The Data (Use and Access) Act 2025 (DUAA) marks the first significant reform to the UK’s data-protection landscape since the introduction of the UK GDPR.
It doesn’t replace current data protection laws but instead makes specific targeted amendments to them.
So, for businesses and compliance teams, this isn’t a wholesale replacement of existing data-protection law but a step toward a more bespoke UK framework: some rules are simplified, new powers are given to regulators, and changes are phased in through 2026.
The result is both opportunity and risk - some changes can enable flexibility and innovation but also require updated processes, documentation and training.
This article explains what the Data (Use and Access) Act means in practice: how it amends the UK GDPR and other privacy laws, examples of key changes now in force, and what practical steps your organisation should take now to prepare for ongoing compliance.
Talk to our data protection solicitors for clear, practical advice on adapting to the DUAA changes.
What does the DUAA mean for your business?
The DUAA received Royal Assent on 19 June 2025. Its changes are being implemented in stages and major data protection changes came into effect on 5 February 2026.
Now is the time to carefully review your compliance practices against the relevant DUAA requirements. What you need to do now isn’t one-size-fits-all and depends on your business activities and how you use data in practice.
- Many businesses should review cookie compliance and procedures for handling data subject access requests (DSARs) - particularly because these issues can impact most commercial businesses.
- Some businesses will have more niche areas to consider. For instance, if you're involved in scientific research, make sure you understand how the DUAA affects the relevant rules and definitions.
- If you transfer personal data out of the UK, review your data transfer governance: the DUAA introduces a new data protection test for such transfers.
- There are also new rules to get to grips with: an important new requirement for a data protection complaints procedure applies from 19 June 2026.
Overall, the DUAA is not a replacement for the UK GDPR and won’t impact your core compliance obligations, but it clarifies and amends some aspects of the UK data protection framework. It simplifies some rules, introduces stricter ones elsewhere, and points to a future in which the UK’s regulatory approach may gradually diverge from the EU’s, bringing both opportunities and challenges for how you handle data in or from the UK. If you’re also operating in the EU, remember the need to comply with separate EU laws as the DUAA only applies to the UK domestically.
How does the DUAA fit with existing UK data protection laws?
Businesses in the UK will need to comply with the following laws:
- UK GDPR: the primary framework for most personal data processing.
- Data Protection Act 2018 (DPA 2018): which supplements the UK GDPR, including specific rules for public bodies, criminal offence data, and national security.
- Data (Use and Access) Act 2025: introduces targeted amendments to the UK GDPR and DPA 2018, makes changes to PECR, and introduces some new rules and frameworks (e.g., digital verification and smart data schemes).
What this means in practice:
- The UK GDPR remains the primary framework.
- The DPA 2018 still provides important legal details and national-specific provisions.
- The Data (Use and Access) Act 2025 is not a wholesale replacement; instead, it modifies and extends certain existing rules.
So, rather than replacing the existing legal framework, the DUAA slots into it, creating a more UK-specific data protection regime.
This layered compliance approach means businesses should:
- Continue complying with the UK GDPR and DPA 2018 as the legal backbone,
- Understand how the DUAA changes or adds to these obligations,
- Adjust your compliance strategy, policies, procedures, and contracts to reflect the updates brought by the DUAA.
What are the key changes?
The DUAA brings a range of changes.
Some of the key changes for businesses to understand include:
- Recognised legitimate interests: introduces a defined category of 'recognised legitimate interests' for certain activities. Recognised legitimate interests are activities where the controller won’t need to carry out the usual full balancing test required under the legitimate interests lawful basis. This potentially simplifies compliance, but only in narrow circumstances.
- International data transfers: adjusts the UK’s approach to assessing protection when transferring data outside the UK, which may affect global transfer governance and contracting. This introduces a new ‘data protection test’ to check if protection in a destination country is not ‘materially lower’ than UK standards.
- DSARs and data subject rights: puts on a statutory footing the concept of 'reasonable and proportionate' searches when responding to DSARs, which may reduce the administrative burden where requests are broad and give you more confidence in defining the scope of your DSAR searches.
- Cookies and marketing: consent will no longer be required for some lower-risk cookies, while marketing and cookie compliance face tougher enforcement risk with much heavier potential fines.
- Automated decision-making and AI: relaxes restrictions in some contexts but keeps strict rules where special category data is involved, increasing the importance of careful review and risk assessment.
- Smart data schemes and digital ID: creates new frameworks designed to enable secure data sharing and digital identity verification, opening innovation opportunities but requiring robust governance controls.
- Regulator governance: the DUAA establishes the Information Commission and reforms the ICO governance model. You’ll need to update your data protection documentation references to align with this in due course.
What’s in force now and what’s next (key dates)
The major data protection changes are already live, so you need to prioritise compliance now.
A requirement for organisations to have a data protection complaints procedure is due to commence on 19 June 2026, but the ICO has already published guidance and you should start preparing for this obligation now rather than leave it too late. A lot of businesses won’t have a formal complaints process in place and will need time to plan ahead and adapt to the changes.
What should you do now?
Review and update data policies and processes
- Audit current data practices: Map out all personal data flows, including international transfers and third-party sharing, so you know what data you use and how it flows through and out of your business.
- Update privacy notices: Check if you need to reflect DUAA changes, including the right to complain.
- Review legal bases: Assess whether 'recognised legitimate interests' may apply, but note its narrow scope in practice and take advice if you're unsure whether it covers your activities.
- Update contracts and documentation: Ensure that contracts, including third-party agreements, reflect the DUAA changes where relevant.
Revisit marketing and cookie compliance
- Reassess your cookie banners and consent mechanisms: Although some limited types of cookies may now be exempt from consent, ensure you check carefully whether you meet the relevant criteria before modifying any of your cookie practices and take advice if you’re unsure.
- Strengthen direct marketing governance: With higher penalties and potentially increased ICO scrutiny, review all direct marketing and soft opt-in practices, especially if you’re a charity or use email/SMS marketing.
Train your team
- Educate staff on new rules: Run training sessions on the DUAA changes - especially around DSARs rules, direct marketing and complaints handling.
- Update your data protection policies: The DUAA’s changes mean you’ll need to bring your policies and procedures in line with any relevant changes for your business.
Prepare for smart data and digital ID
- Consider new frameworks: If you think your business could benefit from smart data schemes or digital verification opportunities, start planning for compliance and potential integration.
Monitor regulatory guidance and secondary legislation
- Stay alert for regulatory guidance: Watch out for news and updates on implementation and guidance from the ICO, which will become the Information Commission.
- Prepare for potentially enhanced enforcement: With the new Information Commission's greater powers, we could see more active investigations and higher penalties for non-compliance. Watch this space, stay compliant, and evidence your compliance to help limit risk as the DUAA's implementation progresses and its real impact unfolds over time.
When to get advice (common triggers)
Consider taking advice where any of the following apply:
- You face high-volume DSARs (especially employee-related) or repeated complaints and need to understand DUAA’s implications on your obligations.
- You carry out international data transfers (customers, group companies, service providers) and need to navigate and evidence your data transfer governance.
- You have material direct marketing/adtech reliance, or multiple brands/business units running campaigns and need a review of your compliance risks in light of increased fines.
- You use automated decision-making/AI in ways that could affect individuals (especially involving special category data) and want to know how the DUAA impacts these activities and your obligations.
- You're heading into a fundraise, M&A or exit, where data governance and policy documents will face due diligence, and you need your data protection house in order to avoid deal breakers.
What's next?
The Data (Use and Access) Act marks a strategic shift in how UK businesses handle and safeguard personal data, and it gives you a good opportunity to refresh and improve your overall data protection compliance with fresh eyes.
Most of the key data protection changes under the DUAA are already active. So, your business should focus urgently on assessing any changed or new compliance requirements and actioning them.
The complaints procedure changes come into force in June, but now is the time to start preparing for the upcoming changes so you’re ready when the rules kick in.
As a next step, take time to understand the DUAA, focus on compliance, and keep your data protection governance up to date and credible so customers, regulators and (where relevant) investors have confidence in your business.
If you need tailored support in understanding how the DUAA applies to your operations, updating policies, managing risk, or aligning operational practice with the evolving UK framework, our data protection solicitors can help.