Changes to non-disclosure agreements

New legislation will come into effect on 1 October 2025 which affects confidentiality clauses, also known as non-disclosure agreements. The government has published guidance which explains the changes and what they will mean for businesses and individuals who use non-disclosure agreements.

The legislative change makes clear in statute that non-disclosure agreements cannot be enforced insofar as they seek to prevent victims from reporting the crime to the police. The changes also extend these protections to certain other disclosures, including those necessary for victims to access confidential advice and support needed to cope and recover from the impact of crime. Non-disclosure agreements signed on or after 1 October 2025 will be legally unenforceable to the extent that they seek to prevent such disclosures.

To prepare for the change in law from 1 October 2025, businesses should:

• Familiarise themselves with the change in the law and ensure that they understand what the implications are for their business
• Update relevant internal guidance on the use of non-disclosure agreements to ensure it reflects the new law
• Ensure that any non-disclosure agreement and general contract templates comply with the new law. Best practice will be to make clear on the face of the non-disclosure agreement what parties are able to disclose in particular circumstances and make clear what those circumstances are.

UK organisations stand to benefit from new data protection laws

The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services.

Changes to the law include clarifying how personal information can be used for research; lifting restrictions on some automated decision making; setting out how to use some cookies without consent; allowing charities to send people electronic mail marketing without consent in certain circumstances; requiring organisations to have a data protection complaints procedure and introducing a new lawful basis of recognised legitimate interests.

Government will phase implementation of the new law, commencing different changes using secondary legislation. While most provisions are expected to come into force either two or six months after Royal Assent, some may take up to 12 months.

The DUAA provides amendments, but does not replace, the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations. These changes are designed to make data protection law clearer and more flexible for organisations, while maintaining strong safeguards for individuals.