The Data (Use and Access) Bill (DUA Bill) has now completed its passage through Parliament and has received Royal Assent, becoming the Data (Use and Access) Act 2025. This landmark legislation modernises the UK’s data protection framework, introducing significant changes for all organisations processing personal data within the UK.
What does the DUA Act mean for your business?
The Bill was officially cleared by both Houses of Parliament as of 11 June 2025, and received Royal Assent on 19 June 2025 as the Data (Use and Access) Act 2025. Now is a good time to review your cookie policies, automated decision-making systems, and procedures for handling data subject access requests to ensure compliance.
If you’re involved in scientific research or the further processing of personal data, it’s important to familiarise yourself with the Act’s updated definitions and legal bases. And if your organisation operates internationally, particularly with the EU, you should keep a close eye on the EU’s adequacy review, which has been extended until the end of 2025.
The Data (Use and Access) Act 2025 is not a complete replacement for the UK GDPR, but it does represent a clear step towards a more bespoke UK data protection framework. It simplifies some rules, introduces stricter ones elsewhere, and points to a future in which the UK’s regulatory approach may gradually diverge from the EU’s, bringing both opportunities and challenges for how you handle data in or from the UK.
How does the new Act fit with existing UK data protection laws?
Businesses in the UK will now need to comply with all three data protection laws:
- UK GDPR: The retained version of the EU GDPR, adapted for UK law post-Brexit.
- Data Protection Act 2018 (DPA 2018): Supplements and provides context to the UK GDPR, including specific rules for public bodies, criminal offence data, and national security.
- Data (Use and Access) Act 2025: The latest legislation, which amends and builds upon the UK GDPR and DPA 2018 and introduces new rules and frameworks (e.g., recognised legitimate interests, updated DSAR handling, smart data schemes).
What this means in practice:
- The UK GDPR remains the primary framework.
- The DPA 2018 still provides important legal details and national-specific provisions.
- The Data (Use and Access) Act 2025 is not a wholesale replacement; instead, it modifies and extends existing laws. Its provisions will override or supplement aspects of the UK GDPR and DPA 2018 where relevant.
So, rather than replacing the existing legal framework, the 2025 Act slots into it, creating a more UK-specific data protection regime.
This layered compliance approach means businesses must:
- Continue applying the UK GDPR and DPA 2018 as the legal backbone,
- Understand how the 2025 Act changes or adds to these obligations,
- Adjust policies, procedures, and contracts accordingly to reflect the updates.
What are the key changes?
- Simplifying legitimate interest assessments: The Act introduces “recognised legitimate interests,” simplifying compliance for certain activities such as crime prevention and safeguarding, though its scope is limited.
- International data transfers: The test for transfers outside the UK will shift from “essentially equivalent” to “not materially lower” protection, a subtle but important change for global businesses.
- DSARs and data subject rights: The Act codifies the requirement for “reasonable and proportionate” searches when responding to data subject access requests, potentially reducing administrative burdens.
- Cookies and marketing: Consent will no longer be required for some non-intrusive cookies, but marketing and cookie compliance will face tougher enforcement, with fines up to £17.5 million or 4% of global turnover.
- Automated decision-making and AI: Restrictions on automated decisions are relaxed except for special category data, supporting innovation but requiring careful risk management.
- Smart data schemes and digital ID: New frameworks will enable more secure data sharing and digital identity verification, opening opportunities for innovation but demanding robust compliance.
- Regulator powers: The Information Commissioner’s Office (ICO) will be replaced by the Information Commission, with enhanced investigatory and enforcement powers.
What should you do now?
Review and update data policies
- Audit current data practices: Map out all personal data flows, including international transfers and third-party sharing.
- Update privacy notices: Reflect new rights, including the statutory right to complain and the changes to DSAR handling.
- Review legal bases: Assess where “recognised legitimate interests” may apply, but do not over-rely on this new basis – its scope is narrow and still requires broader compliance with UK GDPR principles.
Revisit marketing and cookie compliance
- Reassess cookie banners and consent mechanisms: Although some cookies may be exempt from consent, ensure you meet the relevant criteria before modifying your practices.
- Strengthen marketing governance: With higher penalties and increased ICO scrutiny, review all direct marketing and soft opt-in practices, especially if you’re a charity or use email/SMS marketing.
Prepare for Smart Data and Digital ID
- Engage with new frameworks: If your business could benefit from smart data schemes or digital verification, start planning for compliance and potential integration.
- Update contracts and data sharing agreements: Ensure that third-party agreements reflect the new legal landscape and data sharing standards.
Train Your Team
- Educate staff on new rules: Run training sessions on the Act’s changes, especially around DSARs, cookies and legitimate interests.
- Embed data ethics and accountability: The Act’s focus on ethical data use and transparency means staff must be aware of both legal and reputational risks.
Monitor regulatory guidance and secondary legislation
- Stay alert for regulatory guidance: Watch out for news and updates on implementation from the ICO, which will become the Information Commission.
- Prepare for enhanced enforcement: With the new Information Commission’s greater powers, expect more active investigations and higher penalties for non-compliance.
Our Senior Commercial Technology & Data Protection Solicitor, David Sant, comments:
“The Data (Use and Access) Act 2025 is a game-changer for UK data protection. While some compliance burdens may ease, the risks of non-compliance, especially in areas such as marketing and international transfers, are now far greater. Our advice: don’t wait for enforcement. Review your data practices now, update your policies, and train your people. Early action will put you ahead of the curve and help you leverage the Act’s opportunities safely.”
“The Act’s new frameworks for smart data and digital ID will create real opportunities for innovation. But with opportunity comes responsibility. Businesses must ensure robust governance and ethical data use to build public trust and avoid regulatory pitfalls.”
What's next?
The Data (Use and Access) Act 2025 represents more than a regulatory update – it marks a strategic shift in how UK businesses handle, manage, and safeguard personal data. By taking action early, you can mitigate compliance risks, foster trust with stakeholders, and confidently leverage emerging frameworks such as smart data initiatives and digital identity systems.
But the work doesn’t stop here. As secondary legislation, regulatory guidance, and practical enforcement measures continue to develop, it’s essential to stay abreast of ongoing changes and new implementations.
If you need tailored support in updating your policies, managing risk, or aligning with evolving UK GDPR standards, our data protection solicitors can help. We can guide you through the legal, operational, and reputational implications, ensuring your business is ready to lead in a changing regulatory environment.