UK Data (Use and Access) Act 2025: Navigating changes to the data protection landscape

The UK Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. Building upon the Data Protection Act 2018 and UK GDPR, DUAA introduces targeted changes to the data protection landscape aimed at fostering business growth. Such changes will be brought about in stages, with provisions expected to come into force between June 2025 and June 2026.

The changes implemented by DUAA will have implications for data controllers and processors alike. Therefore, this article offers practical guidance for businesses (where relevant) alongside a concise overview of the key changes DUAA will introduce to data protection.

Recognised legitimate interests

DUAA introduces ‘recognised legitimate interests’ as a new lawful basis for data processing. This is separate from the existing legitimate interest lawful basis. Essentially, it exists as a pre-approved list of interests which are automatically legitimate. As a result, traditional legitimate interest assessments will not be required.

Such ‘recognised legitimate interests’ include national security, public security, defence, safeguarding children or individuals at risk, responding to emergencies and preventing or detecting crime.

ICO restructuring

DUAA restructures the ICO, establishing the Information Commission (IC). This will move the ICO from a single-commissioner model to a board-led model, therefore aligning the ICO with the approach taken by other UK regulators.

Complaints

If data subjects wish to complain that their UK GDPR rights have been breached, DUAA now requires that they complain to the data controller in the first instance (rather than directly to the ICO).

In light of this, data controllers must have a process in place to manage such complaints. DUAA requires a complaint form which can be completed electronically as well as by other non-electronic means. The controller must acknowledge receipt of the complaint within 30 days, take appropriate steps to address the complaint, and inform the subject of the outcome of the complaint.

Practical guidance: Establish a complaints-handling procedure which complies with DUAA. Ensure that employees are trained to manage complaints in line with the new procedure/requirements.

Data subject access requests (DSARs)

DUAA codifies the requirement for data controllers to carry out ‘reasonable and proportionate’ efforts in response to DSARs. In effect, this means that controllers do not need to carry out disproportionate searches. Rather, the extent of their searches should be based on context and resources.

DUAA now allows a data controller to require a data subject to clarify what they are looking for, resulting in a more targeted DSAR. When a controller makes such a request, the one-month period within which the controller must respond to the DSAR is paused and does not resume until the subject clarifies the request.

Practical guidance: Review DSAR protocols in light of DUAA.

Automated decision-making (ADM)

DUAA relaxes UK GDPR’s restrictions on ADM, allowing important decisions through automated processes where the following appropriate safeguards are implemented:

Firstly, individuals must be provided with comprehensive information regarding decisions made through ADM.

Secondly, individuals must be able to make representations and challenge decisions made by ADM systems.

Thirdly, individuals must have the right to seek human intervention concerning ADM decisions.

ADM remains restricted for special categories of data, e.g. health-related information.

Practical guidance: Review and, where necessary, update ADM policies, implementing the safeguards above as part of any update. Ensure that automated systems are regularly audited.

Cookies

DUAA expands the circumstances in which consent for certain cookies is not required. Namely, consent is not required for cookies used for collecting statistical information to improve the service; functional purposes, such as improving the website display; and locating the geographical position of a subscriber or user in response to emergency communication.

For statistical and functional purposes, website operators must give users detailed information about the tracking's purpose and provide a free option to opt out.

Practical guidance: Consider whether your cookie notice needs to be updated in light of these changes.

International data transfers

DUAA introduces a new data protection test for international transfers. Businesses should apply this new test when undertaking a transfer risk assessment, assessing the standard of protection in the third country to which the personal data is being transferred.

The test assesses whether the protection level in non-UK countries is ‘not materially lower’ than that of the UK GDPR, thereby simplifying the transfer process while maintaining adequate safeguards.

It is not yet clear what ‘not materially lower’ means. However, this appears to be a lower standard than that adopted by EU GDPR which requires a regime to be ‘essentially equivalent’.

Privacy and Electronic Communications Regulations (PECR) fines

DUAA aligns the PECR enforcement regime with the UK GDPR. Notably, this means the maximum fines for breaches of PECR’s direct marketing rules are now up to £17.5M or 4% of the total worldwide annual turnover of the undertaking in the previous year (whichever is higher).

Conclusion

DUAA does not represent an overhaul to UK GDPR. However, there are significant issues for businesses to consider surrounding complaints handling, DSARs, ADM, cookies, and international data transfers. Businesses should review internal policies to ensure that they are ready to comply with any changes brought about by the Act.