Technology
Written by Sophie Hudson
Key developments in 2025
The Data (Use and Access) Act 2025 ("DUAA") received Royal Assent on 19 June 2025. It marks the most significant overhaul of the UK’s data protection landscape since Brexit. The DUAA introduces targeted amendments to the Data Protection Act 2018, the UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations 2003. The focus is to streamline compliance and enable more agile data use for businesses.
A key change is the creation of “recognised legitimate interests”. This is an expanded lawful basis for processing personal data that removes the need to balance individuals' interests against the legitimate interests of the processor for specified activities such as direct marketing and intragroup administration. For insurers, this is expected to simplify routine data flows and reduce friction in claims handling and underwriting operations.
The DUAA also tightens controls around automated decision-making and requires organisations to demonstrate meaningful involvement in decisions where individuals’ rights are affected. This is particularly important for claims teams deploying AI or automated triage tools, as it clarifies when and how those technologies can be used.
For international data transfers, the DUAA introduces a new “data protection test” to replace the previous adequacy assessment. Firms must now ensure that data protection standards in third countries are “not materially lower” than those in the UK. This will likely require a review of cross-border claims and data-sharing arrangements.
Other notable updates include:
- Enhanced complaint-handling procedures;
- Stricter requirements for responding to data subject access requests;
- New powers for the Secretary of State to expand or clarify what counts as special category data.
The DUAA will be brought into force in phases starting in August 2025, with full implementation expected by mid-2026.
What to look out for in 2026
EU's approach to AI regulation
The European Union Artificial Intelligence Act ("EU AI Act") represents the world’s first comprehensive legal framework governing the development and use of AI across sectors.
General-purpose AI (“GPAI”) models with systemic risk have been subject to initial requirements since August 2025. From August 2026, the EU AI Act’s full suite of obligations for high-risk AI systems (“HRAI”) will come into force. The legislation establishes a structured approach for identifying, managing and reporting “serious incidents” involving AI.
Any use of AI, whether for claims triage, fraud detection or underwriting automation, must be carefully assessed to determine whether it qualifies as high-risk. Providers of HRAI systems will be subject to strict incident notification requirements: serious incidents must be reported to national authorities within defined timeframes. For example, for the most severe cases, a notification must be made within two days.
Meanwhile, developers of GPAI models that present systemic risk will be required to monitor and report incidents “without undue delay”. Reports must be made to both the EU AI Office and the relevant national regulators. These obligations will operate under a forthcoming Code of Practice, which has yet to be finalised.
However, the EU Digital Simplification Package ("Omnibus"), published on 19 November 2025, is likely to result in a relaxing of certain requirements originally set out in the EU AI Act in the longer term. Its aim is to reduce the cost and complexity of regulatory compliance for digital service providers, offering a competitive advantage to businesses. For instance, the definition of "personal data" under GDPR would be amended. Full adoption of the Omnibus is currently expected by mid-2027.
UK's approach to AI regulation
In contrast, the UK Government's approach remains pro-innovation. Following its 2024 consultation, it confirmed that it would not rush into legislation, opting instead to shape future policy through continued industry engagement and alignment with international developments, such as the EU AI Act.
While this means the UK currently faces fewer prescriptive rules, organisations must still keep pace with emerging best practices, regulatory expectations and potential future reforms. The UK’s flexible stance offers operational agility, but firms should avoid complacency. Cross-border operations and client expectations will increasingly be influenced by the stricter EU framework.
Staying ahead will require proactive risk management, regular policy reviews, and close collaboration between legal, compliance, and operational teams.