With the UK’s EU data adequacy renewed, the Data (Use and Access) Act 2025 coming into force, and new EU accessibility requirements on the horizon, this bulletin highlights what’s changed and what it means in practice for members.

EU Data Adequacy Renewed

In December 2025, the European Commission renewed the UK’s EU data adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive. This allows free EU–UK data flows until December 2031.

This means that:

• No extra data transfer hoops – EU–UK data flows continue without Standard Contractual Clauses or International Data Transfer Agreements
• Trusted EU partner status maintained – the UK remains “essentially equivalent” under EU data protection law
• Certainty through to at least December 2031 – supporting long-term planning and investment

Brazil also retains EU data adequacy under the GDPR, enabling unrestricted EU–Brazil personal data transfers. However, UK-Brazil transfers remain “restricted transfers”.

Further details: Data protection adequacy for non-EU countries

 

Data (Use and Access) Act 2025 – Key Changes from 5 February 2026

From 5 February, most UK data protection reforms take effect. These simplify aspects of the UK GDPR, introduce recognised legitimate interests, reduce consent requirements for low-risk analytics cookies, clarify scientific research (including commercial research) and broad consent, widen lawful automated decision-making with safeguards, and streamline subject access requests. Enforcement and investigatory powers are strengthened.

Further details: The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations? | ICO

 

European Accessibility Act

This Act requires certain products and services offered to EU consumers to meet common accessibility standards. It is particularly relevant to consumer-facing digital services.

While market research as a professional service is not explicitly listed, participant-facing digital research tools (such as online surveys, recruitment platforms or incentive payment systems) may fall within scope where they operate as consumer-facing digital services or e-commerce.

UK-based providers offering in-scope services to EU consumers may therefore need to ensure accessibility compliance, even when services are delivered from the UK, to support inclusive participation by patients and healthcare professionals and to reduce cross-border regulatory risk.

Further Details: European Commission – European Accessibility Act

 

GDPR Reminder

It may be old, but it’s important: Article 32 of the GDPR requires organisations to process personal data securely through appropriate, risk-based technical and organisational measures that protect confidentiality, integrity, and availability. This includes restricting access, using secure transfer methods, and regularly testing controls.

This means that: When transferring sensitive data, such as respondent bank details for incentive payments, the responsibility for processing this information securely remains with the organisation, even if a respondent agrees to provide details in an unsecure manner (e.g. a standard email).

Further details: Art. 32 GDPR – Security of processing - General Data Protection Regulation (GDPR)

 

Upcoming Training and Conference Activity

Essential Ethics Workshop | Thursday 19 March 2026 | 13.00 - 17:00 | Online 

Understanding the principles and theory of compliant Market Research is one thing; feeling confident in the practical application of the guidelines can be another. This half-day online workshop is designed to help you put theory into practice.

Ethics at the BHBIA Annual Conference | 27 - 28 April 2026 | Birmingham

Look out for the Ethics & Compliance Committee stand at the BHBIA Annual Conference. Come and have a chat with the team, we’d love to hear your thoughts. There will be an Ethics-based quiz with a magnificent prize!

The BHBIA’s Ethics & Compliance Committee provides guidance as general information for its members. It is not legal advice and should not be relied upon as such. Specific legal advice should be taken in relation to any specific legal problems or matters. Whilst every reasonable effort is made to ensure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the BHBIA.