
Publish date: 31 July 2025

Data protection changes ahead: what employers need to know about the DUAA 2025

The Data Use and Access Act 2025 (the ‘DUAA’), which received Royal Assent on 19 June 2025, aims to promote innovation and reduce compliance burdens by updating key UK data protection laws, including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

Key Changes

1. Data Subject Access Requests (DSARs)

The DUAA clarifies that organisations are only required to conduct “reasonable and proportionate” searches when responding to DSARs. It also permits organisations to pause the response timeline when further information or identity verification is needed. These changes codify existing case law and align the UK GDPR with current ICO guidance.

Notably, the proposal from the DPDI Bill to allow refusal of DSARs on grounds of vexatiousness has been dropped. Controllers must continue to rely on the existing threshold of a request being manifestly unfounded or excessive to justify refusal.

2. International data transfers

The DUAA introduces a new threshold for assessing international data transfers. Rather than requiring “essentially equivalent” protection, the new test is whether the protection in the recipient country is not “materially lower” than under UK law. The DUAA’s provisions effectively replace Chapter V of the UK GDPR in this respect.

3. Automated decision-making

The DUAA relaxes some previous restrictions by allowing the full range of lawful bases, including legitimate interests, for automated decision-making, provided appropriate safeguards are applied. However, automated decisions involving special category personal data remain prohibited where there is ‘no meaningful human involvement’.

4. Data protection complaints

Organisations must assist individuals wishing to raise a complaint regarding the organisation’s use of their personal data. This may include providing a complaint form which can be completed electronically or by other means.

If an organisation receives a complaint, it must acknowledge receipt of the complaint within 30 days and respond without undue delay.

5. Information Commission

The Information Commissioner’s Office (ICO) will become the Information Commission and will now be able to conduct mandatory interviews and demand production of documents during investigations.

Next steps

Provisions of the DUAA will be phased in between June 2025 and June 2026. Employers should assess the impact of the DUAA on their operations and consider whether updates are needed to policies such as their data protection policy and privacy notices.

Our Employment law team can provide guidance on data protection compliance, including updating relevant policies and procedures.

Contact us if you need support with your data protection compliance.
