
The Data (Use and Access) Act 2025 (DUAA) introduces a number of amendments to UK data protection legislation that law firms should not ignore. While much of the discussion surrounding the Act has focused on reducing regulatory burdens and supporting innovation, the practical reality for solicitors is that there are several changes that will require firms to review existing policies, procedures and governance arrangements.
For COLPs and compliance teams, the key question is not whether the firm's data protection framework remains compliant today, but whether it will remain compliant when the new provisions take effect on 19 June 2026.
This article highlights the actions firms should be taking now.
Review Your Data Protection Complaints Procedure
Perhaps the most significant operational change for law firms is the introduction of a new statutory complaints process.
Under the DUAA, individuals will generally be expected to raise complaints with an organisation before escalating matters to the Information Commissioner's Office (ICO). Organisations must have a mechanism for receiving, investigating and responding to such complaints.
From a compliance perspective, this means data protection complaints should no longer be treated as an informal extension of general complaints handling.
What should COLPs do?
Consider whether your existing complaints policy:
- Identifies data protection complaints as a distinct category of complaint.
- Explains how such complaints can be submitted.
- Allocates responsibility for investigating complaints.
- Specifies response times.
- Maintains an audit trail of complaints received and actions taken.
- Provides for escalation where complaints raise wider regulatory concerns.
Many firms may already have appropriate procedures in place, but these should be reviewed against the new statutory requirements.
Firms may wish to update their existing complaints policies to incorporate wording such as:
Data Protection Complaints
We are committed to protecting personal data and complying with applicable data protection legislation.
Any individual who is dissatisfied with the way in which we have collected, used, stored, shared or otherwise processed their personal data may submit a data protection complaint to the Firm's Data Protection Officer at [insert contact details].
We will acknowledge receipt of the complaint within 30 days and investigate the concerns raised. We aim to provide a substantive response without undue delay.
Where additional information is required to investigate the complaint, we may contact you to seek clarification.
If you remain dissatisfied after receiving our response, you may raise the matter with the Information Commissioner's Office.
Update Subject Access Request Procedures
The Act codifies existing ICO guidance regarding the scope of searches required when responding to a Subject Access Request (SAR).
The law now expressly recognises that organisations are only required to undertake searches that are reasonable and proportionate.
This is particularly relevant to law firms where:
- Large volumes of email correspondence exist.
- Multiple fee earners have worked on a matter.
- Archived systems are involved.
- Requests relate to historic employment matters.
The Act also introduces formal stop-the-clock provisions, which pause the statutory response period, where:
- Identity verification is required.
- Clarification of the request is necessary.
Practical considerations
COLPs should review whether SAR procedures:
- Document search methodology.
- Record decisions regarding proportionality.
- Include templates for seeking clarification.
- Include procedures for identity verification.
- Maintain evidence supporting any decision to limit searches.
A well-documented SAR process remains critical in the event of an ICO investigation.
Review the Firm's Lawful Basis Assessments
The DUAA introduces the concept of recognised legitimate interests for certain processing activities.
Although firms should not assume that legitimate interests assessments are no longer required, the changes may simplify decision-making in specific circumstances.
This presents an opportunity for firms to revisit:
- Employee monitoring activities.
- Fraud prevention measures.
- Anti-money laundering processes.
- Client due diligence activities.
- Business risk management procedures.
COLPs should ensure that records of processing activities accurately reflect any reliance on legitimate interests.
Consider Data Reuse and Secondary Purposes
The legislation provides additional clarity around when personal data may be processed for a purpose that is compatible with the original reason for collection.
This is particularly relevant for firms that use information for:
- Internal training.
- Precedent development.
- Knowledge management.
- Legal research.
- Service improvement initiatives.
While the changes provide additional flexibility, firms should continue to assess confidentiality obligations, legal professional privilege and client expectations before repurposing information.
Compliance teams should resist viewing the reforms as a relaxation of professional obligations.
Review Governance Around AI and Emerging Technologies
Although the Act introduces greater flexibility regarding automated decision-making, solicitors remain subject to broader professional obligations concerning competence, confidentiality and supervision.
Many firms are increasingly deploying:
- AI-assisted document review tools.
- Legal research platforms.
- Client onboarding systems.
- Workflow automation technologies.
COLPs should ensure that data protection impact assessments, supplier due diligence and governance frameworks keep pace with technological developments.
Update Training and Awareness Materials
Many data protection breaches arise not because policies are absent, but because staff are unfamiliar with them.
Training materials should be reviewed to reflect:
- The revised complaints process.
- Updated SAR procedures.
- Lawful basis changes.
- Accountability requirements.
- Escalation routes for data protection concerns.
Fee earners, HR teams and business support staff should all understand how the new requirements affect their day-to-day responsibilities.
A Practical COLP Checklist
Before 19 June 2026, COLPs should consider:
☐ Reviewing complaints policies and introducing a dedicated data protection complaints process.
☐ Revising SAR procedures to reflect the new reasonable and proportionate search requirements.
☐ Updating SAR templates to incorporate identity verification and clarification requests.
☐ Reviewing records of processing activities and lawful basis assessments.
☐ Assessing how client information is used for training, knowledge management and secondary purposes.
☐ Reviewing governance arrangements for AI and automated processing tools.
☐ Updating staff training materials.
☐ Reporting significant compliance changes to the firm's management board or risk committee.
Final Thoughts
The Data (Use and Access) Act 2025 does not require firms to rebuild their data protection framework from scratch. However, it does require COLPs and compliance teams to revisit existing arrangements and ensure they remain fit for purpose.
Firms that take the opportunity to update complaints procedures, strengthen SAR processes and refresh governance documentation will be better placed to demonstrate accountability to both the ICO and the SRA.
As with many regulatory changes, the greatest risk may not come from the legislation itself, but from assuming that existing policies will automatically remain adequate.