After an eight-month Parliamentary journey, the Data (Use and Access) Act 2025 ("DUAA") received Royal Assent on 19 June 2025. It has been hailed by DSIT (the Department for Science, Innovation and Technology) as a new law that will "make life easier".
This blog summarises the main changes introduced. The DUAA is not replacing the existing laws of the UK GDPR, the Data Protection Act 2018 and PECR (Privacy and Electronic Communications Regulations) but rather amending aspects of them (see below for detail).
With the exception of the new provisions regarding searches for personal data when dealing with a data subject access request, which came into force when the Act was passed on 20th June 2025, the remaining changes described below will come into force in phases over the next two to twelve months (details not yet available).
How does the law change?
'Off the shelf' (and other) legitimate interests
- There is a new lawful basis introduced for "recognised legitimate interests", which will relate to areas such as safeguarding vulnerable individuals, security and defence, crime as well as emergencies. No legitimate interest assessment ("LIA") will be required in these instances.
- The DUAA also recognises direct marketing, intra-group transfers and security as examples of processing activities necessary for the legitimate interests of controllers. These will still however require an LIA.
Individuals' rights – searches and timescales relaxed
- The DUAA introduces a 'stop the clock' provision whereby the 1-month timeframe to respond to a DSAR will stop counting while the controller seeks any necessary clarifications from the individual.
- Furthermore, searches for the dataset in scope are to be 'reasonable and proportionate', codifying long-standing ICO guidance.
More flexibility to reuse personal data
- Changes will allow organisations to not provide transparency information when further processing personal data for certain limited processing purposes, such as scientific or historical research, if providing a notice is impossible or would involve a disproportionate effort.
- The rules on purpose limitation, and on when an organisation can consider a new use compatible with the original purpose, receive some restructuring and amendments.
Data transfers - the bar is set lower
- Adequacy decisions can now be issued by the Government if the standard of data protection in a third country or international organisation is "not materially lower" than the UK's, as opposed to the existing "essentially equivalent".
- This same "data protection test" will also apply to exporting controllers or processors undertaking transfers under SCCs or BCRs, which should make compliance a little easier especially with the provision that they can apply this test "reasonably and proportionately".
ADM – many restrictions removed
- Another area where the compliance burden will be eased is in relation to automatic decision making leading to significant decisions ("ADM"). ADM is now not restricted unless special category data is used (subject to the existing exemptions). Where there is no special category data, ADM can take place without restriction but subject to some safeguards (such as transparency and the ability to seek human intervention and contest the decision).
Stronger protection for children by design
- The DUAA sets out an explicit requirement to be applied by those designing online services likely to be accessed by children whereby they will have to take into account how to best protect and support children.
e-privacy: relaxing of rules but higher fines
- You will not be required to obtain consent to serve cookies for activities linked to the improvement of the functionality of a website or for statistical purposes (i.e. analytics purposes).
- Fine levels for the breach of e-privacy rules under PECR increase from £500,000 to the UK GDPR levels, i.e. up to £17.5 million or 4% of global turnover.
Better certainty for processing data for scientific research
- The DUAA makes it clear that the definition of scientific research includes commercial scientific research.
- Furthermore, consent may be scoped more broadly, in acknowledgement that the purposes for processing data in scientific studies sometimes change.
Next steps:
While each controller/processor will decide, in due course, whether their data protection compliance efforts become 'easier' under the DUAA, there is no doubt that the DUAA does offer opportunities for using and re-using personal data more flexibly and provides clarity about the interpretation of some requirements that will benefit many.
In the ICO's own words, the DUAA "offer(s) you an opportunity to do things differently, rather than needing you to make specific changes to comply". It remains to be seen whether global organisations will adapt their compliance programme for their UK operations in order to benefit from lower compliance standards.
Our recommendation is that organisations map out the impact (the good and the bad) against their data protection compliance programme and stay tuned to the forthcoming ICO guidance, in relation to which the ICO has also set out a timetable (see below).
Useful resources
- ICO guidance: UK organisations stand to benefit from new data protection laws | ICO
- ICO guidance timetable: Our plans for new and updated guidance | ICO
- UK Gov factsheet: Data (Use and Access) Act factsheet: ICO - GOV.UK