Publish date: 11 July 2025

The UK Data Use and Access Act 2025 – what businesses need to know

The Data Use and Access Act 2025 (the DUAA) introduces significant updates to UK data protection law. While it does not replace the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) or the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), the DUAA amends and builds on them to modernise how personal data is used, accessed and protected in an increasingly digital economy.

Given these changes, businesses should proactively assess the impact of the DUAA on their operations, focusing on whether any updates will be required to their internal processes and policies (including cookie policies, privacy policies and privacy notices).

Below are some of the key changes under the DUAA.

International transfers

The threshold for assessing international transfers has shifted slightly. Instead of requiring ‘essentially equivalent’ protection, the standard of protection in the recipient country must now be not ‘materially lower’ than that provided under UK law. The DUAA’s provisions effectively replace Chapter V of the UK GDPR in this respect.

Subject access requests (SARs)

Under the DUAA, organisations are required to respond to subject access requests by providing personal data that can be located through searches that are “reasonable and proportionate.”

Recognised legitimate interests processing

A new category of recognised legitimate interests allows processing without balancing against the individual’s rights, for activities such as national security or public safety. The DUAA also clarifies that certain activities (e.g. direct marketing, intra-group transfers (which includes transfers between affiliate institutions, subsidiaries or group companies), network security) are more likely, but not automatically, to satisfy legitimate interest requirements.

Automated decision making (ADM)

While the DUAA relaxes some previous restrictions, there is still a prohibition on the application of ADM involving special category personal data and where there is ‘no meaningful human involvement’.

Scientific research

The definition of ‘scientific research’ under the DUAA can include any research that can reasonably be classified as scientific, whether it is commercial or non-commercial. The definition of historical research is also amended to expressly include genealogical research.

Data protection complaints

Organisations must help those wishing to raise a complaint regarding their use of personal information (e.g. by providing an online complaints form / process) and must respond within 30 days ‘without undue delay’.

PECR

The DUAA makes a number of changes to PECR including:

a) Fines – fines for breaches of PECR have been increased to UK GDPR levels (the higher of £17.5 million or 4% of global annual turnover).

b) Cookies and tracking – organisations will now be able to set some types of cookies without visitors’ consent, for example cookies set for statistical purposes or to improve the functionality of the website. This exception will be subject to various conditions, including around transparency, the right to object and not using the collected data for any purpose beyond the scope of the exceptions.

Organisations operating in the EU will have to consider whether it is practical to adopt different approaches in different jurisdictions.

c) Soft opt-in for charities – charities may now rely on the soft opt-in rules for electronic marketing communications, which were previously not available to them, provided all other statutory conditions are met.

Information Commission

The Information Commissioner’s Office (ICO) will become the Information Commission and will now be able to conduct mandatory interviews and demand production of documents during investigations.

Smart data

The DUAA establishes a framework for smart data schemes, enabling individuals and businesses to securely share data with authorised third parties, with the aim of promoting innovation and competition across sectors like finance, utilities and telecoms. Users will be able to share data such as pricing, usage and service performance. The government aims for these schemes to support tools like personalised recommendations, cost-saving advice and simple provider switching.

Further details will follow through secondary legislation, with the energy sector identified as an early focus, particularly for carbon reporting and price transparency.

Digital verification services

The DUAA updates the UK’s rules on digital ID services, including e-signatures and eIDs. A new trust framework will set out standards for providers, who can apply for certification and be listed on an official register. The DUAA will also enable data sharing between certified providers and public bodies, so that digital IDs can be used for checks like right to work or right to rent. The aim of this is to increase efficiency by reducing the need for organisations to collect personal data.

Next steps

Organisations may wish to review their data governance, update documentation and contracts, and assess compliance gaps, particularly if they operate in regulated or data-driven sectors. They should also monitor forthcoming secondary legislation implementing aspects of the DUAA, particularly sector-specific rules, and update contracts with suppliers and partners accordingly.

Our experienced team can help ensure your commercial agreements evolve with your business needs while maintaining robust legal protection. Contact us to discuss how we can support your contract review and optimisation strategy for 2025 and beyond.
