedural rights varied considerably by member state).

Efforts to make cross-border GDPR enforcement more streamlined and uniform are welcome given the delays and inconsistencies involved in the current GDPR enforcement process, though the changes will primarily affect the relatively small number of GDPR cases that involve significant disputes between EU member states’ GDPR regulators — a topic that the European Court of Justice is also set to consider in the coming months.[1]

What To Do Now, and What’s Coming Next

While the EU’s and UK’s GDPR reforms are both narrow in scope, they set the stage for further divergence between the UK and EU GDPR regimes. Organizations should revisit their GDPR programs in light of this ongoing divergence, assessing whether to take advantage of the (generally less onerous) UK standard or instead to maintain a single compliance program aligned with the stricter EU GDPR standard across both jurisdictions.

_______________ 
[1] See, in particular, upcoming case C-97/23 and recently decided case T-319/24.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.