What the Data (Use and Access) Act 2025 Means for UK Businesses: A Practical Guide

Introduction

On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, marking a significant shift in the UK’s data protection landscape. Designed to modernise aspects of the UK GDPR, DPA 2018, and PECR, the DUAA introduces changes aimed at empowering businesses to innovate while maintaining robust protections for personal data.

In this blog, we break down the key implications of the Act for UK businesses, offer practical next steps, and explain how our consultancy can support your compliance journey.

What Is the Data (Use and Access) Act 2025?

The DUAA is a major legislative update that modifies but does not replace the UK’s core data protection laws. Its aim is to make data protection more flexible, remove ambiguity, and create a business-friendly environment without compromising individual rights.

The Act includes updates that:

  • Clarify the use of personal data in research and innovation.
  • Ease some restrictions on automated decision-making.
  • Permit the use of some cookies without prior consent.
  • Allow charities to send marketing emails under certain conditions without consent.
  • Introduce a new lawful basis called recognised legitimate interests.
  • Require organisations to implement a formal data protection complaints process.

These changes are intended to reduce administrative burdens while maintaining high standards of accountability and transparency.

Key DUAA 2025 Changes You Need to Know

Recognised Legitimate Interests

A new lawful basis under UK GDPR for a closed list of activities set out in a new annex to the legislation: disclosures to public bodies carrying out their public tasks, national security, public security and defence, responding to emergencies, detecting, investigating or preventing crime, and safeguarding vulnerable individuals. For these activities the controller no longer has to carry out the balancing test, so no legitimate interest assessment (LIA) is needed, although the processing must still be necessary for the stated purpose and the other principles (transparency, minimisation, security) still apply. Separately, the Act adds direct marketing, intra-group transfers for internal administration, and network and information security as illustrative examples of ordinary legitimate interests; these still require the usual balancing test.

Tip: Review your existing lawful bases and consider where this new provision may simplify your operations.

Automated Decision-Making

The Act narrows the general restriction on solely automated decisions. Decisions that produce legal or similarly significant effects are no longer prohibited by default unless they rely on special category data (where the stricter rules remain). Where such decisions are made, safeguards still apply: the individual must be told about the decision, be able to make representations, obtain human intervention, and contest the outcome.

Action: Audit any automated systems in place, especially in credit scoring, recruitment, or marketing, and determine if your processes are affected.

Cookies and Online Tracking

The DUAA amends PECR so that certain low-risk cookies and similar technologies can be set without consent: those that are strictly necessary, those used for first-party statistical purposes to improve the service, those that remember appearance or functionality preferences, and those used for security, software updates or emergency assistance. This is a shift from the blanket opt-in model under PECR, but users must still be given clear information and a simple way to object to the analytics and preference cookies.

Action: Update cookie banners and privacy notices accordingly, but don’t remove them entirely — transparency is still required.

Marketing by Charities

The "soft opt-in" that commercial organisations already rely on is extended to charities. A charity may send electronic mail marketing for its charitable purposes without prior consent to individuals who have expressed an interest in, or offered support for, its cause, provided they were given an easy way to refuse at the point of collection and in every subsequent message.

Implication: If you advise non-profits or are part of one, review your lawful bases and consider how this change can support fundraising efforts.

Mandatory Complaints Handling Process

All controllers must now provide a clear route for individuals to complain about how their personal data is used, acknowledge a complaint within 30 days, and respond without undue delay.

Action: Create or refine your internal complaints handling process. This will also assist with ICO investigations if a complaint escalates.

Regulatory Powers and Enforcement

The ICO’s enforcement toolkit is also expanding. Under DUAA, the ICO can:

  • Compel witness attendance for interviews.
  • Request technical documentation or audit reports.
  • Impose PECR fines up to £17.5 million or 4% of global turnover (whichever is higher).

These increased powers show the ICO’s intent to take a more active stance on compliance monitoring and enforcement, especially in tech-heavy industries.

Timeline: When Do You Need to Comply?

The DUAA is being commenced in phases through secondary legislation. A small number of provisions took effect at Royal Assent or shortly after; the government has indicated that most will follow between 2 and 6 months after Royal Assent, with the remainder taking up to 12 months. Now is the time to prepare, as waiting for the final commencement dates may expose your organisation to unnecessary compliance risk.

Practical Steps for Businesses

Here’s how your business can prepare today:

Assess your exposure – Review how the DUAA affects your use of cookies, profiling and automated decisions, complaints handling, and lawful bases.

Update policies and training – Align internal documentation with the new requirements and train staff on what has changed.

Engage your DPO or advisor – Or partner with a trusted data protection consultancy (like us!) to manage the transition.

Consider outsourcing – If in-house capacity is limited, an expert team can run your compliance programme for you.

Why This Matters for UK Businesses

John Edwards, the UK Information Commissioner, described the DUAA as a “catalyst for innovation and growth”. But that only applies if organisations take proactive steps to integrate these changes.

Ignoring DUAA could mean missing out on opportunities to simplify operations, reduce compliance burdens, and even gain competitive advantage through trusted data use.

How We Can Help

Our consultancy supports businesses of all sizes. Whether you need a full compliance review or just help interpreting the new rules, we're here to help you turn complexity into confidence.

Final Thoughts

The Data (Use and Access) Act 2025 is a meaningful evolution of UK data protection law — balancing innovation with accountability. Businesses that act now can embed these principles into their operations and take a leadership position in compliant, responsible data use.

At Compliance Direct Solutions, we specialise in helping businesses navigate complex data protection laws like the DUAA with clarity and confidence. Whether you need tailored guidance, policy updates, or full compliance support, our experts are here to ensure your organisation is not only compliant — but ahead of the curve. Get in touch today to see how we can support your business.