Data Use and Access Act 2025
The Data Use and Access Act (DUAA) received Royal Assent on 19 June 2025. Designed to modernise the UK’s approach to data regulation, it introduces targeted updates to these core pillars of UK data law:
- Data Protection Act 2018 (DPA)
- UK General Data Protection Regulation (UK GDPR)
- Privacy and Electronic Communications Regulations (PECR)
What the DUAA means in practice
The Data Protection Act 2018 (DPA) is the legislation that implements the UK GDPR. The DUAA amends the DPA, which in turn shifts how organisations interpret and implement the UK GDPR. So, while the DUAA technically modifies the DPA, the practical impact is on the day-to-day operation of the UK GDPR.
This page outlines the Data Use and Access Act 2025 and explains the key updates to the UK’s data protection laws.
From DPDI to DUAA: A brief history
The DUAA builds on many of the ideas, provisions, and objectives outlined in the abandoned Data Protection and Digital Information (DPDI) Bill but leaves out the most controversial aspects of the previous proposal.
Initially proposed as a comprehensive overhaul of the UK’s data protection laws, the DPDI Bill faced much opposition. It was ultimately shelved when Rishi Sunak’s government announced a general election in May 2024.
What are the key changes to UK data protection laws?
For simplicity, we compare the DUAA with the UK GDPR directly across core areas. These include a restructure of the Information Commissioner’s Office (ICO), provisions to simplify Data Subject Access Requests (DSARs), changes to automated decision-making, and the strengthening of data security and data protection in the Health and Care sector.
An overview of these key changes can be found in the table below.
UK GDPR vs DUAA
| Area | UK GDPR | DUAA |
|---|---|---|
| Legitimate Interests | Requires a balancing test (known as a Legitimate Interest Assessment, or LIA) for all processing under this lawful basis | Introduces ‘recognised legitimate interests’ for which no balancing test will be required, including direct marketing and security processing |
| Scientific research | Broad interpretation with examples such as “technological development and demonstration, fundamental research, applied research, and privately funded research” | Expands and clarifies the definition of scientific research to explicitly include both commercial and non-commercial research |
| Further processing of personal data for scientific research purposes | Allows for further processing of personal data if it is compatible with the original purpose | Updates provisions to make it easier for clinical trial sponsors to obtain broad consent from research participants to reuse their data for scientific research purposes |
| DSARs | Gives individuals the right to access their personal data held by organisations | Provides greater clarity on DSAR response obligations such as timeframes and ‘reasonable search’ |
| International data transfers | Transfers of personal data outside the UK must use appropriate safeguards such as Binding Corporate Rules (BCRs), the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs | Codifies a ‘data protection test’ for assessing adequacy – which may result in an easier pathway to future international adequacy decisions made by the Secretary of State |
| UK Regulator | The Information Commissioner’s Office (ICO) is an independent body, established to uphold information rights | Restructures the ICO into the Information Commission, including the establishment of a formal Board – intended to improve governance |
| Automated decision making | Article 22 places strict restrictions on solely automated decision-making, including any AI systems that have legal or similarly significant effects on individuals | Narrows the scope of restrictions to only explicitly prohibit automated decisions made using special category data |
| Cookies | Except for ‘strictly necessary’ cookies, all cookies require informed consent prior to deployment | Aims to reduce the frequency of cookie pop-ups for UK users by removing the cookie consent requirement for specified purposes (e.g. statistical purposes) |
| PECR fines | Current fines under the Privacy and Electronic Communications Regulations (PECR) are capped at £500,000 | Maximum fines brought in line with the current UK GDPR thresholds (up to £17.5M or 4% of annual turnover of the preceding financial year, whichever is higher) |