
Privacy and Data Protection Autumn Snapshot 2025
Thursday 25th September 2025
As we look to Q4, the ‘golden quarter’ for many organisations in the UK, we have summarised key data protection news and developments since our last quarterly update, below.
If you have any questions, please do not hesitate to get in touch with one of our Privacy experts.
In this edition, we cover the following key updates:
- Data (Use and Access) Act (‘DUAA’) becomes law;
- ‘All data’ requests requirements clarified by the DUAA;
- Court of Appeal widens scope for data breach compensation claims;
- ICO secures criminal conviction for blocked SAR; and
- Launching our forthcoming back to basics webinar on commercial contracts.
Data (Use and Access) Act 2025 becomes law
The Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent in June this year, marking the biggest changes to UK data protection law since the arrival of the GDPR. The DUAA aims to modernise the way businesses use data and, amongst other things, supplements current UK data protection laws. Most of the changes are expected to take effect from December 2025, except notably for the right of a data subject to complain to an organisation, which is expected to come into force around June 2026. Organisations should take stock of the upcoming changes to ensure that their compliance programme is up-to-date, whilst also being able to take advantage of some of the provisions which present a relaxation of certain rules (detailed below).
‘All data’ requests requirements clarified by the DUAA
‘All data’ subject access requests (DSARs) can present a challenge to organisations where they hold vast amounts of data about the data subject – for example, an ex-employee with a long service history requesting all personal data held about them. The DUAA now clarifies in statute that: 1) the organisation is only obliged to carry out a reasonable and proportionate search in response to the DSAR; and 2) the ‘clock’ is stopped until the requester clarifies the scope of their DSAR or provides their identity. This will be a welcome change for organisations dealing with DSARs.
Court of Appeal widens scope for data breach compensation claims
In a momentous ruling, the Court of Appeal provided clarification on when individuals may be able to claim compensation for data breaches concerning their personal data.
In Farley v Paymaster (1836) Ltd [2025] EWCA Civ 117, on the issue of compensation, the Court of Appeal held that, in principle, fear of the consequences of a data breach is sufficient to entitle a claimant to compensation.
This is subject to such fear being objectively well-founded (and not hypothetical or speculative), an assessment which should be made at the time such fear was experienced (and not with hindsight).
This means that claimants/individuals may not need to prove that an unauthorised third party actually accessed their personal data to seek compensation from the data controller, but they may seek compensation on the basis of their fear of their data being misused.
This case provides an important reminder for businesses to regularly review, update and test the integrity and robustness of their IT security procedures and data protection policies and procedures to reduce the risk of unauthorised, albeit inadvertent, disclosures/data breaches.
ICO secures criminal conviction for blocked SAR
The director of a care home in Yorkshire was ordered to pay a fine of £1.1k and costs of £5.4k for failing to respond to a subject access request (SAR).
Ordinarily, a failure to comply with a SAR is a civil matter; however, Section 173 of the Data Protection Act makes it a criminal offence to alter, deface, block, erase, destroy, or conceal information with the intention of preventing disclosure. The director is reported to have offered unsuccessful defences, including that the care home manager was responsible, not him.
Believed to be the first prosecution of its type, it shows criminal liability can attach directly to individuals in positions of responsibility and clarifies that responding to DSARs is a statutory obligation.
Back to basics
We’re currently running a number of bespoke ‘Back to Basics in Data Protection’ sessions for our clients and contacts.
If you are interested in this type of training (either in person or virtual) please contact us at privacy@gordonsllp.com and we would be happy to put together a tailored proposal for your organisation.