The Data (Use and Access) Act 2025 (DUAA) is a new piece of UK legislation that updates how certain personal data and non-personal data must be managed. This article focuses on the privacy implications for handling personal data.
Many of the changes introduced by DUAA are designed to make existing privacy rules less cumbersome (for certain low risk activities), whilst maintaining high standards of protection for individuals. DUAA forms part of the UK Government’s wider agenda of promoting innovation and economic growth.
DUAA represents the UK’s first real divergence from the European privacy regime since Brexit.
What’s new?
The changes are expected to be implemented over a 12-month period, from June 2025, and can be broadly summarised into three areas:
The most notable new requirements are as follows:
Data protection complaints
There is a new requirement on organisations to help individuals complain about how their personal information is used. In practice, this could mean making a dedicated, electronic complaints form available to customers for that purpose. Organisations must now also acknowledge complaints within 30 days and must advise individuals of the outcome of their complaint ‘without undue delay’.
Children and online services
For organisations providing online services likely to be used by children, DUAA introduces a specific obligation to take their needs into account, including by considering the following factors:
- how children can be best protected and supported;
- the fact that children are less aware of the risks and consequences involved and therefore merit specific protection; and
- the different needs children have at different ages and developmental stages.
Research and development
Useful to organisations developing AI products and tools, DUAA clarifies the meanings of ‘scientific research’, ‘historical research’ and ‘statistical purposes’ under the UK GDPR. Notably, ‘scientific research’ now expressly includes ‘commercial research’ and ‘processing [personal data] for technological development or demonstration’.
Automated decision-making (ADM)
DUAA also extends the range of circumstances in which an organisation can use non-sensitive personal data to make significant decisions about people solely by automated means (i.e. without meaningful human involvement). Subject to specific safeguards, DUAA effectively relaxes the UK GDPR restriction on ADM, allowing an organisation to rely on any lawful basis (except the new ‘recognised legitimate interest’ basis – see below) when it makes significant automated decisions about people. This relaxation is likely to benefit the many organisations already using or wanting to use AI to make business decisions, such as in a recruitment context.
Recognised legitimate interests
DUAA introduces a new, standalone lawful basis under Article 6 UK GDPR, labelled ‘recognised legitimate interests’. This new ground is distinct from the pre-existing lawful basis of ‘legitimate interest’. It is designed to give organisations confidence to use personal data in specific ‘recognised’ scenarios - including crime prevention, safeguarding and responding to emergencies - without the need to carry out a balancing test (known as an ‘LIA’) against the rights of the affected individuals. (Organisations should note, however, that the ‘necessity’ test is still required.)
Legitimate interests 2.0
Separately, DUAA amends the pre-existing legitimate interest lawful basis, by giving examples of processing that may fall under its remit. These include direct marketing, intra-group transfers of data for administrative purposes, and ensuring the security of network and information systems.
Purpose limitation
DUAA sets out a new list of personal data reuses, which organisations can assume to be compatible with the purposes for which they originally collected the data. DUAA stipulates two slightly different sets of rules for reusing data, depending upon whether the organisation’s original purpose was based on consent or a different lawful basis. The new reuse provisions are additional to and do not replace the core Article 6 requirement to satisfy a lawful basis for processing generally.
Subject access requests
DUAA helpfully clarifies that an organisation’s obligation, when searching for information in connection with a subject access request, is only to carry out ‘reasonable and proportionate searches’ for relevant information.
International transfers
Alongside some terminology changes (adequacy arrangements will now be referred to as ‘transfers approved by regulations’ and all others as ‘transfers subject to appropriate safeguards’), DUAA tweaks the standard to be met when transferring personal data internationally, including when relying on contractual safeguards. The standard requiring that ‘the protection of natural persons guaranteed by the UK GDPR is not undermined’ is updated to requiring that the standard of protection ‘is not materially lower’ than that provided under the UK GDPR. This will now be known as ‘the data protection test’, which must be met ‘reasonably and proportionately’. In effect, this update codifies the previously case-law based requirement to conduct a transfer risk assessment (TRA) for transfers subject to appropriate safeguards.
Amendments to the Privacy and Electronic Communications Regulations (PECR)
Contrary to speculation, DUAA does not remove the requirement for cookie-consent banners. However, it does relax the rules around consent for certain cookies - specifically, those used to collect information for statistical purposes and improve website functionality.
In practice, this means that organisations will be able to update their consent-collection mechanisms (banners) so that users consent to the use of certain cookies by default. Businesses should be aware that the use of other cookie types (such as those used for advertising purposes) will continue to require express prior consent, so cookie pop-ups on websites will need to remain for now.
Charities and direct marketing
DUAA introduces a new ‘soft opt-in’ option for charities, allowing them to send electronic mail marketing (including email and SMS) without consent. This new option is available provided the marketing is aimed at furthering the organisation’s charitable purposes and is subject to compliance with certain rules regarding how the data was obtained and offering opt-out opportunities.
DUAA introduces changes that enhance the ability of the UK regulator (currently the Information Commissioner's Office (ICO) – soon to be the ‘Information Commissioner’ under DUAA) to enforce data protection law. The updates are designed to make enforcement more proportionate and effective, whilst aligning certain penalties to a level that may have a greater impact on non-compliant organisations.
Increased fining powers
Under PECR, the ICO’s maximum penalty has been raised from £500k to match the UK GDPR standard. This means the ICO can now issue fines of up to £17.5 million or 4% of a company’s global annual turnover (whichever is higher) for breaches of PECR. This is significant given the increasing regularity with which the ICO has been issuing financial penalties for breaches of marketing rules (such as marketing calls or emails without the necessary consents in place).
Enhanced regulatory powers
The ICO has been given new powers to compel cooperation during audits and investigations. This includes the ability to issue ‘interview notices’ that can require a person to attend a formal interview and ‘assessment notices’ that can mandate an organisation to produce a report to assist in an investigation.
What should you be doing?
Online service providers:
- Take all necessary steps to ensure compliance with DUAA’s new requirements regarding protecting children online. Use the ICO’s Age Appropriate Design Code as your starting point.
All organisations:
- Refresh your data protection complaints procedure, considering how you will make complaints easier in practice.
- Assess whether you can now rely on ‘recognised legitimate interests’ for activities such as crime prevention or responding to emergencies, without needing to conduct a balancing test/LIA (though remember the need to consider/conduct a data protection impact assessment (DPIA) in innovative and high-risk scenarios).
- Review your uses of personal data and consider whether you can take advantage of the new rules to reuse that data for compatible purposes.
- Update your subject access request procedure to reflect the clarified scope of conducting ‘reasonable and proportionate searches’ for relevant information.
- Update your TRA methodology for international data transfers to align with the new ‘data protection test’ and its requirement for a ‘reasonable and proportionate’ approach.
- Re-evaluate your data processing for research purposes, including for AI development, in light of the updated definitions of ‘scientific research’ and ‘commercial research’.
- Review your use of ADM processes to determine whether DUAA's relaxation of restrictions allows you to rely on a broader range of lawful bases for making significant decisions about people (subject always to the relevant safeguards).
- Update the cookie consent-collection mechanisms on your business website in line with the relaxed rules for statistical and website functionality cookies (ensure you still obtain express consent for other cookie types, such as those used for advertising purposes).
- Make your marketing teams aware of the higher enforcement risk and penalties under PECR and review their strategies to ensure compliance.
- Consider how you might benefit from DUAA’s developments more broadly, to ensure you are maximising the value of your data in line with the updated legal framework.
If you would like to discuss when and how DUAA’s changes will affect your business, please do not hesitate to get in touch with our data protection team.