The Data Use and Access Act 2025 received Royal Assent on 19 June. Implementation of the new law will commence in phases with most provisions expected to come into force within two to six months, while some may take up to a year.
The key objectives of the DUA Act involve enabling data sharing and the introduction of digital verification schemes. Alongside this, we’ll see amendments to UK GDPR, the Data Protection Act 2018 and the Privacy & Electronic Communications Regulations (PECR). The level of impact will very much depend on your sector and data processing activities.
No radical shake-up
While significant, this legislation does not usher in radical changes and organisations do not face a big shake up of their approach to data protection compliance. This is not GDPR 2.0. The fundamental principles and obligations for data protection remain unchanged. We predict it will be business as usual for the majority of organisations, with some changes here and there.
Time to prepare
While limited provisions may take immediate effect, there will be time to prepare before the majority of provisions take effect, possibly up to 15 months after the law is enacted. The precise timescales have yet to be published, and we’d advise keeping abreast of developments, and ICO guidance as it comes out. Nothing needs to be done right away.
AI transparency and copyright not included
It’s worth noting the House of Lords lost its battle on AI. A key sticking point, which stalled progress of the Bill until now, was the Lords introducing successive amendments to transparency requirements for data used to train AI models, and the use of copyright materials to train AI. In the end these attempts failed, but an agreement was reached with the Government to publish a report on copyright and AI proposals in the coming months.
15 key changes ahead
1. Solely automated decision-making
UK GDPR currently places strict restrictions on automated decision-making (including profiling) which result in legal or similarly significant effects. This will be relaxed so it only applies to automated decisions using special category data. With any other personal data, there will be a requirement to put in place certain safeguards, such as giving individuals the ability to contest decisions and request human intervention.
This change will give organisations more flexibility to make automated decisions using personal data (but not special category data). For example, when utilising AI systems. To prepare for this change, re-assess your use of solely automated decision-making and look to review relevant processes and policies.
As part of the recently launched ICO AI and Biometrics Strategy, the regulator has committed to:
■ updating its guidance on automated decision making (ADM) and profiling by autumn 2025
■ a public consultation on this updated guidance
■ developing a statutory code of practice on AI and ADM
2. Data Subject Access Requests (DSARs)
Provisions to be introduced on DSAR handling give a statutory footing to existing ICO guidance. In practice this is unlikely to mean any significant changes if you’re already following regulatory guidance, but it does give a degree of extra confidence by being written into UK law. The key points are:
■ the timescale for responding within one calendar month does not start until the organisation is satisfied the requestee is who they say they are
■ when seeking clarification, the clock can be paused while awaiting the individual’s response
■ organisations can conduct a “reasonable and proportionate” search for personal data.
When withholding information is based on legal professional privilege or client confidentiality, a new requirement will mean organisations have to explicitly inform individuals about the specific exemption being applied and the reasons. Individuals will also have the right to request the ICO reviews how these specific exemptions have been applied.
To prepare, you can start to review your current DSAR procedure, if relevant plan how to update response templates to include more explicit information and bolster internal documentation used to justify reliance on these exemptions.
3. The right to be informed
The obligation to provide privacy information to individuals (e.g. under Article 14, UK GDPR) will not apply if providing this information “is impossible or would involve disproportionate effort”.
This is most likely to be particularly relevant where organisations have gathered personal data indirectly, i.e. not directly from the individuals. This was a point of contention in the Experian vs ICO case, where Experian argued it would be disproportionate effort to notify and provide privacy information to the millions of people whose data they process from the Edited Electoral Roll.
4. New Complaints procedure
The legislation includes a new right for individuals to raise complaints related to use of their personal data. These new rules will require controllers to make sure they have clear procedures to facilitate complaints, including providing a complaint form. Complaints will require a response within 30 days. Alongside this, certain organisations may also be obligated to notify the ICO of the number of privacy-related complaints they receive during a specified time period.
Some sectors, such as financial services and those which fall in scope of FOI requests, are already obliged to have complaints procedures in place to meet their legal obligations. These may need adapting to cover these new requirements while for others, procedures will need to be put in place. Privacy notices will also need to be updated to reflect this change.
5. Legitimate Interests & direct marketing
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This not insignificant line currently rests in a GDPR recital, and as such it’s not legally binding and simply provides a helpful interpretation of the law. However, under the DUA Act it will unambiguously set in stone that legitimate interests is an acceptable lawful basis for direct marketing purposes.
While there are concerns this will lead to more ‘spam’ marketing, I’d stress the direct marketing rules under PECR will still apply, so legitimate interests will only be an option when the law doesn’t require consent.
6. Recognised legitimate interests
The concept of ‘recognised legitimate interests’ is to be introduced, whereby organisations will not be required to conduct a balancing test (i.e. Legitimate Interests Assessment) when relying this lawful basis – but only for specific, recognised purposes. The list of recognised legitimate interests includes the following (and may be expanded):
■ Disclosures to public bodies, where it is asserted personal data is necessary to fulfil a public function.
■ Disclosures for national or public security or defence purposes, emergencies.
■ Disclosures for prevention or detection of a crime, and safeguarding vulnerable individuals.
In preparation, you can start by reviewing processing activities which rely on legitimate interests and assess if any will become ‘recognised’. I can see this being particularly helpful for private and third sector organisations which have direct relationships with public bodies involving the sharing of personal data.
7. Charities and the marketing ‘soft opt-in’
The use of the ‘soft opt-in’ exemption to consent for electronic marketing will be extended to charities. This means charities will be able to provide supporters and donors with an ‘opt-out’ mechanism rather than an ‘opt-in’ to marketing emails (and/or SMS), as long as the following specific conditions are met:
■ The sole purpose of the direct marketing is for the charity’s own charitable purpose(s)
■ Contact details were collected when the individual expressed an interest in the charity’s purpose(s) or offered or provided support to further the charity’s purpose(s).
■ An opportunity to refuse/opt-out is given at the point of collection, and in every subsequent communication.
To prepare charities can consider whether they wish to switch from consent, and assess if this will relatively straight-forward to implement in practice or not. Pros and Cons of the ‘soft opt-in pros.
8. Cookies & similar technologies
The DUA Act will include extending the exceptions to consent from only ‘strictly necessary’ to include other specific types of ‘low risk’ cookies and similar technologies. The exemption will be permitted for certain statistical purposes and optimising website appearance, as long as clear information is provided and users are given a straight-forward ability to opt-out.
Alongside these changes under DUA, the ICO is reviewing PECR consent requirements to in its words; “enable a shift towards privacy-preserving advertising models”. This autumn, a statement is expected on ‘low risk’ advertising activities which in the ICO’s view are unlikely to cause harm or trigger enforcement action. You can read more about this in the ICO’s package of measures to drive economic growth.
In preparation, cookie audits can be conducted to identify which cookies used may qualify as ‘low-risk’, and prepare to update your consent management platform (CMP) and the cookie information provided.
9. PECR Fines
Fines for infringements of the Privacy & Electronic Communications Regulations, which govern electronic direct marketing, cookies and similar technologies, are set to significantly increase.
Currently the maximum fine under PECR is currently capped at just £500k. The limits will be brought in line with the much more substantial fines which can be levied under UK GDPR – up to a maximum of £17,500,000, or 4% of the organisation’s total annual worldwide turnover from the preceding financial year, whichever is higher.
Bear in mind the ICO issues more fines under PECR than UK GDPR or DPA, so the message is clear; make sure you comply with the PECR rules as the cost of enforcement action could be far higher.
It’s also worth noting what constitutes ‘spam’ is to be extended to include emails and text messages which are sent, but not received by anyone. This will mean the ICO will be able to consider much larger volumes in any enforcement action.
10. Compatible processing
Currently, UK GDPR makes it tricky to reuse personal data for new purposes, and DUA Act aims to make this slightly easier by listing specific compatible purposes for which organisations will not need to undertake a compatibility assessment.
11. Scientific research
There are detailed changes in relation to scientific research. To briefly summarise, the definition of ‘scientific research’ is to be clarified and will explicitly state research can be a commercial or non-commercial activity. Consent for scientific research is to be adapted, in part driven by a desire to make it easier for personal data collected for specific research to be reused for other scientific research purposes.
12. Data protection by design to protect children
When assessing appropriate ‘technical and organisational measures’ in relation to online services likely to be accessed by children, organisations will be legally obliged to take account of how children can best be protected right from the design phase, confirm that children merit additional protection, and have different needs at different ages and stages of development. Such measures strengthen the need to adhere to the UK Children’s Code.
13. Smart Data Schemes
The DUA Act will give the Government the ability to pass secondary legislation to enable business data sharing. The aim is to implement Smart data schemes to grow the UK economy, encourage competition and benefit consumers. Currently we have data sharing models for open banking, and the plans is similar models will be extended to other sectors such as telecoms, healthcare, insurance and energy.
14. Digital verification services
The Act will create a framework to enable the introduction of trusted digital verification services. The idea is people will be able to prove their identity via trusted digital identify providers, without having to provide a physical form of ID or other form of documentation.
Digital ID verification has been adopted successfully by certain businesses, but take up is patchy and the Government is keen to accelerate progress. It’s hoped this new framework will simplify processes such as registering births and deaths, starting a new job, and renting a home.
15. New Information Commission
The Information Commissioner’s Office is set to be replaced by an Information Commission, which will be structured in a similar way to the FCA, OFCOM and the CMA – as a body corporate with an appointed Chief Executive. It’s anticipated this change will come into effect in 2027.
What about UK adequacy?
The DUA Act will be carefully scrutinised by the European Commission when it reviews adequacy decisions for the UK. These currently allow for the free flow of personal data between the EEA and UK, without the need for additional risk assessments or safeguard measures. The outcome of the EC review of these decisions is expected in December 2025. It’s hoped there’s nothing to scare the horses and UK adequacy will be renewed. Nonetheless, this is one to watch.
In summary, although reform has its critics, the changes to be introduced by the DUA Act are not overly dramatic. More detail and regulatory guidance will gradually become available, and I’d stress there’s no need to do anything immediately. Over the coming months we’ll be sure to keep you updated on developments.
Search
Contact Us
Newsletter
