Data (Use and Access) Act 2025: Key Changes to UK Data Protection Law
After a lengthy period of parliamentary ping pong, the Data (Use and Access) Act 2025 (DUAA) became law on 19 June 2025.
The DUAA aims to make it easier for organisations to protect personal data whilst facilitating innovation and growth, though it also introduces some hefty new enforcement provisions which businesses will want to be aware of. The DUAA amends the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulation 2003 (PECR). Provisions of these laws not otherwise amended by the DUAA continue to apply.
Key Takeaways
Rather than overhauling the UK’s data protection regime, the DUAA introduces amendments which refine existing law without making radical changes. For businesses, the key points to review in order to ensure compliance with the DUAA will be:
- Direct marketing and cookies – new increased fining powers for breaches of PECR mean that compliance is more important than ever;
- DSARs – certain points around how organisations respond to DSARs have been clarified by the DUAA, so DSAR response protocols may need to be amended in light of this;
- Data processing – some useful clarity has been given regarding processing on the basis of legitimate interests, as well as a reminder that any processing of children’s data must be carefully considered; and
- Uses of ADM – some of the restrictions around using ADM for personal data have been relaxed by the new legislation, meaning that ADM uses and policies may merit being updated.
Read on for details of the notable changes coming in with the DUAA:
1. Amendments to PECR
Increased Fining Powers
Perhaps the most significant change under the DUAA is that the ICO will now have the power to issue fines for breaches of PECR up to a maximum of £17.5 million or 4% of the organisation's annual global turnover, whichever is higher. This brings the previously much smaller penalties for breaches of PECR into line with those under the UK GDPR.
Businesses should note that compliance with PECR is an area that the ICO is actively monitoring. The ICO uses automated tools to detect non-compliant cookies and routinely issues fines for breaches of direct marketing rules. It is highly likely that the ICO will use these increased fining powers to take harsher action against non-compliance with PECR.
Cookies and Consent
The DUAA confirms that user consent will no longer be required for certain categories of cookies. This includes cookies used for statistical purposes to improve the service, functional cookies relating to website appearance, those falling within the “strictly necessary” exception to consent (including security purposes), and personalisation cookies for repeat user authentication and preference retention.
Outside of these categories, businesses must continue to clearly inform users about cookies and their purpose and obtain explicit consent before deployment.
Direct Marketing
Regarding direct marketing – that is, the communication of marketing material directed to particular individuals, including via email, social media marketing, phone calls, etc. – the DUAA provides some useful clarification:
(a) direct marketing can be a legitimate interest for processing personal data; and
(b) charities will now have the ability to rely on “soft opt-in” for direct marketing. Previously limited to commercial organisations, the soft opt-in allows organisations to send direct marketing to their customers or individuals who have expressed an interest, provided that certain requirements are met including giving the opportunity to opt-out in all subsequent communications.
Notification of Data Breaches
Finally on amendments to PECR, the DUAA increases the time within which electronic communications providers need to notify the ICO of a data breach to 72 hours, aligning with the UK GDPR.
2. Data Subject Access Requests (DSAR)
Under the UK GDPR, individuals have the right to make a DSAR which, whilst fundamental to data subjects’ control of their data, can place significant demands in time and resources for many businesses. The DUAA clarifies that:
(a) organisations need to carry out “reasonable and proportionate” searches for documents when responding to DSARs. This update comes into effect immediately;
(b) organisations can ‘stop the clock’ on time limits to respond to a DSAR where they cannot proceed without further information or ID verification from the data subject. The time will be paused until such information is provided. This reflects current ICO guidance; and
(c) to refuse a DSAR, organisations must demonstrate that a request is manifestly unfounded or excessive, and must also inform the data subject why the request was refused and of their right to complain to the ICO.
In addition, the DUAA introduces a new right for data subjects to complain to the data controller if they consider that the controller is not abiding by UK data protection rules. The controller must enable data subjects to make such complaints and must respond “without undue delay”.
3. Automated Decision Making (ADM)
For ADM (that is, a decision with no meaningful human involvement) which produces legal or similarly significant effects, the DUAA will relax the current requirement for individual consent and expand the available legal bases under which organisations can use ADM for personal data.
Processing with ADM will be permitted provided that an organisation has a lawful basis to do so and implements appropriate safeguards. Safeguards must include transparency, and the ability for data subjects to challenge significant decisions made by ADM and to obtain human intervention. Individuals also still have the right to object to processing by ADM in accordance with the UK GDPR.
Note that these amendments do not apply to special category personal data which remains subject to stricter ADM restrictions under existing UK GDPR rules.
4. Legitimate Interests
The DUAA introduces new “recognised legitimate interests” which will automatically be considered a lawful basis for processing data, removing the need for a legitimate interest assessment (LIA). The list includes safeguarding vulnerable individuals, public safety, and detecting, investigating or preventing crime. Note this does not remove the need for an LIA in other cases.
The DUAA also sets out a (non-exhaustive) list of processing activities which can constitute legitimate interests under the standard test, including direct marketing, intra-group administrative transfers, and processing to ensure network and information security. Whether an organisation can rely on legitimate interests will remain fact dependent and organisations must still complete an LIA for such processing, but the comfort the DUAA provides is in confirming that legitimate interests can apply to these activities.
5. International Data Transfers
For the purposes of international data transfers, the DUAA reframes the test to assess third countries’ data protection standards, and seeks to establish a more flexible, risk-based approach. The test will now be whether the standard of data protection in the third country is “not materially lower” than the UK.
This is expected to provide a more flexible approach than the previous standard under the UK GDPR (and the EU GDPR) that the third country must have “equivalent” protections.
6. Children and online services
The DUAA reinforces that organisations offering online services likely to be accessed by children must take children’s needs into account when determining how to use their personal data. This is in line with the ICO’s existing Age Appropriate Design Code.
7. Timelines
Most provisions of the DUAA must be brought into effect by secondary legislation and are expected to be implemented between June 2025 and June 2026. A commencement schedule will be released in due course.
8. On the Horizon: EU Adequacy Assessment
The amendments brought in by the DUAA are under close review in the context of the UK’s adequacy decision from the European Commission which currently facilitates the smooth transfer of data between the UK and EU.
The UK’s adequacy assessment was due to expire in June 2025, but the Commission has extended its deadline until 27 December 2025, in order to evaluate the impact of the DUAA.
To maintain adequacy, the UK’s data protection regime must offer essentially equivalent protection to the EU GDPR. The Commission will be particularly focused on the DUAA’s amendment to the test for international data transfers, with the standard now being “not materially lower” than the UK. The Commission’s concern will be that granting adequacy to the UK facilitates the transfer of data from the EU to the UK, but that once the data is in the UK, the UK’s new test may allow it to be sent onward to third countries which the EU itself may not deem to offer equivalent standards of protection.
However, it is widely expected that neither the reframing of this test, nor any of the other changes introduced by the DUAA will diverge so significantly from the EU GDPR that they would jeopardise the EU’s adequacy assessment for the UK.
Watch this space!