The Data (Use and Access) Act (DUAA) received Royal Assent on June 19, 2025. The DUAA reforms how the United Kingdom (UK) manages non-personal and personal data and aims to unlock the effective use of data.
The Act amends, but does not replace, the laws previously regulating data protection, such as the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
While the Data (Use and Access) Act 2025 (DUAA) officially became law upon receiving Royal Assent in June 2025, most of its provisions will come into effect on dates set by the Secretary of State through secondary legislation.
What are the most important data protection changes and implications for businesses covered in Part 5 of the Act?
- Recognized legitimate interests
Companies can now process personal data for specific public benefit purposes, such as sharing data with public bodies, safeguarding vulnerable individuals and crime prevention, on the basis of recognized legitimate interests and without the need to conduct a legitimate interest assessment. Schedule 4 of the DUAA inserts a new annex into the UK GDPR and sets out the conditions that an organization needs to meet when relying on the new recognized legitimate interests as a lawful basis for processing.
- Clarity on processing activities that can rely on legitimate interest
The Act lists processing activities that may rely on a legitimate interest, including direct marketing, intra-group transfers for administrative purposes, and the security of network and information systems. Formerly included only in a Recital of the UK GDPR, this provision was not binding; it is now expressly provided in the DUAA.
- Automated decision-making
Unlike the restriction in the UK GDPR, Section 80 of the DUAA relaxes the restriction on automated decision-making so long as appropriate safeguards are in place. These safeguards include transparency about how decisions are reached, and the opportunity for the data subject to contest the decision and to obtain human involvement. This is a welcome development for many companies aiming to automate internal processes and adopt AI in the UK.
It is important to mention that automated decisions using special category personal data are still not permitted.
- Data Subject Access Request
The DUAA simplifies the process by allowing controllers to pause the response deadline if they require more information to identify the relevant data or processing activities relating to the request. Furthermore, when responding to a DSAR, the controller may provide a response to the data subject after conducting only a reasonable and proportionate search.
- Transfer of personal data to a third country or an international organization
The Act replaces the adequacy decision required under the UK GDPR with a “data protection test.” The test assesses whether the protection in the destination country is not materially lower than in the UK and considers more factors than those outlined in the UK GDPR. The Secretary of State would approve international transfers to third countries and international bodies that pass the test. It is important to mention that international transfers under the Act remain possible only on one of three bases: a data protection test, appropriate safeguards (as under the GDPR), or reliance on a derogation for specific situations (as under the GDPR).
- Children and online services
The DUAA requires companies providing online services that are likely to be used by children to take their needs (as people requiring specific protection) into account when deciding how to use their personal information. Companies can already satisfy this requirement if they conform to the ICO’s Age-Appropriate Design Code (AADC). According to the Information Commission’s website, the Code is, however, currently under review.
- Data protection complaints
Data subjects are allowed to make direct complaints to the controller if they consider that there is an infringement in the processing of their personal data. The DUAA therefore requires companies to take steps to assist data subjects who want to make such complaints, for example by providing an electronic complaints form as suggested by the ICO. A 30-day rule applies to acknowledging complaints and responding to the data subject.
- Research
The Act expands the definition of processing that can be covered under historical, statistical and scientific research purposes. For example, scientific research can now include commercial or non-commercial activity, as well as study for technological development. It also sets out factors to consider when assessing whether informing data subjects about further processing of their personal data for scientific, historical, archiving or statistical purposes would involve a disproportionate effort.
- Cookies and electronic communications
The Act also amends certain provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
*Cookie consent: Companies can set some types of cookies without having to obtain consent, although these cookies still require that clear information be provided to the data subject along with the option to opt out. These exceptions include cookies collecting statistical information about how the service or website is used, cookies that enable website functionality or user preferences, and cookies allowing geographical tracking for the provision of assistance in response to an emergency communication.
*Cookie consent rule: The consent requirement also applies to companies that instigate the storage of, or gain access to, stored data.
*Soft opt-in for charities: Charities and non-profits may now rely on the soft opt-in rule when sending direct marketing by email, provided recipients have a clear opportunity to opt out.
*Increased fines: The DUAA aligns the maximum penalties for PECR breaches, including cookie violations, with those under the UK GDPR, which allow fines of up to £17.5 million or 4% of global annual turnover.
*Code of Conduct: The Information Commission (formerly ICO) may now encourage representative bodies to design codes of conduct to assist with compliance with the PECR as well as accredit such bodies.
Actions required from companies
- Assess the current legal basis for processing within your organization and adjust your documents (privacy policy, ROPA, etc.) to reflect the requirements of the Act.
- Implement a complaint process that ensures data subjects can submit complaints directly to the company and that complaints are dealt with promptly.
- Review current legal basis for cookies and tracking technologies.
- Consider privacy by design when processing personal data of children and in particular comply with the ICO’s Age-Appropriate Design Code (AADC).
At ePrivacy GmbH, we can support your organization in complying with the DUAA and keep you abreast of ongoing developments in the UK.