How the Data Use and Access laws are changing UK data protection laws
The Data (Use and Access) Act 2025 (DUAA) is a new Act of Parliament that updates several laws governing digital information.
It changes data protection law to promote innovation and economic growth and to make compliance easier for organisations, while continuing to protect people and their rights.
Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law.
The DUAA received Royal Assent on 19 June 2025. The Government will phase in the new law, commencing different provisions through secondary legislation between June 2025 and June 2026.
Key Changes Introduced by the DUAA
International Data Transfers:
The DUAA introduces a new standard for transferring personal data internationally. Instead of requiring that foreign protections be “essentially equivalent” to UK standards, the new threshold is that they are “not materially lower.” This could impact the UK’s data adequacy status with the EU, as the EU may review whether UK data transfers still meet its requirements.
New Legal Basis for Data Processing:
The Act creates “Recognised Legitimate Interests” as a new legal basis for processing personal data. This allows certain activities—such as fraud prevention, public safety, and national security—to be carried out without the need for a traditional legitimate interest balancing test. The Act also clarifies what constitutes a legitimate interest, including direct marketing and internal administrative transfers.
Facilitating Innovation and Research:
The DUAA clarifies when personal data can be used for scientific research, including commercial research. It allows for “broad consent” to be given for research in a general area, and, in some cases, permits the reuse of personal data for research without issuing a new privacy notice, provided other safeguards are in place and information is published online.
Automated Decision-Making:
The Act expands the lawful bases that organisations can use for significant automated decisions about individuals, potentially allowing the use of legitimate interests for such processing, as long as appropriate safeguards are maintained. However, this does not apply to special category data, which remains more strictly protected.
Cookie and Electronic Communications Rules:
The DUAA relaxes some consent requirements for cookies, such as those used for statistical purposes or improving website functionality, making it easier for organisations to use these technologies without explicit user consent.
Data Portability and Digital Identity:
The Act enhances data portability, enabling secure sharing of customer and business data with authorised third parties through “smart data schemes” and “data intermediaries.” It also establishes a legislative framework for digital verification services, supporting the use of digital identities in the UK.
Regulatory Changes:
The Information Commissioner’s Office (ICO) will be succeeded by a new body, the Information Commission, with a board structure and expanded enforcement powers. Penalties for breaches under the Privacy and Electronic Communications Regulations (PECR) will be aligned with those under the UK GDPR.
Data Subject Access Requests (DSARs):
The Act introduces new requirements and clarifications around DSARs, aiming to make the process clearer and more efficient for both organisations and individuals.
Implications for Organisations and Individuals
Organisations will find some processes simplified, particularly around research, innovation, and certain types of data processing.
The changes are designed to promote economic growth and innovation, while still upholding fundamental privacy rights.
Most changes offer new opportunities rather than imposing strict new compliance burdens, though organisations will need to adapt to updated requirements as provisions are phased in over the next 12 months.
The ICO (and its successor) will provide updated guidance to help organisations navigate these changes.
Reforms to the ICO
Corporate restructuring
The current Information Commissioner’s Office (a “corporation sole”) will be rebranded as the Information Commission, a statutory corporate body. Instead of a single Commissioner, there will be a Chair, a Chief Executive (CEO), and a Board of executive and non-executive members, resembling oversight models such as Ofcom or the CMA.
Expanded enforcement powers
The Act adds new tools to the regulator’s toolkit: the ability to compel witnesses to interviews, request technical reports, and issue fines up to £17.5 million or 4% of global turnover under PECR.
Increased transparency and accountability
The DUAA requires the Information Commission to publish annual performance analyses and reports on regulatory action, detailing investigations, timelines, and powers used, which strengthens oversight and public confidence.
Timeline for Change
The Act received Royal Assent on 19 June 2025.
Most reforms are phased in over 2 to 12 months via Commencement Orders, allowing a staged transition.
Structural changes (corporatisation, new governance, board roles) are expected around 2027.
Further information from the Information Commissioner's Office (ICO)
The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations?
The Data Use and Access Act 2025 (DUAA) - summary of the changes to data protection law