
The Data (Use and Access) Act 2025 (DUAA)

Data protection rules in the UK have changed again. Parliament granted Royal Assent to the Data (Use and Access) Act 2025 (DUAA). 

This marks the most significant update to UK data protection law since Brexit. The Act reforms how data is governed, aiming to modernise regulation, enhance public service delivery, and encourage responsible innovation. For organisations, this means greater opportunities to share data securely while continuing to meet high protection standards.

Reforming the UK’s Data Framework 

The DUAA introduced amendments to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). These reforms seek to remove unnecessary barriers to data sharing while maintaining high data protection standards. 

A central element of the reform is the introduction of “smart data” frameworks. These schemes, such as open banking and business data portability, allow individuals and businesses to access and share data more easily and securely, enabling more tailored and efficient services.

New Lawful Bases for Data Processing 

The Act introduces Recognised Legitimate Interests, which can be used without applying the usual balancing test. These include areas such as national security, public health, fraud prevention, and safeguarding.

For commercial purposes, such as marketing and internal data transfers, the standard balancing test still applies, ensuring individuals’ rights remain protected.

Clarifying Rules Around Automated Decision-Making 

The DUAA provides clarity on automated decision-making (ADM). It permits ADM where it does not involve special category data and where safeguards are in place. These include:

  • The right to human review.

  • Transparency around decision-making processes.

  • Mechanisms to challenge outcomes.

This offers certainty for organisations using AI-driven tools, while protecting individuals from unfair or opaque decisions. 

Changes to Consent Requirements 

Consent requirements have been simplified, particularly online. For example, websites are no longer required to obtain explicit consent for cookies used for analytics or site functionality; a clear informational notice is sufficient.

Charities also benefit, as they may now apply a soft opt-in approach for email marketing to previous donors, reducing administrative burden.

 

A More Proportionate Approach to DSARs 

The Act has introduced a more practical framework for Data Subject Access Requests (DSARs). Organisations are now required only to conduct searches that are “reasonable and proportionate” based on the circumstances.

A new “stop-the-clock” provision also allows the statutory response deadline to be paused while waiting for necessary clarification. This eases compliance without restricting individuals’ rights to access their data.

Enhancing Safeguards for Children 

Organisations offering services that are likely to be accessed by children must now implement measures that reflect the developmental needs of young users. This builds upon the Age-Appropriate Design Code, further strengthening protections around children’s digital data.

 

Stronger ICO Powers 

The Act also expands the enforcement powers of the Information Commissioner’s Office (ICO), including the ability to:

  • Compel organisations to produce technical reports.

  • Require individuals to give evidence during investigations.

  • Issue fines under PECR of up to £17.5 million or 4% of global annual turnover.

This reflects the government’s commitment to ensuring data handling is not only compliant but also ethical and transparent.

Implementation Timeline 

The DUAA is being rolled out in stages:

  • 20 June 2025: The new DSAR provisions came into effect immediately following Royal Assent 

  • June 2025 to June 2026: Remaining measures will be introduced gradually over the next 12 months 

  • Ongoing: The ICO and other regulatory bodies will continue to release updated guidance and sector-specific resources to support implementation 

 

Preparing for Compliance 

The Data (Use and Access) Act 2025 introduces a modernised framework that supports both innovation and the responsible handling of personal data. Organisations should review and, where necessary, update policies, training, and governance procedures to align with the new requirements.

As the provisions continue to roll out, staying informed and responsive will be essential. The latest government guidance is available at:  www.gov.uk/guidance/data-use-a...
