UK’s Data Use and Access Act 2025: What It Means for Organisations

Published at 13:25 on 08 Aug 2025

On 19 June 2025, the UK Parliament enacted the Data Use and Access Act 2025 (DUAA)—a long-anticipated refinement of the UK’s data protection framework. While not a wholesale overhaul, the DUAA introduces targeted amendments to the UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR). For organisations operating in or with the UK, the DUAA signals a shift toward greater flexibility, innovation, and regulatory clarity.

Table of Contents

What Is the DUAA?

The DUAA is designed to modernise the UK’s data governance landscape by:

  • Promoting responsible data sharing
  • Supporting digital identity verification
  • Enabling scientific and commercial research
  • Easing compliance burdens for organisations

Rather than replacing existing laws, the DUAA amends them to reflect evolving technological, economic, and societal needs. Most provisions will be phased in between August 2025 and June 2026 via secondary legislation.

Key Changes Introduced by the DUAA

The DUAA introduces low-risk exemptions for cookies used in statistical analysis, fraud prevention, and website functionality. Consent is no longer required for these categories, reducing “consent fatigue” and aligning with commercial realities.

This means that organisations can streamline cookie banners and focus consent mechanisms on high-risk tracking technologies.

2. Automated Decision-Making (ADM)

The DUAA expands the lawful bases for processing to ADM (which was previously restricted to contract and consent), allowing organisations to rely on legitimate interests in certain contexts (although not for processing sensitive (special category) information). Safeguards remain essential, including transparency, human intervention, and challenge mechanisms.

Businesses using AI and algorithmic profiling can operate with greater confidence, provided they uphold fairness and accountability.

The Act clarifies that commercial research qualifies as scientific research. Individuals may now provide broad consent for research areas, rather than granular consent for each data use. Organisations will also be allowed to use people’s personal information for scientific research without giving them a privacy notice, if that would involve a disproportionate effort. So long as their rights are protected in other ways and explained in a published privacy notice.   

Life sciences, digital health, and AI sectors will benefit from streamlined consent models, especially when processing sensitive data.

4. Recognised Legitimate Interests

A new lawful basis allows data processing without the traditional balancing test (and LIA) for specific purposes, including:

  • Crime prevention
  • National security
  • Emergency response
  • Safeguarding vulnerable individuals

This means that organisations can act swiftly in critical scenarios without complex legal assessments.

5. Restructuring the Information Commissioner’s Office (ICO)

The ICO will undergo internal reforms to improve transparency, responsiveness, and guidance delivery. A new governance framework will support its expanded role in overseeing digital identity, open data, and emerging technologies

New Requirements

Children and online services

Organisations that provide an online service that is likely to be used by children, are now explicitly required to take their needs into account when deciding how to use their personal information.

Data protection complaints

The DUAA requires organisations to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. Organisations also have to acknowledge complaints within 30 days and respond to them ‘without undue delay.’

Other issues

Further Processing Compatibility

The DUAA introduces a non-exhaustive list of compatible purposes for further processing, such as legal compliance and public interest archiving. This reduces uncertainty around data reuse.

Soft opt in’ for charities

The amendments allow charities to send electronic mail marketing to people whose personal information is collected when they support, or express an interest in, that charitys’s work, unless they object.

What’s Next for Cross-Border Data Transfers?

The DUAA’s alignment with EU standards was a critical factor in the European Commission’s decision to renew the UK’s adequacy status. On 22 July 2025, the Commission launched the renewal process, concluding that the UK continues to offer an essentially equivalent level of protection.

Adequacy Decision Timeline

  • June 2021: Original adequacy decision granted
  • June 2025: Scheduled expiry
  • December 2025: Extended deadline for renewal
  • July 2025: Draft adequacy decision published

Pending approval by the European Data Protection Board, EU Member States, and European Parliament, the renewed adequacy decision could remain valid until 2031.

Organisations can continue transferring personal data between the UK and EEA without additional safeguards, preserving operational continuity.

DUAA Preparation Checklist

The UK ICO has published this helpful preparation checklist:

  • Familiarise yourselves with the changes that the DUAA makes to data protection law using this guidance. Read our detailed summary, if you want more information. 
  • If you provide an online service that children are likely to use, make sure you are doing enough to satisfy the new explicit requirement to consider their needs. You should be on track if you already conform to our AADC.
  • Start thinking about how you can help people to make complaints.  
  • Review the changes that support innovation and make things easier and consider whether you want to take the opportunity to do anything differently or streamline your processes.  

Further Reading: 

DUAA Overview

ICO: What the DUAA Means for Organisations

Cookie Reform

JD Supra: Cookie Consent and the ICO’s New Approach

Scientific Research & Consent

Gov.uk: DUAA Data Protection and Privacy Changes

EU Adequacy Renewal

Lexology: EU Initiates Renewal of UK Adequacy Decision

Daily News Context

BankersAdda: Daily Current Affairs 22 July 2025

Keen to get updates like that in your inbox? Subscribe to our newsletter for our bi-monthly newsletter.

  • This field is for validation purposes and should be left unchanged.

  • We collect and handle all personal information in accordance with our Privacy Policy.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.