ARTICLE
13 August 2025

Are You Ready For The UK's Data Use And Access Act 2025 (DUAA)?

Taft Stettinius & Hollister

Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.

On June 19, 2025, the United Kingdom Parliament enacted the Data Use and Access Act 2025 (DUAA). The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). While the DUAA imposes new requirements on organizations subject to UK privacy legislation, it also clarifies several provisions, making privacy compliance in the United Kingdom more manageable.

The changes under the DUAA began in June 2025 and will be phased in over the next year through June 2026.

Here is a breakdown of the key changes under the DUAA.

  • New Lawful Processing Basis. Under Article (Art.) 6 of the UK GDPR, there are currently six (6) lawful processing bases that permit a person or organization to process personal data. Processing for "legitimate interests" has traditionally required a balancing test, in which organizations weigh their business need for using the personal data against the risks to the rights and freedoms of the individual whose data is processed. The DUAA creates a new processing basis, "recognized legitimate interest," which provides specified instances in which businesses can process personal data without conducting a balancing test. These recognized legitimate interests include processing for direct marketing, transfer of personal data among multinational companies for internal administrative purposes, data processing for crime prevention, safeguarding, responding to emergencies and other specified legitimate interests.
  • New Complaint Requirements. The DUAA amends the Data Protection Act by requiring organizations that are data controllers to help individuals seeking to make a complaint about how their personal data is being processed, such as by providing an electronic complaint form through the organization's website.
    • Complaint Confirmation. An organization must acknowledge receipt of the complaint within 30 days.
    • Complaint Investigations and Outcomes. An organization must also, without undue delay, (a) take appropriate steps to respond to the complaint, such as making inquiries into the subject matter of the complaint and informing the complainant about the progress of the complaint; and (b) inform the complainant of the outcome of the complaint.
  • Clarified Data Subject Rights (DSRs) Requirements. The DUAA eases the DSR obligations imposed on organizations by (i) clarifying when the clock starts and stops when responding to data subject requests and (ii) providing a baseline requirement when locating requested information.
    • Clock Stoppage. Typically, data controllers have one month from the date a request is received to respond to it. Under the DUAA, the clock now stops when a data controller is unable to respond because it needs additional information from the data subject or must verify the data subject's identity. Once the necessary information is received from the data subject, the response time under the UK GDPR's Art. 12 resumes.
    • Proportionate Searches. Along with the clock-stoppage provision, the DUAA requires organizations to make reasonable and proportionate searches for information when responding to data subject requests. Under the DUAA, the UK GDPR's Art. 15 is amended to provide that "the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data." In practice, this means data controllers are not expected to undertake an exhaustive and overburdensome hunt for information. Documenting what a "reasonable and proportionate" search looks like for each type of data subject request will help organizations better manage their time when responding to such requests.
  • Relaxed Consent Requirements for Certain Cookies. The DUAA permits certain cookies to be used without requiring individuals' consent. This relaxed requirement applies to low-risk cookies such as cookies solely used to collect information for statistical purposes or to improve website functionality.
  • Enhanced Children's Data Protection Requirements. The DUAA adds heightened data protection requirements when considering appropriate technical and organizational measures under Art. 25 of the UK GDPR. The DUAA amends the UK GDPR to provide that a data controller must consider the "children's higher protection matters," such as (a) how children can best be protected and supported when using the services; and (b) that children merit specific protection of their personal data because they may be less aware of the risks and consequences associated with certain personal data processing and have different needs at different ages and stages of development.
  • Clarifies What Automated Decision-Making (ADM) Is. The DUAA clarifies that ADM (e.g., AI) is processing where there is "no meaningful human involvement." This revised definition eases the ADM obligations on organizations leveraging ADM tools where a human is involved in the decision-making. Additionally, under this change, organizations can use ADM tools for significant decisions (i.e., decisions that have a legal effect or other significant impact on the individual, such as lending applications or job applications) in wider circumstances, but must implement certain safeguards, such as (i) providing people with information about significant decisions made about them using ADM; (ii) enabling individuals to make representations about and to challenge such ADM decisions; and (iii) enabling individuals to obtain human intervention when ADM tools are used.
    • ADM Tools Used to Process Sensitive Personal Data. The DUAA also allows ADM tools making significant decisions to use sensitive personal data when either the decision is based on personal data the individual has given explicit consent to be processed, or the decision is required by law.
  • Promotes Data Sharing Schemes for Regulated Sectors and Tasks Regulators with Implementing New Tools/Standards. The DUAA empowers the Secretary of State and other regulators to develop additional legislation to permit data sharing and statutory frameworks across regulated sectors in the United Kingdom. The DUAA introduces frameworks and registers such as (i) the digital verification services (DVS) trust framework, designed to enable individuals to prove their identity online; (ii) the National Underground Asset Register (NUAR), into which authorized users input data and through which they access a map of certain underground infrastructure for repair and safety purposes; (iii) a digital register for birth and death dates; and (iv) a digital preservation process, implemented by the UK's Office of Communications (Ofcom), requiring website operators to allow parents to preserve data on a website (e.g., social media) when the site is related to a child's death.
  • Abolition of the UK Information Commissioner's Office ("ICO"). The DUAA amends the Data Protection Act to abolish the UK ICO and replace it with the UK "Information Commission," a governing body selected by the Secretary of State and comprised of between 3 and 14 individuals, which will have the same powers as the ICO.
  • Simplified Data Transfer Requirements. Currently, organizations that transfer personal data from the United Kingdom to countries deemed by the UK ICO to lack adequate data protection laws ("Third Countries"), such as the United States, are required to rely on a data transfer mechanism before exporting the data from the UK. The DUAA now permits the Secretary of State to conduct a data protection test to determine whether a Third Country offers protection that is "materially lower" than the protections offered under the UK GDPR. This "materially lower" standard will likely permit more countries to be considered adequate and lead to more carveouts and exemptions for data transfers, eliminating the need for data transfer mechanisms such as execution of model transfer contracts like the UK International Data Transfer Agreement ("IDTA"), participation in the Data Privacy Framework and so on. The UK ICO's international data transfer agreements and guidance webpage currently states that, due to the DUAA, guidance on data transfers is "under review and may be subject to change."
  • New Scientific Research Carveouts. The DUAA clarifies when personal data can be used for scientific research and expands the "scientific research" definition to include commercial, historical, public health, technological development, fundamental and applied research.
    • Broad Consent for Scientific Research. The DUAA also permits "broad consent" to be used for scientific research. This means consent to "scientific research" is valid even if every specific research purpose is not listed.
    • Privacy Notices. The DUAA also allows personal data that was collected for a different purpose to be reused for scientific research without giving individuals a privacy notice, if doing so would involve a disproportionate effort. Thus, if a company discloses on its website that data collected from the site may also be used for scientific research, there is no need to provide individuals with a separate research-specific notice.

Key Takeaways

While the DUAA creates many favorable changes for organizations doing business in the UK, several of its amendments will require businesses to develop and implement new processes to remain compliant with UK privacy legislation. In preparation for the DUAA amendments, organizations should:

  • Meet with your privacy and IT teams to discuss the DUAA amendments;
  • Identify how the DUAA amendments impact your organization and existing processes;
  • Review existing data subject rights processes and manuals;
  • Begin strategizing how your organization will create a complaint process for individuals in the UK;
  • If your organization collects personal data of children (UK individuals under 16), determine whether heightened technical and organizational measures are needed on your website(s)/mobile application(s);
  • Ask for help!

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
