Data Use and Access Act 2025: what does it mean for your business?

The Data Use and Access Act 2025 (DUAA) received Royal Assent on 19th June, implementing a reform of data laws and updating existing UK data protection legislation (including UK GDPR). The government’s objectives for the DUAA were to grow the UK’s economy and public services via measures including increased data portability and a relaxation of requirements for certain data processing activities (e.g. automated decision making). Alongside this easing of regulation, the DUAA also introduces increased requirements for handling individual’s complaints and mandates more stringent protections for children online. Despite its protracted ping-pong over questions of training AI-models using copyrighted materials, regulation on these issues was not ultimately included in the scope of the DUAA. 

Key changes introduced under the DUAA

Businesses now need to familiarise themselves with the DUAA’s key measures, both to ensure continued compliance with UK data protection law and to take advantage of any efficiencies available to their operations and data use arising under the DUAA.

Lawful basis for processing

• Recognised legitimate interests: A new lawful ground for processing of "recognised legitimate interests" has been introduced, which does not require a legitimate interests assessment.
• Direct marketing: The DUAA confirms organisations can rely on legitimate interests for direct marketing.
• Permitted further processing: New provision has been made to permit further processing if the new purpose for processing is compatible with the original purpose data was collected for, without requiring a compatibility test.
• Automated decision making: Obligations surrounding use of automated decision making have been relaxed, provided special category data is not used.

Online privacy rules

• Cookie consent: Cookie rules have been relaxed, with increased circumstances where consent is not required. These include use of analytics cookies relating to website or service improvement and cookies which check website appearance and functionality. Sites must, however, still include ‘clear and comprehensive information’ available about these cookies and provide free methods to reject cookies. Any information derived from analytics cookies can only be used for purposes of website or service improvement.    
• Protection of children online: The DUAA requires that sites which children are likely to visit to review how to further protect children, including considering design of the site and children’s needs when processing their personal data. These requirements were previously in the ICO’s “age appropriate design code”, but are now a legal obligation under the DUAA.  

Data portability

• Scientific research: The definitions of scientific research has been broadened (and includes commercial research) and consent rules now allow for data collected to be reused in the same scientific field. These requirements were broadly outlined in the recitals to the UK GDPR but are now a legal obligation under the DUAA.
• Data Sharing: A number of Smart Data schemes will be introduced to enable greater data sharing in key sectors, including energy, finance, healthcare and transport.
• Digital ID: A new framework for digital verification services will be created, with the aim of mobilising the adoption of Digital ID as a verification method.

Data subject engagement

• DSAR requirements: The DUAA clarifies that businesses are only required to make "reasonable and proportionate" searches in response to a data subject’s request to access personal information held about them.
• Individual complaints: As a new requirement, organisations must help individuals wishing to complain. This includes having adequate complaints forms, acknowledging complaints within 30 days and responding without delay.

Regulator’s remit

• ICO changes: The regulator has been renamed the Information Commission, and is subject to changes in structure and increased investigatory powers.

• Increased fines: Unlawful direct marketing in the Privacy and Electronic Communications Regulations is now subject to fines at the same level as breaches under UK GDPR (e.g. for the most significant breaches, fines will be the higher of £17.5m or 4% of global turnover). This change reflects the UK's strong stance on unlawful electronic marketing to consumers and should be noted by organisations.

Entry into force

The DUAA’s provisions will enter into force in several phases, most requiring enabling secondary legislation. Currently, the ICO anticipates the first changes to be implemented by mid-December this year, with major guidance set to be published this winter or early in 2026. 

Getting your business ready

Ahead of the legislation coming into force, businesses should:

• Review and assess which changes impact data flows internally as well as in processing supply chains.
• Consider whether potential efficiencies are available as a result of changes to automated decision-making, new data sharing schemes, or innovation under the new scientific research rules.  
• Review grounds for processing and whether the new ‘recognised legitimate interests’ or legitimate interests for direct marketing impacts your operations.
• Audit complaints processes and update these as necessary to comply with new requirements.

In addition to the potential efficiencies under the DUAA, businesses may benefit from reviewing and implementing the ICO’s recent guidance on anonymisation of data, and the commercial opportunities that effective anonymisation may present.

If you'd like to discuss further how the DUAA impacts your business, your legal obligations regarding personal data, or data anonymisation strategies, please get in touch with our Commercial Technology team at [email protected].