16 July 2025

The Data (Use And Access) Act's Data Protection Reforms – What Now?

Travers Smith LLP


The Data (Use and Access) Act (DUAA) was a long time in the making: it finally received Royal Assent on 19 June 2025 after weeks of "ping-pong" between the two Houses of Parliament over transparency measures in relation to AI and copyright - measures that were ultimately dropped. The DUAA includes a package of data protection and e-privacy reforms, introduces frameworks for smart data and digital verification schemes and puts the National Underground Asset Register on a statutory footing. Now it is finally here, what happens next? This briefing sets out key takeaways for businesses in relation to the DUAA's data protection reforms.

1 Timing: most measures require secondary legislation to take effect

The Government will phase implementation of the new law, most of which will need to be brought into effect by secondary legislation. The clarification regarding reasonable and proportionate searches in relation to subject access requests is one of only a handful of provisions to apply from Royal Assent (and it has retrospective effect from 1 January 2024). In August 2025, some (but not all) of the ICO's new powers, including the right to call for documents, come into force. It is likely that the data protection and e-privacy reforms, and the other new/updated ICO powers, will be brought in within the next six months, but the rest of the DUAA is likely to take longer (up to 12 months) to get off the ground.

2 There's only a modest impact for most businesses from a data protection perspective

Businesses do not need to make significant changes to their data protection compliance regimes to comply with the DUAA. If they must also comply with EU GDPR, there is even less scope for change, as they will be unable to benefit from the DUAA's limited relaxations in relation to their EU operations.

Automated decision making (ADM)

  • The most far-reaching change to privacy rules to be introduced by the DUAA is the relaxation of ADM requirements, i.e. where a "significant decision" with legal or similar effects is made without meaningful human involvement. Unless special category data is involved, in which case ADM is prohibited unless a narrow set of exceptions apply, the DUAA liberalises ADM to enable controllers to rely on other lawful bases, such as legitimate interests. Meanwhile, the DUAA bolsters data subject rights around ADM, e.g. for data subjects to make representations, contest the decision and require human intervention.

Expanding AI use cases

Once these changes are brought in, it should be easier for businesses to expand their use of AI in areas such as recruitment. Nonetheless, as AI in recruitment is a key area of focus for the ICO, it will be important to keep on top of new guidance in this area before making significant operational changes. The ICO has said that it plans to issue guidance on ADM in Spring 2026.

Data subject rights

While businesses may have hoped for measures to stem the tide of subject access requests (SARs), they will see few changes in practice to SARs because the DUAA has largely codified existing ICO guidance in this regard.

  • There is a new right for data subjects to complain to the data controller. Controllers will need processes to respond to complaints (such as providing a complaint form which can be completed electronically and by other means), acknowledge complaints within 30 days and respond to them "without undue delay". They will need to amend privacy policies to reflect the complaints process.

  • The DUAA has put on a statutory footing current ICO guidance, clarifying that searches in response to subject access requests are limited to "reasonable and proportionate" searches and, in relation to subject access response times, allowing for "stop the clock" where further information is required. SAR handling policies, template letters and staff training should be amended accordingly, if they do not already provide for this.

Cookies

  • The DUAA removes the consent requirement for specified non-intrusive cookies (and similar technologies) including (i) an expanded list of "strictly necessary" cookies (including for security, fraud prevention, fault detection and authentication) and (ii) those used for statistical analysis and improving website functionality. In the latter case, the user must still be informed about these cookies and be given the right to opt out of them. Moreover, businesses which use cookies for advertising and marketing still need to obtain consent. This means that, for most businesses, cookie banners will stay, but there may be more flexibility to rationalise consent boxes. Cookie policies will also need to be updated.

  • However, the price of getting direct marketing and cookie compliance wrong will be higher as a result of the DUAA. Maximum fines under the Privacy and Electronic Communications Regulations 2003 (PECR), currently £500,000, and other ICO enforcement powers for breaches of the cookie and direct marketing rules, are to be aligned with the UK GDPR's much larger fines (up to £17.5 million or 4% of global turnover). It is worth noting here that e-privacy compliance is already a key area of enforcement by the ICO and will continue to be so.

Legitimate interests

  • Most businesses will not benefit from the list of "recognised" legitimate interests which cover public interest purposes such as national security and defence, responding to emergencies and safeguarding vulnerable people.

  • There is a list of other types of processing in the DUAA which "may" count as legitimate interests - direct marketing purposes, sharing data intra-group for internal administrative purposes, and ensuring security of network and information systems. Many businesses will already be using the legitimate interests basis for these types of processing, and they must still carry out a balancing test to rely on it, so these provisions are unlikely significantly to change the position on the ground.

Data transfers

A new "data protection test" in relation to international data transfers applies to enable the Secretary of State to make new adequacy regulations, but it also applies where businesses are carrying out transfer risk assessments in respect of the adequacy of safeguards such as standard contractual clauses. The new test arguably offers more flexibility to take a risk-based approach (provided transfers are subject to the UK GDPR only) than the GDPR "essential equivalence" test: it enables the exporter to consider "reasonably and proportionately" whether the standard of protection in the recipient territory is not "materially lower" than in the UK.

Reforming the ICO

We are all going to need to remember (when the restructuring of the Information Commissioner's Office (ICO) occurs) to refer to the Information Commission rather than to the ICO, and to update documentation accordingly. On 30 June 2025, the ICO announced Paul Arnold as the first CEO of the future Information Commission. Other changes to the Information Commission should be relatively invisible to businesses unless they face enforcement action. In those unfortunate circumstances, a business may find itself on the wrong end of the Information Commission's increased information gathering and investigatory powers, which could ramp up the pressure, particularly in the context of a data breach.

3 The DUAA is unlikely to jeopardise the UK's adequacy

There is now greater legislative certainty for the EU to make its adequacy assessments in respect of the UK which have enabled the free flow of personal data from EU Member States to the UK following Brexit (the review deadline was postponed from June until 27 December 2025). While there has been an open letter from privacy activists urging the European Commission to withdraw the UK's adequacy, the DUAA itself is unlikely to be seen as jeopardising adequacy, but the Commission will not look exclusively at the DUAA in making its assessment.

4 The ICO has issued guidance on the DUAA and there is plenty more to come

The ICO has issued both high level and more detailed guidance on the DUAA reforms. We can expect much more guidance e.g. on complaints, data transfers, recognised legitimate interests and cookies (all scheduled for Winter 2025/26) and automated decision making (Spring 2026).

5 What now?

While there are specific considerations for certain types of business, such as those providing online services to children or carrying out scientific research, most businesses will be relieved to hear that readying themselves for the onset of data protection and e-privacy reforms under the DUAA should not be a particularly onerous task – a far cry, thankfully, from the scramble to comply with GDPR in 2018. Businesses should be reviewing their complaints processes, policies, templates and staff training to adapt them to the new changes, while monitoring for fresh ICO (or IC!) guidance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
