
The evolution of data protection

Whilst UK GDPR continues to form the backbone of UK data protection laws in 2026, real estate businesses must now grapple with implementing the reforms from the Data (Use and Access) Act 2025 (DUAA).
13.07.2026
Phased through 2025 and 2026, the reforms change key areas such as lawful bases, subject‑access handling, and automated decision‑making (paving the way for wider use of AI in areas such as applicant or tenant screening), while retaining the core UK GDPR principles.
DUAA has generally been well received from a business point of view, as a number of the reforms cut red tape and are pro-innovation. But regulatory expectations are increasing in some areas. From mid‑2026, organisations must implement a formal data‑protection complaints procedure, giving individuals a defined route to raise concerns. The idea is that this will facilitate resolution of issues before they result in complaints to the ICO.
Meanwhile, penalties for Privacy and Electronic Communications Regulations (PECR) breaches, including cookie violations, now match GDPR levels at £17.5m or 4% of turnover, significantly increasing the risk profile for real estate businesses that rely heavily on digital marketing, portals, smart‑building systems, or email communications. Recent enforcement trends, including the ICO’s record £14m fine in 2025 for systemic security failures, underline the focus on large organisations handling high‑volume personal data.
For developers, landlords, operators, and managing agents, these changes make strong governance essential. Firms should review the lawful basis on which they process personal data, update privacy notices, and update cookie notices to take advantage of the ability to drop additional cookies without consent. They should also consider whether they want to use personal data in AI and automated decision-making, such as tenant‑screening systems or digital access platforms, and update their DSAR handling process to take advantage of the statutory provision that searches need only be reasonable and proportionate.
Data Subject Access Requests
Data Subject Access Requests (DSARs) have become a significant operational issue in real estate, with rising data‑rights awareness driving more requests from tenants, employees, occupiers, contractors and others. They are often linked to disputes or service‑charge and employment matters.
Handling these requests is challenging because personal data is spread across numerous systems such as access logs, CCTV, emails, maintenance records, tenancy files, smart‑building platforms, and contractor databases, making DSARs particularly resource‑intensive in multi‑let buildings and large portfolios. The challenge is made worse by the rise of AI-written requests which often ask for material that the individual is not entitled to. Understanding what you do and don’t have to provide can be difficult.
Legal reforms are also reshaping DSAR compliance. The Data (Use and Access) Act 2025 clarifies the scope of an organisation’s search obligations. It now embodies in statute the requirement to carry out only “reasonable and proportionate” searches. This clears up any confusion and means that unreasonably broad exhaustive system‑wide reviews are no longer required. It also introduces a requirement that organisations have their own data protection complaints process in the hope that fewer complaints are made to the ICO.
For real estate companies, DSARs are now unfortunately a routine risk‑management issue. Many are tightening data‑retention practices, improving governance frameworks, and adopting specialist DSAR tools, especially as modern buildings generate increasing volumes of personal data. Those that invest early in better data hygiene, structured record‑keeping, and robust DSAR procedures are best placed to handle requests efficiently, reduce disruption and manage legal exposure.
How we can help
DSARs are rarely made in isolation. They are usually made in connection with an actual or anticipated disagreement or dispute. Always consider the bigger picture. Our legal experts can help you respond effectively to any DSAR you face, apply any available exemptions, and support with the strategies, particularly if there is a connected legal claim.
Our data protection experts can also support by advising on DUAA‑driven changes, drafting amended policies and procedures, and advising on how to compliantly use AI and carry out automated decision making. We also advise generally on data sharing contracts, the complex issue of data export, and ensuring you have a robust accountability framework – something regulators increasingly expect across the real estate sector.
Key Contacts

Related Articles
Expert CommentFarley v Paymaster: A Turning Point in UK Data Protection LitigationThe Court of Appeal’s recent decision in Farley v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (“Farley”) represents significant clarification of the legal framework governing compensation for data protection breaches in the United Kingdom.
Expert CommentPicture perfect: data protection essentials for photography in schools and collegesUsing photographs and videos in schools and colleges often raises data protection concerns. Whether it's for ID passes, marketing, or capturing memories, there are important considerations to keep in mind.
Expert CommentData Protection Reforms: The Data (Use and Access) Bill - the final stagesThe Data (Use and Access) Bill (or the DUA Bill as it is often called) was introduced to Parliament on 23 October 2024 and includes, amongst other things, the current proposals to reform UK data protection law. There have been a number of previous bills submitted to Parliament which included reforms to UK data protection law (such as the Data Protection and Digital Information Bill (DPDI) (numbers 1 and 2)) but these previous bills did not make it to the end of the parliamentary process and did not, therefore, become law.


