The Data (Use and Access) Act 2025 (DUAA) was introduced with the intention of creating a modern digital government that promotes economic growth and makes lives easier while maintaining high standards of data protection.
The DUAA came into force on 19 June 2025, marking a significant moment in the UK’s post-Brexit approach to data protection. The DUAA aims to modernise and streamline data protection laws while maintaining compatibility with EU standards so that seamless EU-UK data transfers can continue.
The DUAA amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations 2003 (PECR). The DUAA not only makes changes to the UK’s data protection and privacy laws, but it also introduces new frameworks for digital identity verification and Smart Data schemes, aiming to support data use across multiple sectors.
While certain provisions came into force on 19 June 2025 – in particular changes to Data Subject Access Requests (DSARs) – most changes will be phased in via secondary legislation, with the Department for Science, Innovation and Technology (DSIT) publishing an implementation timeline.
What are the key changes brought about by the DUAA?
DSARs
Businesses are now only required to carry out “reasonable and proportionate” searches when responding to DSARs. The 1-month response deadline may be paused if the controller needs to seek further information from the requestor (for example, to verify their identity or clarify the request’s scope).
Automated decision-making (ADM)
The DUAA replaces Article 22 of the UK GDPR, which gives individuals the right not to be subject to decisions based solely on ADM where those decisions produce a significant legal effect (for example, a recruitment test run on pre-set algorithms). The most significant change is that the prohibition on taking automated decisions with a legal or similarly significant effect will only apply if the decision is based entirely or partly on special categories of personal data (including data on health, racial or ethnic origin, genetic data and biometric data). However, it should be noted that this comes with new transparency and procedural safeguards. For example, individuals must be informed about decisions taken using ADM, of their right to contest those decisions and of their right to seek human intervention. In practice, this new regime broadens the scope for using ADM, although a more restricted regime still applies to ADM involving special category personal data.
Legitimate Interest
The DUAA amends Article 6 of the UK GDPR to establish a category of “recognised legitimate interests” for which no legitimate interest assessment (balancing test) is required. The list of recognised legitimate interests includes sharing data in relation to national security, emergency response and safeguarding vulnerable people.
There is also a separate list of activities where legitimate interest may be relied upon (including intra-group data sharing for administrative purposes, direct marketing and processing to ensure network and information security), but these still require a legitimate interest assessment.
Purpose Limitation
The DUAA restates GDPR provisions on the “purpose limitation”. This is one of the various ways in which the GDPR limits the use of personal data – the purpose limitation requires that personal data is collected for specified, explicit and legitimate purposes and should not be processed for additional purposes which are not compatible with the original ones. The DUAA sets out factors to be considered in determining whether a new purpose for processing data is compatible with the original purpose. It introduces a list of purposes deemed compatible without a separate compatibility assessment which includes archiving in the public interest and regulatory compliance activities.
International data transfers
The DUAA introduces a new “data protection test”. The UK may now deem a country or organisation adequate if the level of data protection in the third country/organisation is not “materially lower” than UK standards, which marks something of a move away from the EU’s essential equivalence threshold.
Children’s data
New duties are introduced for information society services that are likely to be accessed by children, building on existing obligations under Article 25 of the UK GDPR. Providers of these services must maintain high privacy settings by default, avoid profiling and ensure data minimisation.
Complaints handling
Data subjects will now have to raise their complaint with the data controller first, before lodging it with the ICO. Controllers must:
- Have a formal complaints procedure (such as an online complaint form).
- Acknowledge complaints within 30 days.
- Inform complainants of the steps they are taking and keep them updated on the progress of their investigation into the complaint.
Scientific research
The DUAA makes it clear that the definition of scientific research includes commercial scientific research, privately funded research and any research that can reasonably be described as scientific. Consent requirements have been amended so that consent may be scoped more broadly, covering situations where it is not possible to fully identify the data processing purposes at the time personal data is collected.
Charities marketing
Once the provisions relating to marketing by charities come into force, charities will be able to benefit from the soft opt-in exception when sending direct marketing emails. This could be a game changer for how they utilise their electronic marketing for fundraising and engagement strategies.
PECR reforms
Certain low-risk, non-essential cookies no longer require prior consent, for example cookies used to improve the functionality of a website and those used for statistical or security purposes. This will allow businesses to simplify cookie banners, but it is important to note that users must still be given information about why cookies are being used, as well as the ability to opt out. User consent will still be required for third-party tracking cookies, profiling cookies and targeted advertising.
The maximum fines for breaches of PECR will increase to GDPR levels (i.e. the higher of £17.5 million or 4% of global annual turnover). This will mean a tougher enforcement stance against unlawful electronic marketing (e.g. unsolicited emails, cold calls, SMS).
What approach should UK businesses take?
Businesses should familiarise themselves with the DUAA’s provisions, track the implementation timeline and monitor the ICO’s guidance as it becomes available on these changes. Businesses should also ensure compliance with the DUAA by reviewing and updating their internal policies, procedures, contracts, training materials, cookie policies and data transfer frameworks.
We will provide further information and updates as the DUAA’s changes continue to take effect. Nonetheless, businesses should be reviewing their policies and procedures now to ensure compliance and identify where they may be able to take advantage of the upcoming changes to innovate further (e.g. in relation to ADM).
If you have any queries about the DUAA and how it might impact your business, want support with updating your data protection and privacy documentation or would like a tailored training session to become DUAA ready, please feel free to reach out to the team at [email protected]