The Data (Use and Access) Act 2025


What UK Businesses Need to Know

The Data (Use and Access) Act 2025 (DUAA) is now law. It received Royal Assent on 19 June 2025 and its provisions have been rolled out in stages. If you run a business in England and Wales, the changes affect you directly, whether you realise it yet or not.

The DUAA does not replace the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations 2003 (PECR), but it makes changes to all three. The aim is to make compliance simpler, encourage innovation, and support responsible data sharing, while maintaining the core protections individuals rely on.

Richard Hull, Data Protection Solicitor, JPP Law, puts it this way:

“The Data (Use and Access) Act 2025 is best viewed as a modernisation of UK data protection law. It seeks to strike a balance between supporting innovation and economic growth while preserving public trust in how personal information is used. Organisations should not assume the changes are purely administrative. The Act introduces new obligations, new rights for individuals and revised compliance expectations, meaning now is the ideal time for businesses to review their data protection framework before the remaining provisions take effect.”

That last point is important. Some provisions are already in force. Others land in June 2026. Businesses that treat this as background noise are taking a risk.

When Do the Changes Take Effect?

Commencement has been staggered. A small number of provisions took effect on Royal Assent (19 June 2025), a further tranche came into force on 19 and 20 August 2025, most of the remaining data protection provisions came into force on 5 February 2026, and the new complaints handling requirements follow on 19 June 2026.

The staggered commencement approach has drawn criticism from some commentators, particularly the timing of the most recent commencement announcement, which gave organisations only a short window before most of the DUAA provisions became operative. The lesson for businesses: do not wait until commencement is imminent to start preparing.

The Key Changes

Recognised Legitimate Interests

The DUAA introduces a seventh lawful basis for processing personal data under Article 6(1) of the UK GDPR: “recognised legitimate interests” (RLI). A lawful basis is the legal justification an organisation relies on when processing personal data.

The processing activities considered to fall within recognised legitimate interests include: processing necessary for national security, public security and defence purposes; processing necessary for the detection, investigation or prevention of crime; responding to requests made by bodies acting in the public interest; and processing necessary for the safeguarding of vulnerable individuals.

Processing personal data based on “recognised legitimate interests” will not require a further “balancing test” to be carried out. A balancing test, or legitimate interests assessment, is the exercise organisations normally perform to weigh their interests against the impact on individuals. For activities in the recognised list, that exercise is no longer required.

For most commercial activities, however, the standard legitimate interests test still applies. This means organisations must continue to carefully assess and document their reasoning, particularly where data use may not be obvious to individuals.

Automated Decision-Making

This is considered one of the boldest changes introduced by the DUAA. The previous rules were framed as a general prohibition on automated decision-making, except where certain limited conditions applied. According to the UK Government, the rules were too complex, leaving organisations unclear when they could engage in such activity.

Automated decision-making (ADM) means using technology to make decisions about individuals without meaningful human involvement. Credit scoring, recruitment screening, and insurance pricing are common examples.

In practical terms, businesses may now rely on lawful bases such as legitimate interests for ADM that does not involve special category data (such as health information). Where ADM is used to make significant decisions about people, organisations must still implement safeguards. Those safeguards include providing people with information about significant decisions made about them, enabling them to make representations, enabling them to obtain human intervention, and enabling them to contest the decision.

This is a significant shift in approach from the EU position under GDPR and makes it considerably easier for UK businesses to use automated decision-making in their internal processes than in the EU.

Subject Access Requests: Clearer Rules

A subject access request (SAR) is the mechanism by which an individual asks an organisation what personal data it holds about them. The DUAA clarifies how those requests should be handled.

The DUAA clarifies that searches in response to SARs are limited to “reasonable and proportionate” searches, and codifies the “stop the clock” provision, where the response deadline is paused when further information is required from the requester. Controllers must be able to demonstrate that clarification is reasonably required in order to respond.

Employers and other organisations may benefit from clarified and streamlined requirements for responding to SARs. These changes codify what was already good practice and ICO guidance. For many businesses, the practical effect is modest, but the rules are now on a statutory footing, which means the ICO can enforce them directly rather than relying on guidance.

Cookies and Electronic Communications

The DUAA brought changes to the cookie regime under PECR, which came into force on 5 February 2026.

Previously, organisations needed consent for almost all cookies except those strictly necessary to provide a service. The DUAA now allows information society service providers, that is, websites and mobile apps, to set certain low-risk cookies, such as statistical cookies used to improve the service, without obtaining prior user consent. However, this is not an unrestricted exemption: organisations still need to inform users and give them a simple means of objecting, and higher-risk cookies such as advertising and social media cookies continue to require consent.

The enforcement stakes have also risen significantly. The maximum fines under PECR now match those under the UK GDPR: the higher of £17.5 million or 4% of global annual turnover. Previously, the maximum fine was £500,000. That is not a marginal increase. It elevates cookies from a “website issue” to a genuine legal and financial risk area.

International Data Transfers

The DUAA reformulated the test for assessing a third country’s adequacy in connection with international data transfers. The newly introduced “data protection test” requires the Secretary of State to assess whether the standard of protection in a third country is “not materially lower” than the standard in the UK.

This replaces the previous “essentially equivalent” standard. The data protection test is also to be applied by controllers and processors before they may transfer personal data to a third country in reliance on “appropriate safeguards”, such as standard contractual clauses. Standard contractual clauses are pre-approved contract terms used to legitimise data flows to countries without an adequacy decision.

On 19 December 2025, the European Commission renewed the UK’s adequacy decision until 27 December 2031, indicating that the UK’s current legislative direction is not, for now, considered to undermine the overall level of data protection in the UK as assessed from an EU perspective. Transfers from the EU to the UK can therefore continue under the existing framework for the time being.

Children’s Online Protections

One of the most significant changes brought about by the DUAA is the new requirement for certain online services likely to be accessed by children. Such services must now take account of specified “children’s higher protection matters”, including how best to protect and support children when using the service and the fact that children merit specific protection with regard to their personal data.

The DUAA gives statutory weight to the approach of the ICO’s Children’s Code (the Age Appropriate Design Code), making it a legal obligation for service providers to consider children’s needs when designing their platforms. If your business operates any digital service that children are likely to use, this is a direct operational obligation, not simply an aspirational standard.

The New Complaints Procedure (June 2026)

One of the most significant new obligations under the DUAA is the requirement for all organisations to establish a formal data protection complaints procedure by 19 June 2026.

Under section 164A of the Data Protection Act 2018, inserted by Section 103 of the DUAA, individuals are granted a statutory right to complain directly to a data controller if they believe their personal data has been processed in breach of data protection law. There are no exemptions.

Once a complaint is received, the controller must acknowledge it within 30 days. The statutory clock begins the day after receipt, including where the complaint is received on a weekend or public holiday. The organisation must begin enquiring into the complaint without undue delay.

The ICO also expects controllers to publicise their complaints process in their privacy notice, in responses to data subject access requests, and at the point of data collection. Privacy notices will need updating before 19 June 2026 to include information about the right to complain to the controller.

What Businesses Should Do Now

While the changes are not a complete overhaul, they do require a proactive review of existing practices. Key areas to focus on include reviewing cookie use, consent mechanisms and tracking technologies. More broadly, the following actions are worth prioritising:

Review your lawful bases. If you rely on legitimate interests for any processing, check whether the new recognised legitimate interests category applies and update your records of processing activities (ROPAs) and privacy notices accordingly.

Audit your automated decision-making. If you use automated tools to make decisions affecting individuals, map those processes and confirm the safeguards you have in place.

Update your cookie notices and banners. Conduct an audit of cookies and tracking technologies to check if a new exemption applies, and update cookie notices or banners to reflect new exemptions and consent requirements.

Review your SAR process. Confirm that your procedures reflect the “reasonable and proportionate” search standard and the stop-the-clock provisions.

Build your complaints procedure. Decide who receives data protection complaints, how they are logged, how acknowledgement within 30 days will be tracked, and how outcomes are communicated, then update your privacy notice and SAR responses to reference the right to complain to you.

If you want to be certain of compliance, our data protection solicitors offer a data protection audit service. They can work through each of these areas with you and identify where your current framework needs updating.

Where the DUAA Sits in the Wider Picture

The DUAA is part of the UK’s post-Brexit effort to shape its own data protection landscape. It forms part of the UK Government’s wider data reform programme, designed to modernise how personal data is used across the economy while maintaining core privacy protections. The Government has positioned the reforms as a way to reduce unnecessary administrative burden on organisations and improve the practical use of data.

That stated aim is broadly reflected in the Act. Some of the changes genuinely reduce compliance burden. Others (the complaints procedure, the elevated PECR fines and the children’s online protections) add material obligations. Any business that treats the DUAA as purely deregulatory is misreading it.

The ICO, which continues as the UK’s data protection regulator (though it is expected to be renamed the Information Commission), is continuing to publish updated guidance as each stage comes into force. The ICO has signalled a measured approach to enforcement during this transition period, particularly for areas where guidance is not yet finalised. That measured approach will not last indefinitely. The window to get your house in order is now.
