The UK Data Use and Access Act (DUAA) 2025

The Data Use and Access Bill received Royal Assent from the King on 19 June 2025 and, as a result, the newly approved Act has now been enacted into UK law. This article reviews the new legislation and its potential impact for UK businesses and organisations.

What are the key changes in the UK Data Use and Access Act?

The UK Data Use and Access Act introduces nuanced adjustments to the current regime rather than completely overhauling it. Nonetheless, certain changes could affect data handling, sharing and compliance obligations for UK businesses.

Introduction of Recognised Legitimate Interests

The Act introduces ‘Recognised Legitimate Interests’ as a new legal basis for data processing, specifically allowing certain security-related activities such as fraud prevention, public safety, and national security to be considered legitimate interests by default, potentially without requiring a Legitimate Interests Assessment (LIA). The Act simplifies the process for organisations to rely on legitimate interests but, crucially, it does not eliminate the need for an LIA in all cases.

Currently, this new legal basis explicitly applies to private organisations and does not appear to extend to public authorities. This potentially excludes NHS organisations, and further clarification will be needed regarding the impact on NHS-held health data.

Additionally, the Act recognises direct benefits for organisations involved in direct marketing, intra-group administrative purposes and ensuring network security by making it clearer that such processing activities may qualify under legitimate interests.

It is important to stress that the Act still requires organisations to assess whether an individual’s rights override their business interests when relying on legitimate interests for marketing. This process is known as the balancing test. This means that data controllers must evaluate the impact on individuals before using legitimate interests as a legal basis, to ensure that the processing does not override fundamental rights and freedoms.

Finally, the Act does not override the existing Privacy and Electronic Communications Regulations (PECR), which still require consent for certain marketing channels such as email and SMS marketing. The rules for general commercial direct marketing remain unchanged, meaning that in many cases explicit consent will still be required under PECR.

Changes to Data Subject Access Requests (DSARs)

Processing Data Subject Access Requests (DSARs) can be costly and time-consuming due to the large volume of data typically involved. Under the existing UK GDPR framework, organisations are required to respond to DSARs without undue delay and within one calendar month of receipt. The Data Use and Access Act retains this timeframe but introduces the “reasonable and proportionate” search principle for responses.

The Act clarifies that organisations are required to conduct “reasonable and proportionate” searches when responding to DSARs. This means that while organisations must make genuine efforts to locate and provide the requested personal data, they are not obligated to conduct exhaustive searches that would impose an excessive burden. This clarification aligns with the guidance of the Information Commissioner’s Office (ICO), which states that organisations should perform a reasonable search for the requested information.

The Act also allows organisations to pause the response period in certain circumstances:

  • When verifying the identity of the data subject
  • When requesting additional information necessary to process the request
  • When dealing with complex requests or multiple requests from the same individual

Once the necessary information is provided, the response timeframe resumes. Organisations must notify the individual of the delay and provide reasons for the extension within the original one-calendar-month period.

Clarification on Automated Decision-Making

Article 22 of the existing UK GDPR restricts solely automated decision-making (ADM) that has a significant legal effect on individuals, requiring meaningful human oversight for all such processes.

The Act clarifies that ‘meaningful human intervention’ necessitates a competent person reviewing automated decisions. This ensures that human oversight in ADM processes is substantive and informed. Organisations using AI-driven processes must uphold transparency and accountability in decision-making. They are also required to inform individuals and comply with non-discrimination laws such as the Equality Act 2010.

The Act further specifies that ADM processes involving any type of personal data must still be subject to appropriate safeguards.

Changes to the Protection of Children’s Personal Data

The Data Use and Access Act introduces several provisions aimed at strengthening the protection of children’s personal data. It defines children’s ‘higher protection matters’ as considerations for how best to safeguard and support children when using services. The Act also acknowledges that children may be less aware of the risks and consequences of data processing and have different needs at various stages of development.

Recent developments highlight ongoing efforts to enhance children's data protection:

  • The ICO has launched investigations into platforms such as TikTok, Reddit, and Imgur regarding their handling of children’s data, focusing on content recommendations and age verification methods
  • The ICO introduced the Age-Appropriate Design Code, also known as the Children’s Code, a UK code of practice requiring online services likely to be accessed by children to be designed with their safety and privacy in mind
  • The Online Safety Act is broader in scope and improves online safety for all users but also includes a focus on protecting children. Regulated by Ofcom, the Act introduces stricter content moderation requirements for platforms to prevent harm to minors. In December 2024, Ofcom issued its first codes of practice under the Act targeting illegal harms such as child sexual abuse and incitement to suicide. The Act also mandates age verification measures to prevent children from accessing harmful content, including the use of AI facial checks and email analysis

These initiatives reflect a broader effort to create a safer digital environment for children and to ensure that their personal data is handled with due care and consideration.

Cookies and Other Similar Tracking Technologies

The Act expands the scope for implementing cookies and similar tracking technologies without requiring user consent, under certain conditions.

It specifies that cookies used solely for statistical purposes, such as improving services or websites, will be exempt from the consent requirement. However, users will need to be informed of their purpose and be able to opt out easily. The exemptions also cover service improvement, security purposes and emergency assistance. This change aims to reduce compliance burdens for organisations managing cookie regulations.

The Act also seeks to standardise enforcement across the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Organisations are advised to ensure compliance with PECR, particularly regarding cookie usage and direct marketing.

Revised International Data Transfer Mechanisms

The Act places a strong emphasis on only allowing international data transfers to countries where the protection standard is “not materially lower” than the UK’s. This change is intended to enhance flexibility for businesses engaging in global data exchanges. It could streamline cross-border business operations, but concerns may remain regarding its potential impact on the EU-UK adequacy decision.

Additionally, the Act restricts the Secretary of State’s ability to amend existing transfer safeguards. Any modifications will require secondary legislation to take effect.

Digital Verification Services (Digital ID)

The Act establishes a Digital ID Trust Framework to drive innovation and broader adoption of digital identities. This framework aims to streamline regulations for digital verification services, enhance national security measures for provider registration and increase oversight and consultation. Key provisions of the framework include simplifying regulations to make digital verification services more efficient and accessible.

Restructuring the ICO

The Act introduces a structural and strategic reform of the ICO. Under the new framework, the ICO will transition from its status as a corporation sole to a corporate body, formally established as the Information Commission, led by a Chair and supported by a non-executive board.

Importantly, the Commission will now be required to consider the public interest in driving innovation and supporting competitive markets. This will be in addition to its core responsibilities for safeguarding privacy and upholding data protection standards. The reform is designed to enable more commercially balanced regulatory outcomes and enhance the ICO’s ability to respond effectively to the evolving data economy.

Penalties for Non-Compliance

The Act enhances PECR enforcement powers, bringing penalties in line with UK GDPR. It permits fines of up to 4% of global turnover or £17.5 million, whichever is greater, significantly raising potential penalties for non-compliance.

It is important for UK organisations to begin assessing the Act’s potential impact on their data management and compliance frameworks. Note that the Act amends the current UK legislation under the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR); organisations must therefore continue to adhere to the already existing requirements in addition to these amendments. Most of the new provisions are expected to come into force either two or six months after Royal Assent, but some may take up to 12 months.

The UK Data Use and Access Act

The Labour Government introduced the Data Use and Access Bill in the House of Lords in October 2024. The Act’s progression was marked by extensive legislative scrutiny, including nine rounds of exchanges, commonly referred to as "ping pong", between the House of Commons and the House of Lords.

The Act’s final stages were delayed due to prolonged discussions concerning the use of copyrighted material in artificial intelligence training. Despite these debates, the legislation retained broad cross-party support. In the final debate, held on 11 June 2025, the House of Lords chose not to insist on its previous amendment, which would have imposed further legislative obligations on the Government regarding copyright infringement and AI transparency. It is worth noting, however, that the Government has indicated plans to introduce a separate AI Bill, which may address the concerns raised during these discussions. Furthermore, the Act does require the Secretary of State to lay a progress statement before Parliament within 6 months of enactment.

The new legislation does not constitute as significant a departure from the United Kingdom’s existing data protection framework as had been proposed under earlier Conservative-led reforms. The Act amends rather than replaces the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. It has been drafted to maintain alignment with the core principles of European Union data protection law and the jurisprudence of the European Court of Justice. This alignment is critical to preserving the United Kingdom’s adequacy status, which allows the continued flow of personal data from the European Union to the United Kingdom. Only time will tell if the new Act will be viewed positively by the EU in this regard.

For UK organisations, the changes may signal a shift in data management policies, requiring adjustments to compliance frameworks and operational processes. Organisations are encouraged to liaise closely with their Data Protection Officers (DPOs) and to monitor forthcoming guidance from the ICO. Now is an opportune moment to assess internal practices, particularly in areas such as legitimate interests and the handling of Data Subject Access Requests, and to reinforce the robustness of your data governance framework.

We will continue to publish updates on ICO guidance. We would also be delighted to discuss any queries you have or provide further information. You can also find out more about our data protection services or contact Christopher Beveridge.