Contact | Search |

The Data (Use and Access) Act receives Royal Assent, bringing change to the UK’s data protection regime

The Data (Use and Access) Act receives Royal Assent, bringing change to the UK’s data protection regime

On 19 June 2025, the UK’s Data (Use and Access) Act 2025 (the “DUA Act”) received Royal Assent.

This new legislation updates the UK’s current data protection regime which comprises of the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (the “PECR”). The DUA Act will come into force in phases, expected to commence at two, six and twelve months after Royal Assent, giving you time to implement the necessary data protection related changes to your organisation.

What does the DUA Act change and how does it impact organisations?

New ‘recognised legitimate interests’ lawful basis: when you use personal data for legitimate interests, you need to balance the impact on the people whose personal data you use, against the benefits arising from that use – this is commonly done by way of a legitimate interest assessment (“LIA”). However, the DUA Act now includes a list of recognised legitimate interests which means for such interests you don’t need to complete an LIA. This list will be in Schedule 4 to the DUA Act which inserts a new annex to the UK GDPR and includes interests such as:

  1. Sharing personal data if a public authority confirms it’s needed for their public task
  2. Using personal data to safeguard national security, public security, or defence
  3. Using personal data to respond to emergencies under the Civil Contingencies Act 2004
  4. Using personal data to detect, investigate, prevent crime, or prosecute offenders
  5. Using personal data to protect vulnerable individuals from physical, mental and emotional harm or neglect and support their well-being

A new ‘assumption of compatibility’: under the purpose limitation principle, if you re-use personal data you have already collected for a different purpose, you must ensure the new purpose is compatible with the purpose you initially collected it for. However, the DUA Act now includes a list of reuses of personal data that are assumed compatible with the original purpose. This list will be in Schedule 5 to the DUA Act which inserts a new annex to the UK GDPR. You can reuse previously consented personal data for a new purpose if necessary for one of the reasons below, but only if it’s not reasonable to obtain fresh consent, such as using personal data to:

  1. assess or collect taxes or duties; or
  2. comply with legal requirements.

‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail and SMS marketing to people whose personal data you collect when they support, or offer support or express an interest in, your work – providing you offered them a chance to opt out when you collected their personal data and you provide them with a chance to opt out in every electronic communication thereafter.

New cookie exemptions: the DUA Act allows you to set some types of cookies without having to get consent. Currently, you must get consent for all non-strictly necessary cookies. The list of exemptions will be in Schedule 12 to the DUA Act which inserts a new schedule to PECR, so you won’t need consent where the cookie or similar technology is for:

  1. the sole purpose of carrying out transmission of a communication over an electronic communications network;
  2. the non-exhaustive examples of strictly necessary purposes listed in the schedule, including security, fraud prevention, fault detection and authentication;
  3. the sole purpose of enabling a service provider to collect information for statistical purposes about how their online service is used;
  4. the sole purpose of enabling a service to adapt its appearance or functions in accordance with someone’s preferences; and
  5. the sole purpose of working out the subscriber or user’s geographical location when they request emergency assistance.

Reasonable and proportional search under data subject access requests (DSARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal data.

Complaints: individuals have certain rights such as the right to be informed, access, object, erase, restrict and rectify their personal data. The DUA Act introduces a right for people to complain to organisations and competent authorities if they think that they’ve used their personal information in a way that doesn’t comply with the law. This is similar to the complaints procedure under Freedom of Information Requests under FOIR. It places an obligation on organisations and competent authorities to:

  1. help people to make complaints, requiring them to take steps such as providing an electronic complaints form; and
  2. acknowledge complaints within 30 days and advise the complainant of the outcome without undue delay.

They must also take appropriate steps in the meantime, such as making enquiries into the subject matter of the complaint and keeping the complainant informed about progress.

Using personal data for scientific research: the DUA Act makes it clearer when you can use personal data for the purposes of scientific research, including commercial scientific research. It makes the following clarifications:

  1. People can give “broad consent” to an “area of scientific research” rather than “specific” consent – as long as: the exact purpose was unknown at the time of consent, the consent aligns with recognised ethical standards for the research area, and individuals are given the option to consent to only part of the processing.
  2. You can re-use people’s personal data for scientific research without giving them a privacy notice, if that would involve a disproportionate effort, so long as you protect their rights in other ways and still explain what you’re doing by publishing the notice on your website.  

Automated decision making – personal data: previously, decisions based solely on automated processing of personal data were restricted unless they were necessary for a contract between you and the individual, permitted by UK law or done with consent from the individual. Now, the DUA Act removes this restriction and allows an organisation to make solely automated decisions in a wider range of situations as long as it has appropriate safeguards in place – such safeguards include:

  1. providing the individual with information about the decision;
  2. allowing that person to make representations about the decision;
  3. enabling that person to obtain human intervention about the decision; and
  4. enabling that person to contest the decision.

There is no change to the restrictions around decision based solely on automated processing of special categories of personal data – they are still restricted unless you have consent from the individual or it was necessary for substantial public interest under the Data Protection Act 2018.

International transfers: various changes have been made to help make transferring personal data internationally easier. For example:

  1. The protection standard for transferring data now requires that it “is not materially lower” than UK GDPR and Data Protection Act 2018 standards (previously, it required that “the protection of natural persons guaranteed by the UK GDPR is not undermined”). This is referred to as the data protection test.
  2. Schedule 7 of the DUA Act form formalises the requirement for an organisation to do a transfer risk assessment for transfers subject to appropriate safeguards (such as standard contractual clauses). It does this by saying that an organisation must meet the data protection test “reasonably and proportionately”.

There are some operational and terminology changes such as: adequacy decisions are now called “transfers approved by regulations”, with the Secretary of State required to consider specific factors for the data protection test, implement ongoing monitoring instead of a four-year review period, gain new powers to recognise and introduce other transfer mechanisms, and make minor adjustments and restructuring to existing transfer requirements.

PECR breaches and enforcement: there are changes to the rules under PECR, including:

  1. the time period within which communications providers need to inform the ICO of a personal data breach from without undue delay or within 24 hours, to ”without undue delay and where feasible, not later than 72 hours after having become aware of it”, aligning it with the UK GDPR requirement to report a personal data breach;
  2. removing the requirement to establish that a contravention under PECR has caused substantial damage and distress; and
  3. allowing the ICO to impose monetary penalties up to a maximum of £17.5m for certain failures to comply, aligning it with the UK GDPR monetary penalty cap.

Changes to the ICO: there are multiple changes around the structure and powers of the UK’s data protection regulator, the Information Commissioner’s Office, such as:

  1. The ICO can compel individuals working for or on behalf of organisations to attend interviews and answer questions if there is suspected non-compliance or an offence under data protection law.
  2. An extension to the time for the ICO to issue penalty notices after a notice of intent from six months to six months or as soon as reasonably practicable.

Are there any new compliance requirements you have to meet?

Yes:

  1. If you provide an online service that is likely to be used by children, the DUA Act explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to the ICO’s Age Appropriate Design Code.
  2. If you don’t already do so, the DUA Act requires you to take steps to help people who want to make complaints about how you use their personal data, such as providing an electronic complaints form. You must to acknowledge complaints within 30 days and respond to them ‘without undue delay’.   

Next steps

  1. Familiarise yourself with the changes that the DUA Act makes to data protection laws.
  2. Map out how the DUA Act can make your organisations compliance with data protection laws easier – such as “should do” and “must do” lists.
  3. Introduce a complaints escalation mechanism to allow individuals to complain to your organisation if they feel that the organisation has not complied with data protection laws.
  4. Implement a data protection compliance programme accordingly.

If you would like more information, please feel free to reach out to one of our dedicated data protection lawyers, or if you would like keep up to date on the latest in data protection, please subscribe to our quarterly newsletter, The Data Download.

AUTHORS

Sacha Wilson Partner

Sacha is a commercial and regulatory lawyer with particular expertise in advertising, digital media and data privacy. He is joint head of the firm’s cross-departmental advertising practice.

Sacha is a commercial and regulatory lawyer with particular expertise in advertising, digital media and data privacy. He is joint head of the firm’s cross-departmental advertising practice.

Sacha advises clients from a variety of sectors, including some of the world’s best known brands, agencies and platforms. He advises on a range of commercial transactions and has particular expertise in advertising-related agreements (such as creative agency, media planning and buying, production and brand partnerships). He is particularly well known for his expertise in digital marketing and adtech.

Sacha also has expertise in general advertising compliance (including prize promotions, native advertising and influencer marketing) as well as ecommerce and online consumer regulations.

Sacha also works within the firm’s retail practice and regularly advises well-known retail brands on a range of retail-focused commercial agreements including distribution, licensing, and franchise agreements.

In relation to data privacy, Sacha has advised on all the key compliance areas, and has worked with a large number of clients on their data protection compliance programmes. He has particular expertise in the data privacy aspects of marketing, adtech and digital media. He frequently advises on the compliance aspects of adtech vendor arrangements, programmatic advertising, mobile apps and digital marketing activities.

Sacha is ranked for advertising and digital media in both The Legal 500 and Chambers and Partners. Sacha speaks and writes regularly about legal issues in the digital world and is frequently asked to speak at industry conferences and comment in the press.

Amy Bradbury Partner

Amy is a partner specialising in reputation management, information law and data privacy.

Amy is a partner specialising in reputation management, information law and data privacy.

Amy has a wealth of experience helping clients protect their reputation, personal information and data. She has a litigation background and advises on all legal areas relating to reputation protection and media law including defamation, privacy, confidentiality, data protection, freedom of information and harassment.

Amy’s practice is international and she acts for a wide range of clients including corporates and brands, global figures, business professionals, high net worth individuals and people in the media and entertainment industries.

Clients often seek Amy’s advice at times of crisis, including when faced with the threatened publication of damaging allegations, private information or personal data by media outlets or others. Amy also has particular expertise in contentious data protection issues including data subject access requests, data breaches and complaints to the Information Commissioner’s Office.

Amy is a ‘Recommended' reputation lawyer in the Spear's 500 index and is recognised in both Chambers and Partners and The Legal 500.

Nadia Ahmed Associate

Nadia is an associate specialising in data protection, privacy and information law.

Nadia is an associate specialising in data protection, privacy and information law.

She advises on compliance with data protection laws and information laws, including the UK and EU General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Freedom of Information Act (FOIA) and codes of practice issued by the ICO and other data protection regulators.

She assist clients with data protection agreements/addendums (DPA), data protection impact assessments (DPIA), drafting and reviewing privacy policies and cookies policies and cookie banners. Nadia handles contentious data protection matters too such as communications with the ICO, personal data breaches and data subject requests such as data subject access requests (DSAR). She keep clients informed of any changes to data protection laws and updated guidance from data protection regulators, and provides training to legal teams and employees on data protection best practices. Nadia has also been seconded to help ensure compliance with GDPR and information law procedures are effective and meet the necessary standards.

Nadia works with a wide range of clients, from small businesses to large corporations, to help them understand their legal obligations and develop data protection strategies and programmes for compliance with data protection laws. Such clients include those in the fashion and retail sector, streaming services, gaming, technology and more.

Nadia has completed the Certified Information Privacy Professionals/Europe (CIPP/E) by IAPP and is a member of the Society for Computers and Law.