Navigating the Data Use and Access Act (DUAA) 2025: What you need to know

What is the UK Data Use and Access Act?

The UK Data Use and Access Act builds upon the UK GDPR, and introduces nuanced adjustments to the current regime to modernise data governance and ensure alignment with EU standards. This alignment is critical to preserving the United Kingdom’s adequacy status, which allows the continued flow of personal data from the European Union to the United Kingdom. 

The new legislation does not constitute a significant departure from the United Kingdom’s existing data protection framework: it amends rather than replaces the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

Certain changes in the Act could affect your organisation’s data handling, sharing and compliance obligations in the UK. The changes may signal a shift in data management policies, requiring adjustments to your compliance frameworks and operational processes. Liaising closely with your Data Protection Officers (DPOs) to monitor forthcoming guidance from the Information Commissioner’s Office (ICO) will be key.

Now is an opportune moment to assess your internal practices, particularly in areas such as legitimate interests and the handling of Data Subject Access Requests, and to reinforce the robustness of your data governance framework.

What does the DUAA include?

Introduction of Recognised Legitimate Interests

The Act introduces ‘Recognised Legitimate Interests’ as a new legal basis for data processing. It specifically allows certain security-related activities like fraud prevention, public safety, and national security to be considered legitimate interests by default, potentially without requiring a Legitimate Interests Assessment (LIA). The DUAA simplifies the process for organisations to rely on legitimate interests but it does not eliminate the need for an LIA in all cases.

Currently, this new legal basis explicitly applies to private organisations and does not appear to extend to public authorities. This potentially excludes NHS organisations and further clarification will be needed regarding the impact on NHS-held health data.

Additionally, the DUAA recognises direct benefits for organisations involved in direct marketing, intra-group administrative purposes and ensuring network security by making it clearer that such processing activities may qualify under legitimate interests.

The DUAA still requires organisations to assess whether an individual’s rights override their business interests when relying on legitimate interests for marketing. This process, known as the balancing test, requires data controllers to evaluate the impact on individuals before using legitimate interests as a legal basis, to ensure that the processing does not override their fundamental rights and freedoms.

Finally, the DUAA does not override the existing Privacy and Electronic Communications Regulations (PECR), which still require consent for certain marketing channels such as email and SMS marketing. The rules for general commercial direct marketing remain unchanged, meaning that in many cases explicit consent will still be required under PECR.

Changes to Data Subject Access Requests (DSARs)

Processing Data Subject Access Requests (DSARs) can be costly and time-consuming due to the large volume of data typically involved. 

Under the existing UK GDPR framework, organisations are required to respond to DSARs without undue delay and within one calendar month of receipt. The DUAA retains this timeframe but introduces the “reasonable and proportionate” search principle for responses.

The DUAA clarifies that organisations are required to conduct “reasonable and proportionate” searches when responding to DSARs. This means that while organisations must make genuine efforts to locate and provide the requested personal data, they are not obligated to conduct exhaustive searches that would impose an excessive burden. This clarification aligns with the guidance of the Information Commissioner’s Office (ICO), which states that organisations should perform a reasonable search for the requested information. 

The DUAA also allows organisations to pause the response period in certain circumstances: 

  • When verifying the identity of the data subject 
  • When requesting additional information necessary to process the request
  • When dealing with complex requests or multiple requests from the same individual

Once the necessary information is provided, the response timeframe resumes. Organisations must notify the individual of the delay and provide reasons for the extension within the original one-calendar-month period.

Clarification on Automated Decision-Making

Existing UK GDPR restricts solely automated decision-making (ADM) that has a significant legal effect on individuals, requiring meaningful human oversight for all such processes.

The DUAA clarifies that ‘meaningful human intervention’ necessitates a competent person reviewing automated decisions. This ensures that human oversight in ADM processes is substantive and informed. Organisations using AI-driven processes must uphold transparency and accountability in decision-making. They are also required to inform individuals and comply with non-discrimination laws such as the Equality Act 2010.

The DUAA further specifies that ADM processes involving any type of personal data must still be subject to appropriate safeguards.

Changes to the Protection of Children’s Personal Data

The DUAA introduces several provisions aimed at strengthening the protection of children’s personal data. It defines children’s ‘higher protection matters’ as considerations for how best to safeguard and support children when using services. The DUAA also acknowledges that children may be less aware of the risks and consequences of data processing and have different needs at various stages of development.

Recent developments highlight ongoing efforts to enhance children's data protection:

  • The ICO has launched investigations into platforms such as TikTok, Reddit, and Imgur regarding their handling of children’s data, focusing on content recommendations and age verification methods
  • The ICO introduced the Age-Appropriate Design Code, also known as the Children’s Code, a UK code of practice requiring online services likely to be accessed by children to be designed with their safety and privacy in mind
  • The Online Safety Act is broader in scope and improves online safety for all users but also includes a focus on protecting children. Regulated by Ofcom, the DUAA introduces stricter content moderation requirements for platforms to prevent harm to minors. In December 2024, Ofcom issued its first codes of practice under the DUAA targeting illegal harms such as child sexual abuse and incitement to suicide. The DUAA also mandates age verification measures to prevent children from accessing harmful content, including the use of AI facial checks and email analysis

These initiatives reflect a broader effort to create a safer digital environment for children and to ensure that their personal data is handled with due care and consideration.

Cookies and Other Similar Tracking Technologies

The DUAA expands the scope for implementing cookies and similar tracking technologies without requiring user consent, under certain conditions.

It specifies that cookies used solely for statistical purposes, such as improving services or websites, will be exempt from the consent requirement. However, users will need to be informed of their purpose and be able to opt out easily. The exemptions also cover service improvement, security purposes and emergency assistance. This change aims to reduce compliance burdens for organisations managing cookie regulations.

The DUAA also seeks to standardise enforcement across the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Organisations are advised to ensure compliance with PECR, particularly regarding cookie usage and direct marketing.

Revised International Data Transfer Mechanisms

The DUAA places a strong emphasis on only allowing international data transfers to countries where the protection standard is “not materially lower” than the UK’s. This change is intended to enhance flexibility for businesses engaging in global data exchanges. It could streamline cross-border business operations, but concerns may remain about its potential impact on the EU-UK adequacy decision.

Additionally, the DUAA restricts the Secretary of State’s ability to amend existing transfer safeguards. Any modifications will require secondary legislation to take effect.

Digital Verification Services (Digital ID)

The DUAA establishes a Digital ID Trust Framework to drive innovation and broader adoption of digital identities. This framework aims to streamline regulations for digital verification services, enhance national security measures for provider registration and increase oversight and consultation. Key provisions of the framework include simplifying regulations to make digital verification services more efficient and accessible.

Restructuring the ICO

The DUAA introduces a structural and strategic reform of the ICO. Under the new framework, the ICO will transition from its status as a corporation sole to a corporate body formally established as the Information Commission, led by a Chair and supported by a non-executive board.

Importantly, the Commission will now be required to consider the public interest in driving innovation and supporting competitive markets. This will be in addition to its core responsibilities for safeguarding privacy and upholding data protection standards. The reform is designed to enable more commercially balanced regulatory outcomes and enhance the ICO’s ability to respond effectively to the evolving data economy.

Penalties for Non-Compliance

The DUAA enhances PECR enforcement powers, bringing penalties in line with UK GDPR. It permits fines of up to 4% of global turnover or £17.5 million, whichever is greater, significantly raising potential penalties for non-compliance. 

UK organisations should begin assessing the Act’s potential impact on their data management and compliance frameworks. Because the DUAA amends rather than replaces current UK legislation, organisations must continue to adhere to the existing requirements in addition to these amendments.

How is the Data Use and Access Act being implemented?

Since receiving Royal Assent on 19 June 2025, the UK Government has begun a phased implementation of the DUAA, supported by the Information Commissioner’s Office (ICO) through a structured programme of guidance and consultations. This section summarises the current status of implementation, the ICO’s supervisory approach, and the practical steps your organisation should consider over the next twelve months to ensure readiness and compliance under the evolving framework.

ICO support and programme of guidance

The Information Commissioner’s Office (ICO) has published an initial catalogue of resources to help organisations understand the changes; further guidance, consultations and tools will follow. The ICO regularly updates a central page focused on the DUAA that sets out which guidance is being developed, in what order and when publication is expected.

Recognised legitimate interests and purpose compatibility

Since Royal Assent, organisations have been preparing to operationalise the new lawful basis of recognised legitimate interests, which is set out in an annex to the DUAA and removes the requirement to conduct a legitimate interests assessment for any of the listed acceptable purposes. The DUAA also clarifies that when relying on the standard legitimate interests basis, personal information should only be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. As noted above, a new annex introduces a list of further processing activities that are deemed to be compatible with the original purpose (including crime prevention, public interest tasks, safeguarding of vulnerable individuals, and emergency response), enabling organisations to reuse personal information for those purposes without a new compatibility assessment or having to obtain renewed consent.

Subject access requests and timelines

Organisations are now preparing to apply the DUAA changes to their subject access request policies and processes. This includes conducting reasonable and proportionate searches, applying a revised start point for any response, using the ability to pause the response time to seek necessary clarification from requestors, and applying allowable extensions for complex or multiple requests.

Automated decision making and safeguards

Organisations should be assessing where they may take significant decisions based solely on automated processing, provided appropriate safeguards are in place. These safeguards include providing information about the decision, enabling representations, enabling human intervention and enabling a right to contest. Restrictions on the use of special category personal information remain. Parallel provisions apply to law enforcement and intelligence processing, with specific conditions and safeguards. 

Children’s services and design expectations

Providers of online services that are likely to be used by children should ensure that their technical and organisational measures take account of children’s higher level of protection, their differing needs at different ages and how best to support them when using services.

PECR, cookies and storage and access technologies

The ICO has flagged that its guidance on storage and access technologies, including cookies, tracking pixels, link decoration, device fingerprinting and web storage, is under review in light of the DUAA. The guidance explains when consent is required under the Privacy and Electronic Communications Regulations (PECR) for the use of storage and access technologies such as cookies, when limited exceptions may apply, and how valid consent mechanisms should be designed in practice.

The ICO has also clarified that some cookies and similar technologies may be used without consent in limited circumstances - for example, where they are necessary for communication, essential for providing a service requested by the user, or used to collect information for statistical or performance purposes. In all cases, you should continue to provide clear and comprehensive information to your users and apply appropriate safeguards to ensure transparency and accountability.

International transfers and recognised laws

The DUAA introduces targeted amendments to international transfer provisions, allowing certain data transfers to proceed where the processing is carried out in accordance with recognised foreign laws designated in a new schedule as providing adequate protection. 

Research, broad consent and privacy information

You may want to reassess your research programmes in light of the DUAA’s clarifications to the meaning of scientific, historical and statistical research. It permits broad consent to an area of scientific research where the exact purpose cannot be specified at the outset and where recognised ethical standards are met. It also allows the reuse of personal information for research without providing a privacy notice where doing so would be impossible or disproportionate, provided that appropriate safeguards are applied and public information is available. 

Complaints handling and accountability

The DUAA includes a new requirement for organisations to help individuals make complaints about the use of their personal information - for example, by providing an electronic complaints form. Organisations should acknowledge complaints within thirty days, keep complainants informed and respond without undue delay, which reinforces accountability and transparency obligations. 

ICO powers and regulatory approach

As implementation progresses, the ICO will use an enhanced toolkit, including powers to compel interviews, require technical reports and issue penalties under the Privacy and Electronic Communications Regulations up to £17.5 million or 4 per cent of global turnover. It also introduces changes to notices, assessments and reporting duties, supporting a more modern and effective supervisory regime. 

Practical next steps for your organisation

Make sure to familiarise yourself and your team with the changes introduced by the DUAA and review where they may affect your current compliance frameworks. Key areas to consider include the introduction of recognised legitimate interests, updates to subject access request procedures, and the need for appropriate safeguards when making solely automated decisions. If you are providing online services that are likely to be used by children, you should ensure that relevant technical and organisational measures meet the higher protection standards required. It is also advisable to refine your internal complaints-handling processes in line with the DUAA’s new requirements, and to monitor the ICO’s ongoing consultation and guidance updates. 

Expert help

We will continue to monitor developments as the ICO rolls out new and updated guidance under the Data Use and Access Act 2025. We will provide further updates as the changes take effect, and we would be pleased to discuss any questions you may have or provide more detailed information on the implications for your organisation.

If you aren’t already, sign up to our Data Protection News and Trends Newsletter to stay up to date and for tips and guidance on how to stay compliant. 

If you have any queries about the DUAA, find out about our data protection services or contact Christopher Beveridge.
