In a sector that’s had it tough for the past few years, you may be surprised by what I’m about to tell you - 2026 is set to bring good news for charities of all sizes and sectors.
If I then tell you that the news relates to data protection and governance, your sense of anticipation may diminish. But be assured, the upcoming changes could make a practical difference to both day-to-day operations and long-term planning, clarifying how to handle certain data management issues and making it easier to communicate with supporters.
Calls for greater clarity answered
The changes result from the Data (Use and Access) Act 2025 (DUAA), passed by the UK Parliament last summer. Some provisions are already in force; others will come into force over the next 6 to 12 months to give organisations time to prepare. The Act amends (rather than replaces) existing legislation, such as the Data Protection Act 2018. The changes most relevant to charities relate to:
- Data subject access requests - clarifying what’s required when responding
- Recognised legitimate interests - simplifying some data sharing and processing
- The ‘soft opt-in’ for direct marketing communications - making it more straightforward to communicate with supporters
Data subject access requests
Under UK data protection legislation, you must respond to data subject access requests without ‘undue delay’ and usually within a calendar month of receipt. But the legislation does not clearly define how far you must go in searching for information, nor when you can stop the clock on the time limits for responding.
Now, the DUAA changes that, by codifying and formalising existing guidance from the Information Commissioner’s Office (ICO).
First, the Act introduced, from June 2025, a statutory ‘reasonable and proportionate’ standard for data subject access searches, confirming you’re not expected to conduct exhaustive searches if this would be disproportionate.
At a time when data processors and controllers are receiving more and more of these requests, this is helpful.
For example, if someone has been with your organisation for 20 years, you may hold a huge amount of paper or electronic information which includes their details. From a reasonable and proportionate perspective, it’s unlikely that you would be expected to trawl through every email or message exchanged during that time.
It will be more a question of setting reasonable and proportionate parameters for your initial search, without, as the current ICO guidance states, conducting searches ‘that would be unreasonable or disproportionate to the importance of providing the information’. Make sure you can still explain your approach, so keeping a record of your methodology is wise.
The second change on data subject access requests relates to the timing of your response.
Previously, there were mechanisms and guidance about when you could stop the clock on a response or extend beyond the calendar month, but they were not codified. Now the DUAA specifies that you may extend the deadline if you need information from the requester, for example when you are:
- Verifying the data subject’s ID
- Requesting additional information necessary to process their request
This certainly doesn’t open the way for complete flexibility on timings, and you will need to provide notifications around delays and give reasons for any extension. However, the greater clarity provided on both parameters and timeframes is very welcome.
Recognised legitimate interests
The new Act will also make it simpler to navigate the question of ‘legitimate interests’.
To recap, ‘legitimate interests’ is one of the six lawful bases for processing data, but it requires the processor to identify the legitimate interest and balance their own legitimate interests against the individual’s rights, through a three-part legitimate interests assessment covering purpose, necessity, and a balancing test.
The DUAA simplifies this task by introducing ‘recognised legitimate interests’, covering activities such as:
- Detecting, investigating, or preventing crime
- Safeguarding a child or vulnerable adult
- Responding to emergencies
- National security or public safety
With these interests, the sharing or processing of data still needs to be necessary for your legitimate interest, but you will not need to perform a balancing test.
So, what does this mean in practice?
For charities, typical scenarios for using recognised legitimate interests could include sharing data when you suspect fraud or other crimes are being or have been committed, or when you want to safeguard vulnerable individuals. If your interest falls within one of the ‘recognised’ interests, you’ll be able to process or share data with greater confidence that it’s legitimate to do so, and with less administrative burden.
The changes are expected in early 2026, so it’s helpful to prepare now by reviewing activity and processing and updating privacy notices.
The DUAA also clarifies the application of the standard ‘legitimate interests’ lawful basis, giving examples such as direct marketing and intra-group transfers for administrative purposes.
Both activities still require organisations to complete a legitimate interests assessment—including a balancing test. For example, sharing data between linked charities across the border for administrative reasons is now more straightforward, so long as you document the necessity of the transfer and confirm the individual’s rights remain protected.
The soft opt-in
A third key change under the DUAA for charities is what’s known as the ‘soft opt-in’. This exemption is already available to businesses but will now be extended to the third sector. By making it easier to reach out to donors, volunteers, and other supporters, this could transform how you access donations and other support.
The soft opt-in allows you to send electronic mail marketing (such as emails, texts and some social media direct messages) to people whose personal information you collect when they support or express an interest in your work. As long as you meet the three conditions below, you will no longer have to obtain their explicit consent to market to them directly.
Those conditions are:
- The direct communications are to individual subscribers for the purpose of furthering your objectives as a charity
- You obtained the recipient’s contact details when they expressed interest in your charity’s purposes, or when they were offering or providing support to further one of those purposes – for example, they donated or volunteered.
- The recipient is offered a simple means to opt out of receiving marketing messages, both at the time their details were collected and on every occasion they are contacted.
It’s important to emphasise that the soft opt-in exemption only applies to supporters you recruit in future; you can’t use it for people who have signed up previously. It also doesn’t apply to telephone marketing.
If you want to make use of it, you will therefore need to implement a two-track approach for existing and new supporters and put in place recordkeeping and database management systems to accommodate this.
For some charities, this may seem impractical, in which case you can retain your previous consent model or use ‘legitimate interests’.
And if you do use the soft opt-in, you will still need rigorous document trails showing that you have a lawful basis for processing people’s information. Commencement is expected in early 2026 so now is the time to review your supporter engagement and database management systems.
Complaints handling
Although the DUAA is primarily a simplifying measure, it also introduces a new requirement: from mid-2026, charities, along with all organisations processing data as controllers, must operate an internal data protection complaints process, acknowledging complaints within 30 days and responding substantively without undue delay.
It’s helpful to start preparing and implementing a policy in readiness.
Strong data governance still needed
None of these changes frees you from the need to have strong data governance in your charity, business or other organisation. Good data housekeeping and an understanding of data protection legislation and best practice will remain essential.
But these changes will simplify that task and save you valuable time spent seeking out data from 20 years ago or obtaining individual donor consents.
That has to be a good thing for your organisation and the wider sector as a whole.
Published 12 January 2026
If you’d like to know more about the upcoming DUAA changes, how they relate to your own activities and systems, and the practical steps you can take to incorporate them, we’d be delighted to discuss this with you.