In a landmark development for UK data protection law, the Data (Use and Access) Act 2025, commonly referred to as the DUAA, received Royal Assent on 19 June 2025. This introduces reforms that balance innovation, client service, and the stringent privacy obligations inherent to the legal sector.
With phased implementation underway, the Information Commissioner’s Office (ICO) has launched consultations on updated guidance that will help organisations, including law firms, interpret and apply the new requirements.
This blog will explain what the DUAA entails, the key upcoming amendments, how they specifically affect legal practices, and how Net‑Defence can help law firms stay compliant and secure.
What is the Data (Use and Access) Act 2025?
The DUAA is not a complete overhaul but an enhancement of existing legislation, including the UK GDPR, Data Protection Act 2018, and PECR. For law firms, the Act modernises data governance frameworks, ensuring client confidentiality is preserved while supporting digital service delivery and secure client data sharing.
What are the core objectives of the Act?
- Economic growth: Unlocking the power of data to bolster the UK economy and increase operational efficiency across sectors like health, infrastructure, and public services.
- Modernising public services: Transitioning to digital systems (e.g., electronic birth/death registration) and improving government service delivery.
- Stronger protections, clearer pathways: Introducing new lawful bases for data use while maintaining individuals’ data rights and promoting transparency.
What are the legislative highlights for legal practices?
The Act touches several areas directly relevant to law firms:
- Smart data schemes for access to customer and business data, setting the rules under which data can be shared securely with authorised third-party providers
- Regulation of digital verification services (DVS) under a trust framework, enabling secure remote identity checks for clients
- Reform of data protection law, PECR, and the regulator itself: the ICO is to be replaced by a body corporate, the Information Commission
- Clarification of lawful bases, cookie consent, marketing communications, and automated decision-making, all of which bear on how legal services are delivered
These provisions aim to give law firms greater confidence in compliance while facilitating secure, efficient digital workflows.
What amendments does the Act introduce?
Since the Act’s passage, several notable amendments have come into focus, many under ongoing ICO consultation. These updates clarify how law firms manage client data in practice.
1. New lawful basis: “recognised legitimate interest”
The Act adds a new lawful basis to Article 6 of the UK GDPR. Unlike the ordinary legitimate interests basis, a recognised legitimate interest needs no balancing test, but it is limited to a closed list set out in the Act, such as preventing or detecting crime, safeguarding vulnerable individuals, responding to an emergency, and disclosing data to a public body that has requested it for a public task. Separately, the Act lists examples of activities that may be ordinary legitimate interests, including direct marketing, intra-group transfers for internal administration, and ensuring network and information security. For a law firm, the practical effect is clearer footing for activities such as fraud prevention and security monitoring, while consent and the firm’s professional obligations continue to govern the core client relationship.
2. Mandatory data protection complaints process
Law firms must provide a formal route for data subjects to complain directly to the firm about how their personal data is handled. Under the Act a complaint must be acknowledged within 30 days and responded to without undue delay, and the firm must take appropriate steps to investigate. A working complaints process builds trust and demonstrates accountability to both regulators and clients, and it means issues can be resolved before they reach the ICO.
3. Clarification on research, cookies, automated decisions, and marketing
The amendments exempt certain low-risk cookies and similar technologies, such as those used solely for analytics, user preferences or security, from the PECR consent requirement, subject to conditions including clear information for users and a simple means to object; client portals that rely only on such cookies can therefore simplify their banners. The rules on solely automated decision-making are also relaxed: decisions with legal or similarly significant effects are permitted where safeguards apply (information about the decision, the ability to make representations and to obtain human intervention), while the tighter regime is retained for decisions based on special category data. Finally, the Act and forthcoming guidance clarify the conditions under which firms can send marketing communications to clients and contacts, including legal updates or newsletters.
4. Enforcement powers for the ICO
The Act brings PECR penalties into line with the UK GDPR, so breaches of the marketing and cookie rules can now attract fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, rather than the previous £500,000 cap. The regulator also gains new investigative powers, and the ICO itself is to be reconstituted as the Information Commission. Law firms must be vigilant, ensuring that client data handling, marketing, and IT systems all comply.
5. AI and copyright transparency
Law firms increasingly use AI for document review, contract analysis, and research. It is worth being precise about what the Act does here: proposed amendments requiring AI developers to disclose the copyright works used for training were not included in the final Act. Instead, the Act commits the government to publish an economic impact assessment and a report on the use of copyright works in the development of AI systems within nine months of Royal Assent. Firms’ own use of AI on client data therefore remains governed by existing UK GDPR rules, including the revised automated decision-making provisions, and by professional duties to clients; this is an area to watch as the reports and any follow-on legislation emerge.
What does this mean for UK law firms?
The DUAA introduces both opportunities and responsibilities for legal practices. While it allows more streamlined client services and operational flexibility, it also heightens compliance obligations and the potential for regulatory scrutiny.
Opportunities
For forward-thinking firms, the DUAA provides greater freedom to embrace digital transformation. Clarified rules around legitimate interests, cookies, and automated processes enable firms to invest in client portals, AI-assisted research, and marketing communications with clearer compliance guidance.
Research-intensive practices, such as those involved in academic legal work or case precedent studies, benefit from clarified rules on data use. Meanwhile, firms offering newsletters and thought leadership can engage clients more effectively within the bounds of ICO data protection standards.
Responsibilities
With opportunity comes responsibility. Law firms must update their data policies, implement a robust complaints process, and review their website and client communications for compliance. Cookie consent banners, privacy notices, and marketing databases all require careful attention.
Phased implementation means firms must plan strategically. Some provisions took effect at Royal Assent or two months afterwards; the remainder is brought into force by regulations, expected over the following twelve months. Without forward planning, firms risk falling behind just as enforcement begins in earnest.
Monitoring forthcoming ICO guidance is also essential. Over the next 18 months, the ICO will issue detailed materials on lawful bases, complaint processes, archiving, and codes of conduct. Legal practices must stay informed and adapt policies as new guidance emerges.
Risks
The risks are substantial. Non-compliance could expose firms to severe fines, but perhaps more damaging is the loss of client trust. Mishandling sensitive client data, ignoring complaints, or misusing lawful bases could erode a firm’s reputation beyond repair.
With clients increasingly aware of their data rights, law firms must treat compliance not only as a legal duty but as a competitive differentiator. Demonstrating robust data protection practices can enhance client confidence and strengthen market position.
How can Net-Defence help?
We offer a complete suite of services that can all be tailored to ensure your firm meets the new regulatory requirements and maintains robust protection.
Policy, process & documentation alignment
We can assist in translating the DUAA’s new requirements into practice. Our Business Resilience as a Service packages allow you to integrate these policies into an overarching resilience strategy, backed by specialist guidance across cyber, IT and telecoms functions.
Risk assessment & technical compliance audits
To support compliance with PECR, the cookie rules, and the Act’s wider data-handling requirements, our team can perform detailed security assessments. Our cyber security testing services, including penetration testing, provide a proactive way to identify vulnerabilities and demonstrate readiness in light of the DUAA’s enhanced enforcement.
Monitoring, response & incident management
For law firms that need continuous visibility, our Security Operations Centre (SOC) delivers real-time monitoring, threat detection, and rapid incident response. Detecting and containing a personal data breach quickly is what makes it possible to meet the UK GDPR requirement to notify the ICO within 72 hours where required, and it strengthens your ability to meet evolving regulatory expectations.
Infrastructure, hosting & continuity support
To support the secure handling of data throughout internal systems, we offer IT support, including managed services (MSP), data backup and recovery, and Secure Server Hosting on cloud platforms like AWS or Azure. These services uphold integrity, availability, and confidentiality in your infrastructure, which is increasingly critical under DUAA standards.
Certification, assurance & compliance pathways
Aligning with the DUAA and broader UK data privacy requirements may involve adopting standards such as Cyber Essentials or IASME Cyber Assurance. Our team provides support for achieving these certifications and for maintaining compliance and remediating vulnerabilities across firm-wide systems, bolstering your credibility with clients and regulators alike.
At Net-Defence, we understand that for law firms, compliance is inseparable from client trust. By combining policy expertise with technical assurance, we help practices remain resilient, compliant, and client-focused in an evolving regulatory environment.
If your firm is ready to navigate the DUAA with confidence, speak to our team today.