
The Data Use and Access Act 2025 changes how UK organisations handle personal data, complaints, AI, cookies, and transfers. It is designed to modernise the UK’s digital framework, boost economic growth, and simplify compliance without weakening core protections.

Overview of the Data Use and Access Act 2025 (DUAA)

The Data Use and Access Act 2025 received royal assent on 19 June 2025. The exact date matters because the law is being commenced in phases, and organisations must apply the legislation in force at the relevant date.

The Data (Use and Access) Act 2025 amends but does not replace the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, PECR, and the rules for law enforcement processing and intelligence services processing. In short, the existing data protection framework remains, but key procedures and lawful bases change.

DUAA makes compliance more flexible while maintaining high data protection standards for data subjects. It supports smart data schemes, digital verification services, research data sharing, and projects such as the national underground asset register.

For UK businesses, the message is simple: do not treat DUAA as a minor update. Data Privacy Services is already helping clients assess DUAA-readiness, update privacy notices, and review how personal data is processed.

Simplified UK Data Protection Regime under DUAA

DUAA streamlines parts of data protection legislation, including accountability, definitions, and documentation for some lower-risk data processing. It does not remove the six principles of UK data protection, but it changes how organisations evidence compliance in some areas.

The Act affects the relationship between UK GDPR, the Data Protection Act 2018 and PECR. It also creates divergence from EU GDPR, which means organisations operating in the UK and EU member states should avoid assuming one policy fits both regimes.

Some controller and processor obligations around DPIAs, records, and DPO appointments are adjusted. Organisations should reassess whether existing governance still meets data protection requirements and whether they can demonstrate appropriate safeguards.

The Information Commissioner’s Office (ICO) regulates data protection law in the UK, ensuring compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation. The ICO provides guidance and resources, including updates on legislative changes and best practice, and can issue fines or take legal action against organisations that violate data protection laws.

Data Privacy Services can run a DUAA gap analysis comparing current GDPR compliance with the post-2025 regime, then provide prioritised recommendations.

Key DUAA Changes to Core Data Protection Concepts

DUAA adjusts core concepts under UK law, including lawful bases, legitimate interests, scientific research, and how organisations collect information for explicit purposes.

A major change is recognised legitimate interests, a new lawful ground for processing personal data that allows businesses to use data for crime prevention, safeguarding, responding to emergencies, and other specified legitimate interests. This interacts with existing data protection laws and simplifies compliance, but necessity, transparency, minimisation, and the original purpose still matter.

The existing lawful ground of legitimate interests remains available, alongside consent, contract, legal obligation, vital interests, and public task. However, recognised legitimate interests reduces the balancing burden for listed public interest activities.

The DUAA clarifies the legal definition of scientific research to include commercial research, allowing broader consent for long-term studies and families of related projects. This is useful for life sciences, product testing, and analytics, but processing special categories or sensitive information still needs care.

DUAA also aligns terminology across general data processing, law enforcement processing, and intelligence services processing. Privacy notices, Article 30 records, DPIA templates, and policies explaining how personal data is used should be revised.

Automated Decision Making and AI under the Data Use and Access Act 2025

DUAA reforms automated decision making by narrowing the general prohibition on solely automated significant decisions so that it applies only to processing that involves “special category” data, such as medical records.

This creates more room for automated processing in credit scoring, fraud checks, recruitment screening, and AI-supported risk scoring. The Act also allows for clearer legal standards around training data for AI, providing tech companies with pathways to test and deploy AI workflows.

Where special category data or biometric data is involved, organisations may still need explicit consent or another strong condition. Data subjects must usually have certain safeguards, including human intervention, the ability to express their view, and a route to contest significant decisions.

National security and law enforcement agencies may have limited exceptions, but oversight remains important. The ICO is expected to produce codes and updated guidance on AI, ADM, and governance.

Data Privacy Services can audit AI and ADM tools, review algorithmic impact assessments, and train product, HR, legal, and data science teams.

Subject Access Requests, Complaints and Data Subjects’ Rights

DUAA modifies how organisations respond to data subjects, especially subject access requests and data protection complaints.

The Act codifies that organisations are only required to conduct reasonable and proportionate searches when responding to Data Subject Access Requests (DSARs). The DUAA also clarifies the time limits for organisations to respond to subject access requests, including a ‘stop the clock’ rule that allows organisations to pause the response time if they need more information from the requester. This interacts with the existing frameworks of the UK GDPR and the Data Protection Act 2018.

For example, if a former employee sends a broad SAR asking for “everything ever held about me”, HR can ask for clarification and pause time limits until the individual replies. The search must be reasonable and proportionate, not unlimited.

The Act requires organisations to handle complaints from individuals regarding breaches of data protection legislation, including providing an electronic complaint form and informing the individual about the outcome of their complaint. Responses should be made without undue delay.

Core rights remain: access, rectification, erasure, objection, data portability, rights to restrict processing, and rights linked to automated decision making. Data Privacy Services can redesign SAR playbooks and train frontline teams.

Cookies, Storage & Access Technologies and PECR Changes

DUAA amends PECR for cookies and similar access technologies used by online services.

Some low-risk tools, such as essential analytics, security logs, load balancing, and first-party service statistics, may be allowed without prior consent if transparency is prominent. However, targeted advertising, cross-site tracking, and profiling cookies will generally still need consent.

The DUAA raises penalties for breaches of electronic privacy and direct marketing, aligning them with UK GDPR standards. Organisations should review cookie banners, vendor contracts, CMP settings, and customer data flows.

Data Privacy Services can perform cookie audits, update wording, and help configure consent management platforms for the DUAA-era PECR regime.

Law Enforcement, Intelligence Services and National Security Provisions

DUAA introduces targeted changes to Parts 3 and 4 of the UK data protection act framework, affecting law enforcement processing and intelligence services processing.

The aim is to modernise rules for police, criminal justice bodies, and security agencies while maintaining international data protection standards. These provisions affect national security operations, lawful disclosures, and information sharing.

Commercial organisations may still be affected when responding to law enforcement data access requests. Templates, escalation routes, and verification checks should be reviewed.

The Information Commissioner’s Office remains central to oversight. The ICO gains enhanced powers, including the ability to issue interview notices and mandate independent investigation reports.

International Data Transfers, EU Adequacy and Divergence from EU GDPR

DUAA refines international transfer rules and allows easier international data transfers if the recipient country’s data protection standards are not materially lower than the UK’s, moving away from the rigid EU adequacy mechanism.

This may simplify some transfers, but organisations must still assess risk and maintain appropriate safeguards. Transfer documentation should reflect UK law and any separate EU GDPR obligations.

As of July 2025, the European Commission signalled that it was minded to maintain UK adequacy, subject to scrutiny by the European Data Protection Board and EU institutions.

Because DUAA creates divergence from EU GDPR, organisations operating across borders may need separate UK and EU SCCs, addenda, policies, and transfer risk assessments.

Data Privacy Services can map transfers, review supplier contracts, and update Records of Processing Activities.

Implementation Timeline and Transitional Considerations

DUAA provisions are being commenced in stages after Royal Assent on 19 June 2025. Some changes apply earlier, while others depend on secondary legislation and ICO guidance.

Organisations must familiarise themselves with the changes introduced by the DUAA and incorporate them into their privacy programmes and compliance plans, as the law will be applied as it stands at the time of any infringement.

Key milestones include Royal Assent, phased commencement of SAR and complaint reforms, updated ICO objectives and powers, staged PECR changes, and later rollout of smart data schemes.

Maintain a living action plan, track DSIT and ICO updates, and assign owners for legal, security, marketing, HR, and product changes.

Practical Steps for UK Businesses: Updating Policies and Programmes

DUAA requires a structured response across data protection and information security. Start with an impact assessment covering ADM, profiling, transfers, research, cookies, complaints, and subject rights.

Update privacy notices, cookie policies, SAR procedures, complaint routes, DPIAs, retention schedules, incident response plans, and international transfer documentation.

Review accountability records, including Records of Processing Activities and legitimate interests assessments, especially where recognised legitimate interests are used.

Refresh staff training for teams involved in processing, product design, marketing, HR, security, and compliance decisions.

How Data Privacy Services Can Help You Navigate DUAA

Data Privacy Services, trading name of Data Privacy and Data Security Services Ltd, is a UK-based specialist in GDPR, data protection, and information security consultancy for private and public sector organisations.

We support DUAA readiness assessments, policy updates, cookie audits, AI and automated decision making reviews, international transfer remediation, and PECR alignment. We can also help with complex SARs, complaints, ICO engagement, and inspection preparation.

Our ongoing services include DPO as a Service, CISO-as-a-Service, ISO 27001-aligned security audits, cybersecurity training, and bespoke data protection consultancy.

If you want to bring your data protection programme up to date for 2025–2026, contact Data Privacy Services for a free initial GDPR/DUAA audit or to discuss a tailored support package.
