
Risk Notice DUAA

GDPR – Data Use and Access Act (DUAA) – 2025/27

Gov.UK Statement:

The Data (Use and Access) Act 2025 (“DUAA”, “the Act”) received Royal Assent on 19 June 2025. This is a wide-ranging Act which includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register. It also includes some important changes to the UK’s data protection and privacy legislation, which are the subject of this page.

The DUAA will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003, but it will make some changes to them to make the rules simpler for organisations, encourage innovation, help law enforcement agencies to tackle crime and allow responsible data-sharing while maintaining high data protection standards.

Summary Points of Change:

1. Solely automated decision-making

UK GDPR currently places strict restrictions on automated decision-making (including profiling) which result in legal or similarly significant effects. This will be relaxed so it only applies to automated decisions using special category data. With any other personal data, there will be a requirement to put in place certain safeguards, such as giving individuals the ability to contest decisions and request human intervention.

This change will give organisations more flexibility to make automated decisions using personal data (but not special category data), for example when utilising AI systems. To prepare for this change, re-assess any use of solely automated decision-making and review the relevant processes and policies.

As part of the recently launched ICO AI and Biometrics Strategy, the regulator has committed to:

  • updating its guidance on automated decision making (ADM) and profiling by autumn 2025, with a public consultation on this updated guidance
  • developing a statutory code of practice on AI and ADM

2. Data Subject Access Requests (DSARs)

Provisions to be introduced on DSAR handling give a statutory footing to existing ICO guidance. In practice this is unlikely to mean any significant changes if the company is already following regulatory guidance, but it does give a degree of extra confidence by being written into UK law.

The key points are:

  • the one-calendar-month timescale for responding does not start until the organisation is satisfied the requester is who they say they are
  • when seeking clarification, the clock can be paused while awaiting the individual’s response
  • organisations can conduct a “reasonable and proportionate” search for personal data.

When withholding information is based on legal professional privilege or client confidentiality, a new requirement will mean organisations have to explicitly inform individuals about the specific exemption being applied and the reasons. Individuals will also have the right to request the ICO reviews how these specific exemptions have been applied.

To prepare, review the currently held DSAR procedure, and plan how to update response templates to include more explicit information and bolster internal documentation used to justify reliance on these exemptions.

3. The right to be informed

The obligation to provide privacy information to individuals (e.g. under Article 14, UK GDPR) will not apply if providing this information “is impossible or would involve disproportionate effort”.

This is most likely to be particularly relevant where organisations have gathered personal data indirectly, i.e. not directly from the individuals.

4. New complaints procedure

The legislation includes a new right for individuals to raise complaints related to use of their personal data. These new rules will require controllers to make sure they have clear procedures to facilitate complaints, including providing a complaint form. Complaints will require a response within 30 days. Alongside this, organisations may also be obligated to notify the ICO of the number of privacy-related complaints they receive during a specified time period.

Privacy notices will also need to be updated to reflect this change.

5. Legitimate interests and direct marketing

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This not insignificant line currently sits in a GDPR recital, and as such it is not legally binding and simply provides a helpful interpretation of the law. Under the DUA Act, however, it will be set in stone that legitimate interests is an acceptable lawful basis for direct marketing purposes.

While there are concerns this will lead to more ‘spam’ marketing, the direct marketing rules under PECR (Privacy and Electronic Communications Regulations) will still apply, so legitimate interests will only be an option when the law doesn’t require consent.

6. Recognised legitimate interests

The concept of ‘recognised legitimate interests’ is to be introduced, whereby organisations will not be required to conduct a balancing test (i.e. a Legitimate Interests Assessment) when relying on this lawful basis – but only for specific, recognised purposes. The list of recognised legitimate interests includes the following (and may be expanded):

  • Disclosures to public bodies, where it is asserted that the personal data is necessary to fulfil a public function.
  • Disclosures for national or public security, defence purposes, or emergencies.
  • Disclosures for the prevention or detection of crime and the safeguarding of vulnerable individuals.

In preparation, a process should start by reviewing processing activities which rely on legitimate interests and assess if any will become ‘recognised’. This may be particularly helpful for private and third sector organisations which have direct relationships with public bodies involving the sharing of personal data.

7. Charities and the marketing ‘soft opt-in’

The use of the ‘soft opt-in’ exemption to consent for electronic marketing will be extended to charities. This means charities will be able to provide supporters and donors with an ‘opt-out’ mechanism rather than an ‘opt-in’ to marketing emails (and/or SMS), if the following specific conditions are met:

  • The sole purpose of the direct marketing is for the charity’s own charitable purpose(s)
  • Contact details were collected when the individual expressed an interest in the charity’s purpose(s) or offered or provided support to further the charity’s purpose(s).
  • An opportunity to refuse/opt-out is given at the point of collection, and in every subsequent communication.

To prepare, charities can consider whether they wish to switch from consent and assess whether this will be relatively straightforward to implement in practice.

8. Cookies and similar technologies

The DUA Act will extend the exceptions to consent from only ‘strictly necessary’ cookies to include other specific types of ‘low risk’ cookies and similar technologies. The exemption will be permitted for certain statistical purposes and for optimising website appearance, as long as clear information is provided and users are given a straightforward ability to opt out.

Alongside these changes under the DUA Act, the ICO is reviewing PECR consent requirements to, in its words, “enable a shift towards privacy-preserving advertising models”. This autumn, a statement is expected on ‘low risk’ advertising activities which in the ICO’s view are unlikely to cause harm or trigger enforcement action.

In preparation, a cookie audit can be conducted to identify which of the cookies in use may qualify as ‘low risk’, and to prepare updates to the company’s consent management platform (CMP) and the cookie information provided.

9. PECR fines

Fines for infringements of the Privacy & Electronic Communications Regulations, which govern electronic direct marketing, cookies and similar technologies, are set to significantly increase.

Currently the maximum fine under PECR is capped at just £500k. The limits will be brought in line with the much more substantial fines which can be levied under UK GDPR – up to a maximum of £17,500,000, or 4% of the organisation’s total annual worldwide turnover from the preceding financial year, whichever is higher.

The ICO issues more fines under PECR than under UK GDPR or the DPA, so the message is clear: ensure compliance with the PECR rules, as the cost of enforcement action could be far higher.

It’s also worth noting what constitutes ‘spam’ is to be extended to include emails and text messages which are sent but not received by anyone. This will mean the ICO will be able to consider much larger volumes in any enforcement action.

10. Compatible processing

Currently, UK GDPR makes it tricky to reuse personal data for new purposes, and the DUA Act aims to make this slightly easier by listing specific compatible purposes for which organisations will not need to undertake a compatibility assessment.

11. Scientific research

There are detailed changes in relation to scientific research. To briefly summarise, the definition of ‘scientific research’ is to be clarified and will explicitly state research can be a commercial or non-commercial activity. Consent for scientific research is to be adapted, in part driven by a desire to make it easier for personal data collected for specific research to be reused for other scientific research purposes.

12. Data protection by design to protect children

When assessing appropriate ‘technical and organisational measures’ in relation to online services likely to be accessed by children, organisations will be legally obliged to take account of how children can best be protected right from the design phase, recognising that children merit additional protection and have different needs at different ages and stages of development.

Such measures strengthen the need to adhere to the UK Children’s Code.

13. Smart Data schemes

The DUA Act will give the Government the ability to pass secondary legislation to enable business data sharing. The aim is to implement Smart Data schemes to grow the UK economy, encourage competition and benefit consumers. Currently the UK has data sharing models for open banking, and the plan is for similar models to be extended to other sectors such as telecoms, healthcare, insurance and energy.

14. Digital verification services

The Act will create a framework to enable the introduction of trusted digital verification services. The idea is that people will be able to prove their identity via trusted digital identity providers, without having to provide a physical form of ID or other documentation.

Digital ID verification has been adopted successfully by certain businesses but take up is patchy and the Government is keen to accelerate progress. It’s hoped this new framework will simplify processes such as registering births and deaths, starting a new job, and renting a home.

15. New Information Commission

The Information Commissioner’s Office is set to be replaced by an Information Commission, which will be structured in a similar way to the FCA, OFCOM and the CMA – as a body corporate with an appointed Chief Executive. It’s anticipated this change will come into effect in 2027.

Timeline:

Summer 2025

  • Data Subject Access Requests – update to detailed Right of Access guidance
  • Substantial public interests’ conditions – a new interactive tool
  • Cookies & similar technologies (Part 1) – update to ‘cookie guidance’ and renamed ‘guidance on storage and access technologies’

Winter (2025/26)

  • Direct marketing and Privacy and Electronic Communications Regulations guidance – update to existing guidance
  • Complaints procedures – new guidance for organisations on how to handle data protection complaints
  • Lawful basis of recognised legitimate interests – new guidance
  • Legitimate interests – update to existing guidance
  • International data transfers guidance – update to existing guidance
  • Cookies & similar technologies (Part 2) – (‘guidance on storage and access technologies’).
  • The purpose limitation principle – updated and enhanced guidance
  • Anonymisation and pseudonymisation for research purposes – guidance

Spring 2026

  • Automated Decision Making (ADM) and Profiling – updated guidance
  • Research, archiving and statistics provision – updated guidance
  • SME data essentials – guidance
CONTACT
+44 (0)20 7079 2503
Artillery House
11-19 Artillery Row
London
SW1P 1RT

REGISTERED OFFICE
PBHRC LIMITED
64 High Street
Wanstead
London
E11 2RJ