The Data (Use and Access) Act (DUAA) 2025 is the most significant shift in UK data law since GDPR, and if you’re already managing compliance under UK GDPR and the Data Protection Act 2018, you’ll need to get to grips with its new rules quickly.
Whether you’re running AI models in a tech company, managing consent for marketing campaigns, processing subject access requests in HR, or supplying services in health, finance or government contracts. The DUAA will change how you handle personal data. Some changes will ease the pressure, such as reduced cookie consent requirements and more explicit rules on automated decision-making. In contrast, others will bring more onerous obligations, higher fines, and stricter oversight.
Our data protection solicitors can help you understand how the reforms impact your sector, adapt your compliance frameworks, and provide you with the confidence to meet contractual and regulatory expectations without slowing down your business.
Contents:
How could the DUAA impact your business?
The DUAA doesn’t replace the UK GDPR, the Data Protection Act 2018 (DPA), or the Privacy and Electronic Communications Regulations (PECR), but it amends specific provisions within these laws, as well as initiates new frameworks – including digital verification services, measures for electronic birth and death registration, and Smart Data Schemes.
The impact of the DUAA on you will depend on forthcoming regulatory guidance and secondary legislation. The law will be implemented in phases, so not all obligations will take effect immediately; instead, they will be introduced over time.
You may benefit from clarified rules and streamlined processes in certain areas – including cookie consent exemptions, automated decision-making reforms, codified subject access request search rules and a new ‘recognised legitimate interests’ lawful basis for processing.
At the same time, however, enforcement powers and risk are increasing in some areas, particularly regarding direct marketing under PECR (with maximum fines increased to the higher of £17.5 million or 4% of global turnover) and strict complaints handling requirements.
If you process personal data, the DUAA will impact you in various ways, and some industries will feel the impact more than others.
Exploring the impact on specific key industries briefly:
Scientific research
The DUAA introduces various potential benefits for scientific research. It inserts statutory definitions into the UK GDPR for “scientific research”, “historical research”, and “statistical purposes”, and expressly covers technological development, applied or fundamental research, and public health research. “Scientific research” is defined broadly to cover both non-commercial and commercial research. This could provide you with more clarity if you are engaged in fields such as R&D and health studies.
There are also essential changes regarding consent – put simply, by providing greater clarity and flexibility around consent requirements (including provisions allowing further processing for scientific research where purposes evolve). This could help you if you are not fully clear on your scientific research purposes from the outset of a project.
There is also a limited exemption to the right to be informed, where you may not need to give data subjects privacy information regarding further data processing; for example, where processing is only for scientific research and providing the information would involve disproportionate effort, provided safeguards are in place.
Strategic priorities to consider:
- Map out the use of personal data across your current and planned research.
- Consider updating your privacy notices, consent language, and data protection policies to reflect statutory definitions and consent provisions.
- Train your researchers and ethics teams on relevant DUAA changes which impact projects.
Health and life sciences
If you operate in health and life sciences, the DUAA opens new opportunities, notably by clarifying lawful bases and enhancing flexibility for data sharing and medical research. It makes certain amendments to the Health and Social Care Act 2012.
The DUAA proposes provisions that may facilitate easier access to NHS patient data across trusts, GPs, and ambulance services, which could help reduce delays and improve service integration.
A new helpful ‘recognised legitimate interests’ lawful basis includes safeguarding vulnerable individuals and responding to emergencies, but removes the requirement for a full legitimate interest balancing test (though processing must still be necessary and fall within the list of recognised legitimate interests).
You may also benefit from the more flexible provisions around scientific research, including compatible processing relaxations and transparency exemptions.
There are also important updates to information standards for health and social care.
Strategic priorities to consider:
- Audit your data sharing practices and identify new opportunities under the DUAA.
- Review your research projects and consider opportunities around the relaxation of rules, including research consent.
- Consider whether you can rely on recognised legitimate interests for specific types of processing.
Financial services
If you are in the financial sector, the DUAA will be highly relevant – particularly through its Smart Data provisions and updates around fraud prevention and automated processes, which will need careful preparation.
The DUAA also creates a more transparent legal framework permitting you to carry out solely automated decision-making (such as AI-based assessments) using a broader set of lawful bases, including legitimate interests, provided that the required legal safeguards are in place, and this doesn’t involve special category data.
You may also benefit from the new list of recognised legitimate interests, which includes specific purposes such as fraud prevention and crime reporting. This change enables you to use data for these purposes without conducting a formal Legitimate Interest Balancing Test, saving time since such activities will be deemed legitimate by default.
Strategic priorities to consider:
- Explore potential use of recognised legitimate interests for data processing for matters such as fraud prevention or customer due diligence.
- Prepare for how Smart Data and digital verification schemes could impact and improve your operations.
- Evaluate whether automated decision-making reforms can enhance eligibility checks or improve automation processes.
Technology and digital platforms
If you operate in the technology sector or provide digital platforms, you are likely to feel the impact of the DUAA in several ways. For example, reconsidering cookie consent and cookie banners to face increased regulatory scrutiny regarding PECR compliance.
The DUAA allows you to use certain non-intrusive cookies (e.g. cookies for collecting statistical information to improve a service and for functional purposes), without consent, as long as an opt-out is offered. This may reduce the need for intrusive cookie banners in some instances.
A new framework for digital verification services will allow for the rollout of trusted digital verification schemes. This may help you streamline your onboarding and compliance checks.
If you provide online services that are likely to be accessed by children, you will be required to consider the needs of children when deciding how to use their data. This is particularly critical if your services are offered to children.
Strategic priorities to consider:
- Review your cookie banners, policies and consent practices.
- Evaluate whether automated decision-making reforms can be leveraged
- Prepare for potential opportunities and responsibilities around digital identification verification.
- Verify compliance with direct marketing laws, as fines are increasing significantly.
HR and recruitment
If you manage HR functions or recruitment, the DUAA introduces clarifications which could help you when handling multiple subject access requests. For instance, it clarifies that you only need to carry out ‘reasonable and proportionate’ searches in subject access requests, as opposed to more extensive searches.
Further, it clarifies matters around timeframes for responding and when the clock pauses. These statutory provisions could give you greater confidence, reassurance and certainty when handling subject access requests (particularly from problematic employees). For example, you will not need to carry out exhaustive, disproportionate searches – especially for large, complex or ambiguously worded requests.
However, the DUAA will also require you to tighten up processes – with new requirements around responding to data subject complaints. You will have a more onerous obligation to acknowledge complaints within specific timeframes. Implementing a complaints process in line with DUAA rules will therefore be critical.
Broader bases for automated decision-making may also be helpful from a hiring perspective.
Strategic priorities to consider:
- Update your subject access request policies and processes to reflect the DUAA changes and train the responsible individuals accordingly.
- Train your managers and recruiters on automated decision-making changes and safeguards, e.g. where you use algorithmic tools for recruitment purposes.
- Consider implementing or updating your complaints process in line with the DUAA, including providing a complaints form.
Marketing and eCommerce
The DUAA makes key changes that can significantly impact your marketing and e-commerce activities. For example, you can use specific types of non-intrusive cookies without consent. However, you must ensure any direct marketing and cookie application is carried out strictly in line with legal rules, as the Information Commissioner’s Office (ICO) actively enforces non-compliance in this area and will have enhanced powers to apply UK GDPR level fines.
If you work in marketing, you may benefit from clarified legitimate interest rules. The DUAA clarifies that direct marketing can rely on legitimate interests for these processing activities; however, it is essential to carry out a Legitimate Interest Assessment (LIA).
The DUAA could also potentially open opportunities for you to work with more cross-border collaborators, partners and suppliers, as international data transfers will be assessed by a ‘not materially lower’ test.
If you are a charity, you may also benefit from the ‘soft-opt in’ extension, which has been applied to charities.
Strategic priorities to consider:
- Review your cookie banners and consent processes.
- Prioritise general PECR direct marketing compliance, as you will face increased penalties and risk in this area.
- Carry out or update any Transfer Risk Assessments as necessary to comply with the lower thresholds for international data transfers, but ensure you comply with all applicable data transfer rules (and monitor new regulatory guidance).
Supplying to the Public sector
If you are a supplier to the public sector, the DUAA creates new frameworks that will directly affect the way you manage data in contracts with government bodies and local authorities. Public sector organisations will be expected to rely more heavily on recognised legitimate interests – for example, safeguarding national security or preventing crime – and they will also participate in national data-sharing platforms such as the National Underground Asset Register.
For you as a supplier, this means:
- Increased scrutiny of how you handle personal and operational data shared with public bodies.
- A likely requirement to demonstrate DUAA compliance in tenders, audits and ongoing contracts.
- The need to align your own data governance and security standards with new public sector expectations around lawful bases and transparency.
Strategic priorities to consider:
- Review contract terms to ensure your processing activities align with DUAA obligations placed on public bodies.
- Conduct supplier-side audits and document compliance frameworks that can be evidenced to contracting authorities.
- Train teams on handling government-related data responsibly and prepare for increased frequency of due diligence checks.
Timeframes for compliance
The progress of the DUAA is currently in the early stages and subject to further secondary legislation and regulatory guidance, so you should watch this space closely and plan for its gradual implementation.
Only limited provisions took effect immediately on 19 June 2025; however, most will come into force gradually through secondary legislation.
You can follow the progress on the implementation provisions here.
Regardless of which sector you operate in, you should plan for the gradual implementation of the DUAA rules and seek legal advice from data protection solicitors on how the law will impact you and when you need to implement changes to your operations.
Key compliance actions
The DUAA marks a significant development in UK data protection law. With thoughtful preparation, it offers you opportunities to streamline compliance and support responsible innovation.
We’ve explored some potentially necessary compliance actions from a sector-focused perspective. However, you need to start preparing for the upcoming changes in the rules.
Key actions you can take now include:
- Review and map out all personal data flows across your business functions.
- Ensure your Record of Processing Activities (RoPA) is up to date and accurately records your processing activities, particularly if changes are needed under the DUAA.
- Refresh your data protection compliance and consider which policies, processes and documents need to be updated in line with the DUAA rules.
- Revise your subject access and complaints processes.
- Train your staff on relevant changes under the DUAA.
- Reconsider whether you need to appoint a DPO, particularly to help upskill your business and get to grips with the new law and its requirements.
- Consider how the DUAA changes could benefit your organisation and how you may be able to leverage them, such as relaxations in certain areas.
- Review your PECR compliance and address any gaps promptly, particularly given the increased fines and the ICO’s heightened focus on this area.
- Review your data sharing arrangements and be ready to audit any suppliers to ensure their compliance with the DUAA.
- Monitor upcoming guidance and secondary legislation.
- Importantly, don’t rush to introduce radical changes to your processes before seeking legal advice, as the changes under the DUAA are still relatively new. Plan changes appropriately and carefully, and seek advice from specialist data protection lawyers.
Preparing your business for change
The Data (Use and Access) Act 2025 is already reshaping the compliance landscape. Still, with most provisions rolling out gradually over 2025 and 2026, the steps you take now will decide whether you’re scrambling later or using the reforms to your advantage. For some teams, this means streamlining SAR processes or refreshing privacy notices; for others, it involves rethinking cookie strategies, planning for Smart Data, or reviewing how research data is handled. For suppliers to the public sector, it will be essential to evidence DUAA compliance in tenders and contracts, as government buyers will expect higher standards of data governance.
Our data protection solicitors work with in-house legal teams, compliance leads and operational managers across industries to translate complex reforms into practical next steps. Whether you need sector-specific training, supplier-side audits, or contract reviews for public sector work, we can help you develop a strategy that ensures compliance, reduces risk, and strengthens your commercial position. Acting early means you stay in control, rather than letting the DUAA dictate your pace of change.
