The Data (Use and Access) Act 2025 has made a number of changes to UK data protection law that will affect any organisation processing personal data, including personal data of employees, contractors, harbour users or visitors. Most of these changes came into force on 5 February 2026.
The Act has introduced targeted reforms to streamline compliance obligations and promote innovation, whilst preserving protection for personal data. The full package of reforms covers various topics, including changes to automated decision-making and international transfers rules, as well as to scientific research provisions.
However, in this article we focus on the key changes that are most relevant to organisations operating within the marine sector, such as harbour authorities.
The Data (Use and Access) Act 2025 refines the subject access request (SAR) rules for organisations receiving and responding to SARs.
Firstly, it codifies that the organisation responding to the SAR only needs to carry out ‘reasonable and proportionate’ searches for relevant personal data. This is not new, as this was already confirmed within case law and guidance published by the Information Commissioner’s Office. However, the Act now gives this position a statutory footing.
What this means in practice is that organisations do not need to leave no stone unturned when locating personal data in response to a SAR. Instead they need to complete reasonable and proportionate searches which will depend on factors such as the scale of the request, the surrounding circumstances, any challenges in identifying the requested information, and also available resources.
Secondly, the Act codifies the ‘stop the clock’ rules which were also established within the Information Commissioner's Office guidance. These rules allow organisations to pause the timeframe for responding to a SAR where further information is required in order to identify the personal data being requested. The clock is stopped from the day that the further information is requested, and restarts once the further information has been received.
These changes provide greater operational certainty for organisations responding to SARs, including internal employee SARs and external SARs from members of the public.
The Data (Use and Access) Act 2025 also expands the categories of cookies and similar tracking technologies that can be deployed without consent. For any organisation which operates a website or application, these changes will be relevant.
The categories of cookies and similar tracking technologies that may now be used without consent include those deployed solely to tailor functionality to a user’s preferences or to gather statistical information about the use of a website or application.
These changes will allow organisations to better understand how members of the public engage with their website or other digital platforms.
Fines under the Privacy and Electronic Communications Regulations 2003 (PECR)
PECR is the piece of legislation governing cookies and tracking technologies, as well as direct electronic marketing.
Previously, the maximum monetary penalty that the Information Commissioner's Office could issue for a breach of PECR was £500,000. However, the Data (Use and Access) Act 2025 increases this to align with the maximum fine under the UK General Data Protection Regulation: £17,500,000 or 4% of total annual worldwide turnover, whichever is higher.
Breach of direct marketing rules is a particular area of focus for the Information Commissioner's Office, and historically we have seen a number of fines in this space. The significant increase in PECR fines under the Act raises the stakes for any organisation carrying out electronic marketing - it's more important than ever to ensure that email, text and telephone marketing complies with PECR rules.
Finally, one of the most significant changes under the Data (Use and Access) Act 2025 is the new data protection complaints regime. The new complaints regime introduces obligations on organisations to help people make data protection complaints, and to deal with those complaints effectively.
The Act states that providing an electronic complaints form is an example of how to help people make a data protection complaint. It also requires organisations to acknowledge complaints within 30 days and advise the complainant of the outcome without undue delay.
These changes are aimed at encouraging resolution of data protection complaints between the relevant parties in the first instance, before things are escalated to the Information Commissioner's Office.
Unlike the rest of the data protection reforms, which came into force on 5 February 2026, the new complaints rules are due to take effect on 19 June 2026. Given the public‑facing nature of organisations such as harbour authorities, it's particularly important to take action ahead of 19 June to implement effective complaint handling procedures and ensure compliance with the new complaints rules.
The Data (Use and Access) Act 2025 does not radically overhaul UK data protection law, but it introduces targeted, practical reforms that will impact day‑to‑day compliance. By clarifying SAR rules, expanding cookies exceptions and introducing new complaints requirements, the Act aims to reduce friction and support more efficient operations.
Organisations should review their internal processes to ensure compliance with new requirements, and to ensure that they are taking advantage of reforms which provide greater flexibility.
If you require further information, please contact our data protection team.