
On 19 June 2025, the UK Parliament enacted the Data Use and Access Act 2025 (DUAA)—a long-anticipated refinement of the UK’s data protection framework. While not a wholesale overhaul, the DUAA introduces targeted amendments to the UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR). For organisations operating in or with the UK, the DUAA signals a shift toward greater flexibility, innovation, and regulatory clarity.
The DUAA is designed to modernise the UK’s data governance landscape by:
Rather than replacing existing laws, the DUAA amends them to reflect evolving technological, economic, and societal needs. Most provisions will be phased in between August 2025 and June 2026 via secondary legislation.
The DUAA introduces low-risk exemptions for cookies used in statistical analysis, fraud prevention, and website functionality. Consent is no longer required for these categories, reducing “consent fatigue” and aligning with commercial realities.
This means that organisations can streamline cookie banners and focus consent mechanisms on high-risk tracking technologies.
The DUAA expands the lawful bases available for automated decision-making (ADM), which was previously restricted to contract and consent, allowing organisations to rely on legitimate interests in certain contexts (although not for processing sensitive, i.e. special category, information). Safeguards remain essential, including transparency, human intervention, and challenge mechanisms.
Businesses using AI and algorithmic profiling can operate with greater confidence, provided they uphold fairness and accountability.
The Act clarifies that commercial research qualifies as scientific research. Individuals may now provide broad consent for research areas, rather than granular consent for each data use. Organisations will also be allowed to use people’s personal information for scientific research without giving them a privacy notice if that would involve a disproportionate effort, so long as their rights are protected in other ways and explained in a published privacy notice.
Life sciences, digital health, and AI sectors will benefit from streamlined consent models, especially when processing sensitive data.
A new lawful basis allows data processing without the traditional balancing test (and legitimate interests assessment, LIA) for specific purposes, including:
This means that organisations can act swiftly in critical scenarios without complex legal assessments.
The ICO will undergo internal reforms to improve transparency, responsiveness, and guidance delivery. A new governance framework will support its expanded role in overseeing digital identity, open data, and emerging technologies.
Organisations that provide an online service that is likely to be used by children are now explicitly required to take their needs into account when deciding how to use their personal information.
The DUAA requires organisations to take steps to help people who want to make complaints about how their personal information is used, such as providing an electronic complaints form. Organisations also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’.
The DUAA introduces a non-exhaustive list of compatible purposes for further processing, such as legal compliance and public interest archiving. This reduces uncertainty around data reuse.
The amendments allow charities to send electronic mail marketing to people whose personal information is collected when they support, or express an interest in, that charity’s work, unless they object.
The DUAA’s alignment with EU standards was a critical factor in the European Commission’s decision to renew the UK’s adequacy status. On 22 July 2025, the Commission launched the renewal process, concluding that the UK continues to offer an essentially equivalent level of protection.
Pending approval by the European Data Protection Board, EU Member States, and European Parliament, the renewed adequacy decision could remain valid until 2031.
Organisations can continue transferring personal data between the UK and EEA without additional safeguards, preserving operational continuity.
The UK ICO has published this helpful preparation checklist: