The Data (Use and Access) Act 2025 (DUAA) received royal assent on June 19, 2025. It reforms UK data protection legislation, including the UK GDPR, the DPA 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The changes will take effect between June 2025 and June 2026.
The new law will be rolled out in stages, with most provisions taking effect within two to six months, although certain measures could require up to a year to be fully implemented. The precise timeline table and the ICO's detailed guidance on the subject are yet to be published.
What is the DUAA?
The UK’s new Labour government announced plans to reform data protection laws in July 2024 through the Digital Information and Smart Data Bill, later renamed the Data (Use and Access) Bill. Presented to the House of Lords in October 2024, the bill included many DPDI-inspired amendments while leaving out more controversial elements. It passed Parliament and received Royal Assent on June 19, 2025, becoming the Data (Use and Access) Act 2025.
Earlier plans to overhaul core concepts – such as removing the requirement for Data Protection Officers or changing the definition of “personal data” – were dropped in the final Act. The law retains the familiar UK GDPR framework, so businesses won't need to eliminate DPO roles or redraw boundaries of what is personal data. The focus is on incremental improvements rather than radical divergence.
The DUAA aims to energize the economy, modernize public services, and simplify the lives of Britons. Its main provisions include sharing health data between institutions (e.g., between hospitals), data retention during judicial investigations, as well as online identity verification, accompanied by the creation of a trust label for service providers.
Alongside the data-sharing provisions, a substantial part of the Act refines the UK’s data protection regime. Rather than a radical overhaul, these changes streamline or clarify existing obligations. Key updates that businesses must heed include:
New compliance and data protection requirements for organizations
Subject | DUAA | Your organization |
---|---|---|
Scientific research & broad consent | The DUAA clarifies when it is permissible to use personal data for scientific research, including commercial research, and allows for 'broad consent' covering a field of study. | Under UK GDPR, consent for using personal data traditionally had to be specific and informed. DUAA relaxes this for research contexts: researchers may obtain consent for broad or evolving research areas when it’s not feasible to fully specify the purpose at the outset. |
Solely automated decision-making | Creates a more permissive framework for businesses to leverage automated decision-making (including AI and machine learning systems), provided certain safeguards are in place. The Act defines “no meaningful human involvement” as the threshold for a purely automated decision. However, the current GDPR/UK GDPR strict restrictions will continue to apply to sensitive data. | Organizations may use solely automated decisions in more situations without human intervention, as long as they implement protections for individuals including transparency (informing people when a significant decision about them is automated), the ability for individuals to challenge or appeal the outcome, and the option to request human review of that decision. Businesses using AI should assess if any human input in the process is truly “meaningful”. |
New basis for specific "recognized legitimate interests" | Exempts the controller from balancing the individual’s rights against the interest pursued. The list of recognized legitimate interests is annexed to the UK GDPR. It includes national security; responding to an emergency; detecting, investigating or preventing crime; and safeguarding. | If a business is processing data for a listed purpose (for example, running network security measures or emailing existing customers about similar products), it can rely on this lawful basis without conducting the normal “Legitimate Interests Assessment” balancing. Organizations must still respect opt-outs and other applicable laws (e.g. PECR for marketing communications). |
Rights & processes for individuals
Subject | DUAA | Your organization |
---|---|---|
DSARs & deadlines | DUAA introduces a “stop-the-clock” mechanism: if an organisation needs more information to verify the requester’s identity or to clarify the scope of the request, it can pause the normal one-month clock until the requester responds. When information is withheld on the grounds of legal professional privilege or client confidentiality, organisations are now required to tell individuals clearly which exemption was invoked and why it applies. | Businesses should update their SAR procedures; however, the stop-the-clock mechanism should be used with care so that it does not itself give rise to complaints. |
DSARs & efforts for search | Firms are only required to undertake “reasonable and proportionate” searches for data when responding. In other words, you must make sincere efforts to find personal data but are not expected to exhaustively search every system where that would be disproportionate. | The search burden appears to be reduced; however, the subjectivity of the term "proportionate" can be problematic. |
Data Protection by design for children's protection | Organisations offering online services likely to be accessed by children now have an explicit legal duty to consider children’s privacy and wellbeing when designing and delivering those services. This essentially enshrines aspects of the ICO’s Age Appropriate Design Code (Children’s Code) into law, ensuring that platforms and apps take into account the best interests of child users. | Organizations that haven’t already aligned with the Children’s Code should do so, as it is becoming a compliance requirement rather than just regulatory guidance. |
New complaints procedure | Requires organisations to establish a process for individuals to lodge data protection complaints directly. If an individual believes a company is misusing their data or not respecting their rights, the company must have a clear internal channel (for example, an online complaint form or email address) to handle such complaints. Controllers are obliged to acknowledge receipt within 30 days. | Businesses should implement or review internal complaint-handling workflows and privacy policies – potentially similar to how consumer complaints or subject access requests are managed – and train staff to deal with data protection concerns. |
Sector-specific focus on marketing
Subject | DUAA | Your organization |
---|---|---|
PECR | Maximum fines for breaches of the e-Privacy rules in PECR (Privacy and Electronic Communications Regulations) have been raised to UK GDPR level. The ICO can now impose administrative fines of up to £17.5 million or 4% of global annual turnover (whichever is greater), a dramatic increase from the previous £500,000 cap. This means that violations related to unsolicited marketing calls/emails, misuse of cookies or tracking, and other electronic privacy offences carry the same financial risk as personal data breaches. | With higher fines now possible for PECR breaches, businesses should closely review their digital marketing practices. |
Exemption of consent for low-risk cookies | Expands the categories of cookies and similar tracking technologies that can be set without obtaining prior consent. Under PECR, only cookies “strictly necessary” for a service were exempt from consent. Now analytics cookies used purely to collect statistical information for service improvement, functional cookies for user preferences or automatic sign-in, and cookies used to detect faults or locate users during emergencies are also exempted. | Businesses should update their cookie policies and Consent Management Platforms/banners to reflect these exemptions, potentially simplifying user consent flows on websites and apps. However, these “low-risk” uses must be transparent and offer an opt-out, and any data collected must not be used beyond the stated improvement or functionality purpose. |
Charity “Soft Opt-in” | Non-profit organisations (charities, political parties, etc.) are now allowed to rely on the “soft opt-in” exception for email/text marketing. | The usual soft opt-in conditions still apply: the communications must relate to the organisation’s own aims (similar context), and an opt-out/unsubscribe option must be prominently provided in every message. |
Direct marketing | Confirms that direct marketing can constitute a legitimate interest under UK GDPR. This codifies what was in the GDPR’s recitals: using personal data for marketing (e.g. maintaining a customer mailing list, profiling for marketing) is generally allowed under the “legitimate interests” basis, subject to the usual opt-outs and fairness considerations. | The practical effect is to give businesses more confidence in choosing legitimate interests (instead of consent) as the lawful basis for certain marketing data uses, since the law now explicitly recognizes it. The PECR rules still apply: legitimate interests remains available as a basis only where the law does not require consent. |
From ICO to an "Information Commission" with stronger enforcement powers
The Act restructures the Information Commissioner’s Office into an “Information Commission” (a multi-member body) and grants it stronger investigative and enforcement powers.
The Commission can compel organisations (and their staff) to provide information or documents relevant to an inquiry, and even mandate witness attendance for interview.
Enforcement notices and assessment notices no longer need paper delivery or the consent of the recipient. The regulator can serve legal notices electronically, including on companies overseas that operate in the UK, which streamlines cross-border enforcement.
The Information Commission can form expert stakeholder panels to help shape codes of practice or assess regulatory impacts. While not directly a burden on businesses, this suggests that more consultative and possibly sector-specific guidance will emerge, to which companies should pay attention.
DUAA and data transfers
The UK regime keeps the GDPR’s hierarchy: first look for adequacy (now called “data protection test”), then safeguards (like SCCs, BCRs), and finally derogations.
The DUAA adopts the same approach as the DPDI Bill by introducing a new “data protection test” for international data transfers. Under this test, safeguards in third countries must not be materially lower than those in the UK.
Exporters must also apply a data protection test, but a less stringent one: a transfer is allowed if the exporter, “acting reasonably and proportionately”, believes the standard of protection in the destination is not materially lower than in the UK.
However, because “materially” isn’t precisely defined, this could both widen the range of eligible jurisdictions and potentially trigger EU concerns, complicating future adequacy decisions.
An indirect but notable legal risk involves international data transfers. The European Commission is currently reassessing the UK’s adequacy decision (which allows EU-to-UK personal data flows) in light of these reforms. The Commission extended the UK’s adequacy status to December 27, 2025 while it evaluates DUAA’s impact.
Given that the Act’s changes to privacy law are modest, experts believe a positive adequacy renewal is likely. However, any perception that UK data protection standards have materially lowered could jeopardize this status.
Next steps
Loss of adequacy would impose costly compliance hurdles on businesses exchanging data with Europe. Thus, companies should monitor this development; at present no action is needed.
The ICO is planning to update and amend its guidance over the coming months. For now the ICO provides practical guidelines to help organizations become familiar with the changes.