The Data Use and Access Act 2025 (DUAA) is now law!
On Thursday 19 June 2025, the UK’s DUAA finally became UK law. That marks the end of a fairly tortuous route of changes, passing through a change of Government and then plenty of back and forth in recent months in the “ping pong” process between the House of Commons and the House of Lords.
Some elements of DUAA come into force straight away (some even on a backdated basis!), and the remainder will come into effect over the coming months. The timetable is fairly complicated and requires a deep dive into the legislation itself for the parts that might be relevant to your business operations, which is beyond the scope of this article.
DUAA will create a fairly complicated ecosystem of what we’ll call applicable UK data protection legislation in this article. Instead of creating an entirely new law, DUAA amends several pieces of UK legislation, including (from the perspective of this article) the:
- UK General Data Protection Regulation (UK GDPR, referred to simply as the GDPR in this article).
- Data Protection Act 2018 (DPA).
- Privacy and Electronic Communications Regulations (PECR).
It’s not easy to wrap your brain around the wording of the amendments, particularly in the end of June 2025 heatwave! We’ve been busy squirreling away creating our own amalgamated version to work out what has changed, until an official Keeling schedule version is published. Given that some amendments are already in force, giving accurate client advice requires an understanding of the changes to the various bits of applicable UK data protection legislation, which then interact in a complicated web.
Evolution or Revolution?
Most commentary suggests that, overall, the DUAA is more of an evolution than a revolution of the existing law. We believe, though, that for some organisations there are fundamental changes that will undoubtedly impact their business operations. We’ve been keen to explain this in an article, but have waited for the final version of the DUAA to be published to check for any last-minute changes creeping into the new law.
The Government and the newly named Information Commission (more on this below) continue to emphasise keenly that the focus of DUAA is to facilitate innovation. They point in particular to the expansion of how data can be used legitimately for research (including for commercial purposes), broader scope for automated decision-making (with restrictions retained where special category data is used), and a relaxation of the cookie rules, alongside a significant increase in the possible fines under PECR.
The DUAA also aims to make various, otherwise more onerous obligations, easier for organisations to comply with. For example, in some key areas like:
- By creating a soft opt-in for charities to carry out email direct marketing.
- Setting out specific “recognised legitimate interests” where balancing test is no longer needed when carrying out a legitimate interests assessment (LIA).
- By recognising that legitimate interests are likely to exist when carrying out direct marketing - making an LIA under the GDPR in this situation for e.g. hard copy postal marketing, much easier. Note though that PECR still applies to electronic direct marketing – meaning you can’t get away from justifying appropriate consents are in force etc.
In this article, we will stick to considering the key impacts of DUAA from a UK data protection perspective, touching on some interconnected AI use. In particular, we will give you our take on how it will impact your organisation’s GDPR compliance – and what actions you should take.
For organisations in the law enforcement or intelligence services sectors, or involved in the national underground asset register or smart meters, or impacted by e.g. the Online Safety Act, there are other nuggets in DUAA for you to consider too… but we can’t cover everything in this article.
DUAA allows quite a lot of freedom for the Government to add further details via regulations, so we’ll all have to keep an eye out for those in time.
Has the ICO produced new guidance on DUAA?
The ICO has pledged for some time to publish updated guidance covering the impacts and changes of DUAA on the applicable data protection legislation (e.g. to its detailed guide to the GDPR, its guides to marketing, its codes of practice etc.). It will be working on this over the next wee while for sure, though we suspect, given the time taken to update previous guidance following implementation of the GDPR (still a work in progress), there may be nothing wee about the time taken.
Although its general guidance will need to be updated in time, on 19 June 2025 the Information Commission published its own initial summaries and guides on the changes under DUAA. In particular:
- The ICO’s detailed guide on the changes: see here.
- A helpful guide highlighting the changes from the perspective of the individual: see here. This emphasises that not much has changed for individuals, while clearly flagging that UK organisations now have greater flexibility to use personal data.
- An updated list of the upcoming guidance to keep an eye out for: see here.
What are the top changes to be aware of?
Here's our overview of:
- The top issues and what you may need to consider to stay compliant from a data protection perspective.
- How to make the most of some new areas of flexibility, or at least areas of newfound legal certainty.
Grab something cold to drink and here we go:
- International Data Transfers
- Penalties under PECR increased to £17.5m – marketing risks go up!
- Cookie Rules
- Direct Marketing by Charities by Electronic Mail
- Handling Data Subject Access Requests (DSARs) and other Individual Rights Requests
- New Complaints Process Needed
- Automated Decision-Making (ADM)
- Changes to GDPR Legitimate Interests Legal Bases
- Privacy Notice Changes
- Processing for Compatible Purposes
- Expansion of Research Provisions
- Processing for Research Archiving and Statistics
- Children’s Higher Protection Matters
- Newly named Information Commission
- AI & Copyright Transparency
1. International Data Transfers
The DUAA introduces the concept of the “Data Protection Test”, which must be applied by the Government when determining adequacy of a particular country. This test takes a lot of the current guidance and case law on international data transfers and sets it out in law.
Fundamentally, it requires the Government to consider if a country offers a standard of data protection for individuals which is “not materially lower” than under the UK GDPR and DPA 2018.
This is a significant change from the existing position, where organisations must consider whether the relevant law and practice is “essentially equivalent”, so in substance it is a relaxation of the current test. The EU is set to consider later this year whether the changes under DUAA mean that it is content to continue the current adequacy arrangements between the EU and the UK. Some commentators have expressed concern over this relaxation. Watch this space!
When organisations are undertaking international data transfers, in addition to the normal suite of safeguards that must be complied with already, DUAA now requires organisations to consider if the Data Protection Test is met in relation to that transfer or type of transfer.
Action:
- Review international data transfer assessments and other processes, to reflect the Data Protection Test under DUAA. If any transfers are in play, or were on hold awaiting more clarity on how to assess a transfer, then you may wish to dust those off, and look again.
If you need assistance with ensuring compliance in relation to international data transfers, we’re happy to help.
2. Penalties under PECR increased to £17.5m – marketing risks go up!
Fines under PECR have increased from £500,000 to align with the GDPR’s maximum limits of £17.5m, or 4% of total worldwide annual turnover, whichever is higher.
Action:
- Review existing marketing practices, and ensure compliance with all the applicable data protection legislation, including ensuring that GDPR-compliant consent is obtained for direct marketing where required under it and PECR (see also paragraph 4 below for a good news story if you are a charity, and paragraph 3 in relation to your website and app compliance).
- Update corporate risk registers to clarify your organisation’s stance on exposure to fines under PECR – now substantially increased, and the ICO has definitely had a focus on fining in this area.
If you need assistance with reviewing your existing marketing practices for compliance (including reviewing consent mechanisms and marketing policies) or carrying out marketing specific training, we’re happy to help.
3. Cookie Rules
The DUAA revises the cookie rules, making cookie banner and other tracking technology requirements more flexible in certain contexts. Under the DUAA, cookies and similar technologies may be used where one of the following applies:
- Solely to collect statistical data with a view to improving the performance of, or the service provided by, a website (though you’ll still need to give clear information and an easy opt-out, e.g. via a cookie banner).
- The individual has been given clear information and has given consent (the existing rule, which continues to apply wherever none of the exemptions below is available).
- Necessary solely for carrying out transmission over a communication network.
- Strictly necessary to provide online services. There are specific examples, including: protection of information, security of devices, fraud prevention and detection and, fault prevention or detection, or (where necessary for the service) authentication or recording selections or information put into the website by the individual.
- Solely to adapt the services appearance or functions in accordance with the individual’s preferences.
- Solely to work out location when the individual requests emergency assistance.
Action:
- Update your cookie policies and website banners to reflect new rules.
If you need assistance with completing a cookie audit or reviewing your existing cookie compliance, we’re happy to help.
4. Direct Marketing by Charities by Electronic Mail
The DUAA introduces a change to the PECR to establish a soft opt-in process allowing charities to send electronic mail for the purposes of direct marketing. Specific criteria will still need to be followed to ensure this is carried out in a compliant manner – following the existing soft opt-in rules for other non-charitable organisations. This is, nevertheless, a significant change for charities. It allows them to communicate more effectively with individuals who have expressed an interest in the charity, or offered or provided support to the charity previously.
Action:
If you are a charity:
- Consider your marketing procedures, and establish whether the new soft opt-in could help you communicate more widely with existing and prospective supporters.
- Update privacy notices accordingly, reflecting your legal basis (for example, legitimate interests, supported by the new soft opt-in under PECR), and establish a simple method for individuals to opt out of electronic direct marketing.
If you need assistance with reviewing your existing communications, marketing and consent mechanisms, we’re happy to help.
5. Handling Data Subject Access Requests (DSARs) and other Individual Rights Requests
The DUAA brings the following welcome updates:
- Clarification of the time limits for responding to rights requests, such as DSARs. The “applicable time period” no longer runs from when you receive the request, it now runs from the latest of:
- When the controller receives the request.
- When the controller receives information to verify the requester’s identity.
- When the fee charged (if any allowed and applicable), is paid.
- Codification of a “reasonable and proportionate” search standard for DSARs. This gives organisations legal certainty around the position already made clear in ICO guidance. This change is already in force. Although not covered in this article, it is worth noting that a reasonable number of new changes are introduced to the DPA for law enforcement and intelligence services organisations processing DSARs.
Action:
- Update your handling processes for Individual Rights Requests (including DSARs), generally, including in relation to searches being carried out, and to clarify the ability to “stop the clock”.
- Train staff on changes to these processes.
If you need assistance with reviewing your Individual Rights Requests (including DSARs) policies, we’ve just updated ours and are happy to help.
6. New Complaints Process Needed
Controller organisations are now required to offer individuals a complaints procedure. This procedure should enable individuals to bring complaints to the controller, which should then be acknowledged within 30 days, and responded to without undue delay.
Action:
- Update privacy notices to explicitly offer a complaints process.
- Ensure processes are in place to meet the required complaints procedure deadlines.
If you need assistance with reviewing your privacy notices and creating compliant complaints handling processes, we are happy to help.
7. Automated Decision-Making (ADM)
The DUAA changes are likely to help organisations using tools such as profiling to make decisions, most obviously those using AI tools.
The changes mean:
- ADM is now only prohibited when making a “significant decision” based entirely or partly on processing special category data – a substantial relaxation of the current prohibition.
- A significant decision is one that, in relation to the individual, produces a legal effect, or a similarly significant effect.
- If you are using ADM to make significant decisions using special category data, the old set of exceptions applies, so you can make such decisions only if one of the following conditions is met:
- (1) The decision is based entirely on processing to which the individual has given explicit consent; or,
- (2) (a) The decision is:
- (i) necessary for entering into or performing a contract with the data subject; or,
- (ii) It is required or authorised by law, and
- (b) It is necessary for reasons of substantial public interest.
- Any ADM that involves a significant decision (whether with special category data or non-special category data) must be subject to appropriate safeguards – including requiring information about the decisions, allowing representations, allowing a request for human intervention, and allowing for the decision to be contested.
- The meaning of ADM always meant where a decision was made by solely automated decisions. This is now clarified to mean there is “no meaningful human involvement in the taking of the decision”. So, a token human intervention would not be sufficient to take ADM outside the restriction.
Action:
- Check which of your organisation’s processing activities currently involve ADM, and whether projects previously limited by the prohibition on ADM could be revisited now that the prohibition no longer applies to decisions based on non-special category data.
- Ensure you have complied with wider requirements of the GDPR – e.g. privacy by design and default, carrying out DPIAs, establishing legal basis, transparency in your privacy notices about your ADM etc.
- Consider changes that might be required to your individual rights handling processes, around your use of ADM (including profiling).
- Update ADM related policies to reflect new flexibility under DUAA.
If you need assistance with updating your ADM policies and procedures, we’re happy to help.
8. Changes to GDPR Legitimate Interests Legal Bases
It’s perhaps a little mind-boggling at this stage, but the changes to legal bases are two-fold: they sound similar but differ in terms of practical compliance steps.
A. A new “Recognised Legitimate Interests” Legal Basis
The DUAA introduces an additional new legal basis of “recognised legitimate interests”, added in as Article 6(1)(ea) of the GDPR, with the detail in a new Annex 1. Annex 1 (inserted into the UK GDPR by Schedule 4 to the DUAA, “lawfulness of processing: recognised legitimate interests”) makes clear that:
i. This legal basis can only be relied on to lawfully process personal data where the processing is necessary (so you still need to meet a necessity test, and be able to demonstrate this where appropriate) for one of the recognised legitimate interests. The first of these is making a disclosure of personal data to another person in response to a request from that person, where the request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) GDPR (i.e. in short, public task/public interest processing).
The DUAA also adds wording to clarify that the existing public task basis only applies to the organisation’s own tasks. This means an organisation supporting a public authority in the exercise of its tasks should rely on another basis, such as legitimate interests (or the new recognised legitimate interests basis).
ii. The data processing activities this applies to are set out in more detail in that Annex but relate to processing related to:
- National security, public security and defence.
- Responding to emergencies.
- For the purposes of detecting, investigating or preventing crime, or apprehending or prosecuting offenders.
- Safeguarding vulnerable people.
Provided these criteria are met, we understand these recognised legitimate interests will no longer require e.g. the balancing test part of a Legitimate Interests Assessment (LIA).
B. Clarification of existing Legitimate Interests Legal Basis
DUAA also sets out three specific examples of processing activities which may be carried out under the existing legitimate interests legal basis at Article 6(1)(f) of the GDPR. These are where the processing is necessary for:
- Direct marketing (although PECR still applies to any electronic direct marketing).
- Intra-group transmission of personal data where necessary for internal administrative purposes.
- Ensuring security of network and information systems.
As we understand it, reliance on this legal basis will still require a LIA to be carried out, as you would expect to do so for GDPR compliance at the moment. However, as the legitimate interests themselves are now clearly set out in law (not just buried as examples in the GDPR’s recitals as they were before), the LIA – including the balancing test to be carried out under it - should be much quicker and easier to comply with in practice. The ICO’s DUAA Guidance states that as these “examples are taken from the recitals to the UK GDPR … the effect is to make existing interpretative guidance in the recitals legally binding.”
Action:
- Review your data mapping and/or ROPAs to identify where you are relying on legitimate interests or recognised legitimate interests and make this clear. Ensure that you have the right compliance measures in place to rely on the legal basis, including carrying out documented LIAs where required.
- Update any intra-group data transfer agreements and arrangements to reflect the changes.
- Update all relevant privacy notices (job applicant, employee, website, app etc. privacy notices) to make clear what legitimate interests are relied on and explain these, and where appropriate, your compliance measures in relation to the same.
If you need assistance with reviewing your ROPAs or legal basis assessments (including LIAs and DPIAs) or with updating privacy notices, we are happy to help.
9. Privacy Notice Changes
The DUAA brings in some changes to the requirements on organisations to provide individuals with privacy notice information.
- Under Article 13 GDPR, which applies to organisations who collect personal data directly from data subjects, DUAA clarifies that the organisation doesn’t have to provide a privacy notice if:
- it intends to further process personal information for research purposes, in accordance with DUAA provisions covering this type of use; and
- providing the privacy notice is impossible or would involve a disproportionate effort.
The organisation is still required, however, to protect individuals’ rights in other ways, e.g. by making the information publicly available.
- Under Article 14 GDPR which applies to organisations who obtain personal data from third parties other than the data subject, there is no real change to current requirements, but there are some useful clarifications to help simplify understanding and set out in law that disproportionate effort depends on, among other things:
- The number of data subjects involved.
- The age of the personal data.
- If appropriate safeguards have been applied to the processing.
This codifies existing GDPR recitals.
If you need assistance with reviewing your privacy notices, we are happy to help.
10. Processing for Compatible Purposes
The DUAA amends the GDPR’s purpose limitation principle to introduce a set of conditions which will allow organisations to process personal data for new purposes which are considered, in law, to be compatible with the original purpose.
In addition to establishing an appropriate lawful basis, the organisation must, however, still make a determination that the purpose is compatible, taking into account factors, such as the link with the original purpose, the context of collection, the possible consequences of the new purpose, the existence of appropriate safeguards (such as encryption or pseudonymisation).
The DUAA clarifies in law certain purposes which will be considered compatible.
These include:
- A new purpose for which the individual has consented.
- Processing for research, archiving and statistical purposes.
- Processing which is for the purpose of ensuring the processing complies with the Data Protection Principles, or demonstrating it does so.
- The specific situations set out in a new Annex 2 – safeguarding, taxation etc.
Action:
- Check your ROPA and privacy notices, to ensure that all your processing purposes are clear.
- Consider whether there are any other compatible purposes that you may be able to justify, and make these clear in the ROPA and privacy notices. For example, carrying out commercial research on a data set collected for an original purpose of, say, marketing may now be justifiable.
If you need assistance considering if your processing is for compatible purposes, we’re happy to help.
11. Expansion of Research Provisions
Under DUAA, the definition of scientific research now clearly includes any “…processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.”
This includes “processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific” .
The concept of consent has also been clarified in law in relation to research activities. Organisations are now clearly permitted to collect valid consent to an ‘as yet undetermined’ area of scientific research, provided that the research is consistent with recognised ethical standards and that, so far as possible, individuals are given the opportunity to consent to only part of the research.
The DUAA makes it clear that you do not have to provide updated privacy notices if you are using data collected directly from an individual, only for research, archiving or statistical purposes – where doing so would be impossible or involve disproportionate effort.
Action:
- If you undertake research, or plan to, consider how the clarification of the scope of scientific research, consent and notification could help your organisation. In particular, it was previously uncertain whether the research provisions supported commercial research, and collecting valid consent to ‘as yet undetermined’ areas of research was not previously clearly possible.
- Consider updating your privacy notices and ROPAs.
If you need assistance considering your processing for these purposes, we’re happy to help.
12. Processing for Research Archiving and Statistics
The DUAA specifically allows organisations to carry out processing which is necessary for “Research, archiving and statistics” purpose (RAS Purposes).
Personal data may only be processed for RAS Purposes if:
- the processing consists of the collection of the personal data (whether from the data subject or otherwise),
- the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a data subject, or
- without the processing, the RAS purposes cannot be fulfilled.
Processing for RAS Purposes must be carried out subject to “appropriate safeguards” for the rights and freedoms of individuals. For example:
- the processing must not be likely to cause substantial damage or substantial distress to the individual;
- the personal data must not be processed to make decisions about the particular individual it relates to (unless this is for “approved medical research” by approved organisations);
- you must respect data minimisation (for example, by implementing pseudonymisation).
Action:
- Consider what research purposes you are currently undertaking, or where you could potentially expand your research activities.
- Ensure you have appropriate safeguards in place in relation to processing for RAS purposes, and document those.
If you need assistance considering your processing for these purposes, we’re happy to help.
13. Children’s Higher Protection Matters
The DUAA introduces a statutory obligation on organisations providing “information society services” (being services provided over the internet) to consider children’s higher data protection matters. This means organisations must consider:
- “(a) How children can best be protected and supported when using the services; and,
- (b) The fact that children:
- (i) merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing, and
- (ii) have different needs at different ages and at different stages of development.”
Action:
- Consider whether your online services are aimed at, or could be accessible by, children.
- Where applicable, consider application of and compliance with the ICO’s Children’s Code and carry out DPIAs where appropriate.
If you need assistance with ensuring compliance when processing children’s data, we’re happy to help.
14. Newly named Information Commission
The ICO will be restructured into the Information Commission, with a formal board and an appointed CEO.
Action:
Not much! Maybe check your privacy notices and internal policies, procedures and training materials for relevant definitions. For example, will the handy acronym “ICO” that we’ve all come to love continue to be used?
15. AI & Copyright Transparency
The DUAA does not include provisions requiring AI developers to disclose training data sources, despite concerns raised from artists and copyright holders and a lot of last-minute parliamentary ping pong discussing this issue.
Action:
- If using AI, monitor upcoming copyright consultations for potential future changes.
If you need assistance reviewing your organisation’s use of AI generally, we’re happy to help.
We are always here to help if your organisation has questions about legal issues arising from the new DUAA or wish to explore the opportunities flowing from it. Please don’t hesitate to contact us anytime for a no-obligation chat.