The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. Although it is not yet in force, the DUAA introduces a number of significant changes to the UK’s data protection framework. Rather than replacing existing legislation, it modifies key instruments such as the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

These amendments are particularly relevant for organisations subject to legal compliance obligations or those operating under ISO standards related to data management, privacy, and information security.
Key Developments

Regulatory Body Reform

The Information Commissioner’s Office (ICO) will be restructured and rebranded as the Information Commission, reflecting broader institutional reform and anticipated changes in oversight and enforcement strategy.

Predefined Legitimate Interests

Certain activities — including direct marketing, intra-group administrative data transfers, network security functions, and public interest disclosures — will be automatically recognised as legitimate interests. This eliminates the need for data controllers to conduct individual legitimate interest assessments in these cases.
Revised Subject Access Request (SAR) Requirements

The DUAA clarifies that controllers are only expected to undertake a “reasonable and proportionate” search when responding to a SAR. Importantly, the response deadline will not begin until the data subject’s identity has been verified, offering organisations greater clarity and procedural control.

Automated Decision-Making

The scope of restrictions on automated decisions producing legal or similarly significant effects has been narrowed. These rules will now apply only when special category data is involved, allowing broader use of AI-driven decisions based on general personal data, such as financial or demographic information.

New Complaint Handling Duties

Data controllers must now implement formal complaints-handling procedures — including accessible tools such as online forms — and must acknowledge receipt of complaints within 30 days. This change places greater emphasis on transparency and accountability in how organisations respond to data subject concerns.

Cookie and Tracking Consent Adjustments

Cookies used for purposes such as analytics, website optimisation, or saving user preferences will no longer require prior consent. This change streamlines compliance obligations for website operators, particularly under ISO standards related to privacy and usability.

Enhanced Penalties under PECR

The maximum fines under the PECR will be aligned with those under UK GDPR, increasing potential financial exposure for non-compliance with electronic communications rules.

Smart Data Sharing Frameworks

The DUAA introduces provisions for “smart data” initiatives, allowing consumers to request that their data held by service providers be securely transferred to authorised third parties. This supports innovation in customer-centric digital services, while raising new data protection considerations.

Digital Verification Standards

The legislation also paves the way for updated regulatory rules around digital verification tools such as e-signatures and electronic ID systems — developments likely to affect organisations pursuing digital transformation or remote onboarding processes.

What This Means for Your Organisation

Much of the DUAA is framework legislation, and its full impact will depend on the publication of accompanying regulations. Organisations operating within the UK — particularly those certified under ISO/IEC 27001, ISO/IEC 27701, or ISO 9001 — should begin reviewing existing data governance frameworks to assess alignment with the DUAA’s new requirements.