
ASK MAT: What’s Changed in UK Data Protection with the “Data (Use and Access) Act 2025” (DUAA)
20/08/2025
The Data (Use and Access) Act 2025 (DUAA), enacted on 19 June 2025, marks a significant evolution in UK data protection law.
While it amends rather than replaces the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018), and Privacy and Electronic Communications Regulations (PECR), the DUAA introduces reforms that reshape how organisations process personal data, manage subject access requests, handle cookies, and apply legitimate interests.
EXECUTIVE SUMMARY
- The DUAA introduces evolutionary changes to UK data protection, balancing innovation with robust protections.
- By refining lawful bases, easing cookie and DSAR burdens, and modernising ADM and data transfer rules, it offers opportunities for efficiency while maintaining GDPR alignment.
- Organisations should act promptly to update compliance frameworks, leveraging the staged implementation (2–12 months from June 2025) to ensure readiness.
- Regular monitoring of ICO guidance and EU adequacy developments will be critical to navigating this new landscape effectively.
MAT SAYS
- What I can do is outline the key changes, their implications, and practical steps for organisations to adapt their compliance frameworks, ensuring readiness for the new regulatory landscape while avoiding potential missteps.
What the DUAA Changes (and What It Leaves Intact)
The DUAA refines the UK GDPR, DPA 2018, and PECR, maintaining their core principles while introducing targeted changes to streamline compliance, encourage innovation, and balance data protection with economic growth. It does not overhaul the fundamental requirements of data protection, such as the need for Data Protection Officers (DPOs), Records of Processing Activities (ROPAs), or adherence to individual rights.
Key changes include:
- Clarifications and New Provisions: The DUAA introduces concepts like “recognised legitimate interests,” broad consent for research, and relaxed rules for automated decision-making (ADM) and cookies, aiming to reduce administrative burdens.
- Preservation of Core Framework: The principles of lawfulness, fairness, transparency, and data minimisation remain intact. Organisations must still comply with existing obligations for data subject rights, data breach notifications (within 72 hours), and DPIAs for high-risk processing.
- Modernisation and Flexibility: The DUAA supports digital verification services, smart data schemes, and a new “data protection test” for international transfers, aligning with post-Brexit economic goals.
What Remains Unchanged:
- The UK GDPR’s hierarchy of lawful bases, the requirement for explicit consent in specific contexts (e.g., special category data), and the Age Appropriate Design Code (AADC) for children’s data protection remain largely unaffected.
- However, the DUAA reinforces the need to consider children’s needs explicitly in online services.
Research, Broad Consent, and New Lawful Bases for Processing
The DUAA enhances flexibility for data processing, particularly in research and legitimate interests:
- Broad Consent for Research: The DUAA codifies “broad consent” for scientific research (including commercial research) in the UK GDPR, allowing individuals to consent to an area of study rather than specific projects, provided ethical standards are met. This is a shift from the recitals to a legally binding text, offering clarity for researchers. Organisations can also reuse personal data for research without issuing new privacy notices if doing so would involve disproportionate effort, provided safeguards like data minimisation and pseudonymisation are in place.
- Recognised Legitimate Interests: A new lawful basis under Article 6(1)(ea) UK GDPR introduces “recognised legitimate interests” (RLIs), such as national security, crime prevention, safeguarding vulnerable individuals, and emergency response. These do not require a Legitimate Interests Assessment (LIA), reducing compliance burdens. Additionally, direct marketing, intra-group data transfers, and cybersecurity are explicitly recognised as potential legitimate interests, though an LIA is still required for these unless they fall under RLIs.
- Purpose Limitation: The DUAA clarifies that further processing for scientific, historical, or statistical research is presumed compatible with the original purpose, provided safeguards are met, facilitating data reuse.
Implications:
- Organisations involved in research or relying on legitimate interests should review their lawful bases and update privacy notices to reflect these changes. For direct marketing, compliance with PECR remains critical, as consent is still required for specific channels (e.g., email, SMS).
Changes to Subject Access Rights and Proportionality
The DUAA introduces a “reasonable and proportionate search” standard for Data Subject Access Requests (DSARs), effective immediately upon Royal Assent:
- Reasonable and Proportionate Search: Article 15(1A) UK GDPR codifies existing case law, allowing organisations to limit DSAR searches to what is reasonable and proportionate, reducing the burden of handling complex or voluminous requests.
- Complaints Handling: Organisations must implement formal complaints procedures, including electronic forms, acknowledge complaints within 30 days, and respond without undue delay. This strengthens data subject rights and requires robust processes.
Implications:
- Organisations should update DSAR procedures to align with the proportionality standard and establish or refine complaints handling processes, ensuring staff are trained to meet the new timelines.
Cookie Rules, Soft Opt-In for Charities, and PECR Fines
The DUAA significantly amends PECR, particularly around cookies and direct marketing:
- Cookie Consent Exemptions: Regulation 6(1) PECR now exempts certain “low-risk” cookies from requiring consent, including those for analytics, site optimisation, fraud detection, and emergency location services. These must be strictly necessary and proportionate, with clear opt-out options provided. Existing cookie banners and policies should be reviewed to leverage these exemptions.
- Soft Opt-In Expansion: The soft opt-in rule, previously limited to commercial entities, now extends to charities, political parties, and non-profits. These organisations can send marketing emails or texts without explicit consent if contact details were obtained during a prior interaction, the marketing relates to similar activities, and an opt-out is provided.
- Increased PECR Fines: Fines for PECR breaches are aligned with UK GDPR, rising from £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher. This increases the stakes for non-compliance in cookie usage and direct marketing.
Implications:
- Organisations should conduct cookie audits to identify exempt categories, update consent management platforms, and revise marketing practices to comply with the soft opt-in rules. Robust PECR compliance is critical given the higher fines.
Automated Decision-Making and AI Compliance Under the DUAA
The DUAA reforms automated decision-making (ADM) by replacing Article 22 UK GDPR with Articles 22A–22D, offering greater flexibility:
- Expanded Lawful Bases: Organisations can use any lawful basis (e.g., legitimate interests) for ADM with significant effects, except for special category data, which remains restricted unless explicit consent, contractual necessity, or legal requirements apply.
- Safeguards: Organisations must provide transparency about ADM decisions, allow data subjects to make representations, contest decisions, and request human intervention. These safeguards also apply to law enforcement processing, with limited exemptions (e.g., national security).
- AI and ADM: The DUAA supports AI-driven innovation but requires robust safeguards to ensure fairness, particularly as new statutory codes for ADM are expected following sector consultations.
Implications:
- Organisations using ADM or AI should implement safeguards, update privacy notices to disclose ADM processes, and monitor forthcoming ICO guidance expected in Spring 2026. Special category data processing requires stringent controls.
Data Transfers and Adequacy Under the New “Data Protection Test”
The DUAA revises the international data transfer regime:
- New “Data Protection Test”: The standard for adequacy decisions shifts from “not undermined” to “not materially lower” than UK protections, potentially broadening the range of approved destinations. Transfers using safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) require a transfer impact assessment based on this test.
- EU Adequacy Concerns: The EU extended its adequacy decision for the UK to 27 December 2025 to assess the DUAA’s impact. While the changes are modest, any perceived lowering of standards could risk this status, affecting EU-UK data flows.
- Ongoing Monitoring: The Secretary of State will conduct ongoing monitoring of adequacy decisions, replacing the four-year review cycle, and can recognise new transfer mechanisms via secondary legislation.
Implications:
- Organisations should review international transfer mechanisms, update SCCs, and monitor EU adequacy developments. No immediate action is required, but preparedness for potential changes is advisable.
Best Practice Preparation Steps and DUAA Readiness Checklist
To adapt existing GDPR and DPA 2018 compliance frameworks and ensure DUAA readiness, organisations should:
- Review Lawful Bases and Privacy Notices:
  - Update privacy notices to reflect RLIs, broad consent for research, and ADM processes.
  - Assess whether direct marketing can rely on legitimate interests, ensuring PECR compliance for email/SMS marketing.
- Conduct Cookie Audits:
  - Identify cookies qualifying for low-risk exemptions and update consent banners and policies.
  - Ensure precise opt-out mechanisms are in place.
- Update DSAR and Complaints Processes:
  - Implement a “reasonable and proportionate” approach to DSARs.
  - Establish electronic complaint forms and train staff on the 30-day acknowledgement requirement.
- Enhance ADM Safeguards:
  - Implement transparency, contestation, and human intervention mechanisms for ADM.
  - Review AI systems for compliance with new safeguards, especially for special category data.
- Assess International Data Transfers:
  - Review SCCs and BCRs against the “data protection test.”
  - Monitor EU adequacy developments and prepare for potential compliance adjustments.
- Strengthen Children’s Data Protections:
  - Ensure online services comply with the AADC and DUAA’s explicit requirements for children’s data.
- Monitor ICO Guidance:
  - Stay informed on ICO updates expected in Winter 2025/26 (e.g., cookies, legitimate interests) and Spring 2026 (ADM).
- Conduct Training and Audits:
  - Train staff on DUAA changes, particularly DSARs, complaints, and PECR compliance.
  - Perform a GDPR gap analysis to identify vulnerabilities and align with DUAA requirements.
Avoiding Missteps:
- Over-Reliance on RLIs: Conduct LIAs for non-recognised legitimate interests (e.g., direct marketing) to avoid non-compliance.
- Neglecting PECR: Ensure consent for non-exempt cookies and marketing channels to avoid hefty fines.
- Ignoring EU Adequacy: Monitor EU developments to prevent disruptions in cross-border data flows.
- Inadequate Safeguards: Implement robust ADM safeguards to protect data subject rights and avoid enforcement action.
Conclusion
- The DUAA introduces evolutionary changes to UK data protection, balancing innovation with robust protections.
- By refining lawful bases, easing cookie and DSAR burdens, and modernising ADM and data transfer rules, it offers opportunities for efficiency while maintaining GDPR alignment.
- Organisations should act promptly to update compliance frameworks, leveraging the staged implementation (2–12 months from June 2025) to ensure readiness.
- Regular monitoring of ICO guidance and EU adequacy developments will be critical to navigating this new landscape effectively.
SOURCE
For the latest ICO guidance expected in Winter 2025/26 and Spring 2026, monitor the ICO website: https://ico.org.uk