Recent legislative changes in the UK will impact how businesses handle non-disclosure agreements (NDAs) and data protection. HR professionals and business leaders should be aware of these changes and ensure their organisations are compliant.
New rules for non-disclosure agreements
From 1 October 2025, new legislation will come into effect concerning confidentiality clauses, also known as NDAs. This new law clarifies that NDAs cannot be enforced if they prevent a victim from reporting a crime to the police. The changes also extend protections to other disclosures, such as those necessary for victims to access confidential advice and support needed for their recovery. Any NDAs signed on or after this date will be legally unenforceable if they attempt to prevent these types of disclosures.
To prepare for this change, businesses should:
- Familiarise themselves with the new law and its implications.
- Update internal guidance on NDA usage to reflect the new regulations.
- Ensure that all NDA and contract templates comply with the new law. Best practice is to explicitly state what parties can disclose and in what circumstances.
Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 (DUAA) has received Royal Assent and updates key aspects of data protection law. This legislation aims to make it easier for UK businesses to protect personal information while still innovating and growing.
Key changes in the new law include:
- Clarifying how personal information can be used for research.
- Lifting some restrictions on automated decision-making.
- Setting out how certain cookies can be used without consent.
- Allowing charities to send electronic mail marketing without consent in specific situations.
- Requiring organisations to have a formal data protection complaints procedure.
- Introducing a new lawful basis of recognised legitimate interests.
The government plans to phase in the new law, with most provisions expected to take effect either two or six months after Royal Assent. However, some changes may take up to 12 months to implement.
It is important to note that the DUAA amends existing legislation, but it does not replace the UK GDPR, the Data Protection Act 2018, or the Privacy and Electronic Communications Regulations. These changes are intended to make data protection law clearer and more flexible for organisations, while still maintaining strong safeguards for individuals.