The UK’s Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, introducing a series of updates to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). The new law aims to boost innovation and support the UK’s post-Brexit economy. In this blog, we offer a quick overview of some of the key reform points, including automated decision-making, scientific research provisions, Data Subject Access Requests (DSARs), and international data transfers.
While we await the full details of commencement dates, businesses should take a measured and strategic approach until the full scope of the legislation is clarified and official guidance is published.
The Information Commissioner’s Office (ICO) has published preliminary information to support organisations and the public.
Watch On Demand: DUA Act webinar
FROM GDPR TO DUA: Compliance reform or strategic pivot?
The Data (Use and Access) Bill has finally passed through Parliament and marks the first major reform to the UK GDPR since Brexit. But is this simply regulatory fine-tuning or the beginning of a new, more strategic shift in the UK’s approach to data governance? Join data protection experts from The DPO Centre as they unpack what this legislative change is likely to mean in practice.
Early overview of the most relevant UK data law updates
In the following sections, we outline key changes introduced by the DUAA and their potential impact on organisations operating in the UK.
Key changes to the UK GDPR and how to prepare
The DUAA introduces targeted updates to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). These changes are evolutionary rather than revolutionary: the DUAA is an amending law that supplements the existing framework, not a replacement for it.
The core principles and obligations for data protection remain unchanged, and the practical impact of the updates will vary depending on your industry and your organisation’s specific data processing activities.
The government will phase in the new provisions through commencement regulations, allowing organisations time to meet additional requirements or adjust existing processes. Some provisions may take effect sooner, but most are expected to include a transition period, typically up to 12 months.
Much of the forthcoming guidance will depend on how the Information Commissioner’s Office (ICO) interprets the new provisions. Until this is published, organisations are advised to monitor developments, review current practices, and avoid making any hasty policy changes. Read the ICO’s preliminary information.
New Information Commission
One of the longer-term structural changes is the replacement of the current Information Commissioner’s Office with a new Information Commission. This body will have a corporate structure similar to Ofcom, with a board and a Chief Executive. The change is expected to take effect in 2027.
International data transfers and EU adequacy
A key shift in the DUAA’s approach to international data transfers is the introduction of a new threshold, allowing the Secretary of State to assess whether a destination country’s data protection standards are ‘not materially lower’ than those of the UK. This is a subtle but significant departure from the GDPR’s stricter ‘essentially equivalent’ requirement.
While this update doesn’t trigger immediate changes, it could open the door to greater flexibility for the UK’s international data strategy in the future. That said, any significant divergence from EU standards could put the UK’s EU adequacy status at risk. With the European Commission’s review due in December 2025, organisations should stay alert. A negative outcome would mean UK-EU transfers could no longer rely on adequacy, and organisations would need to put additional safeguards in place, such as Standard Contractual Clauses or the International Data Transfer Agreement.
We’ll continue to monitor developments and share updates as they unfold.
Updates on handling DSARs
The DUAA will make existing ICO guidance on Data Subject Access Requests (DSARs) part of UK law. If your organisation already follows DSAR best practices, your current processes are unlikely to need major changes.
Here’s what the new legal provisions clarify:
- The one-month response period does not start until you have confirmed the requester’s identity (and, where applicable, received any fee)
- If you need clarification about the person submitting the request or the scope of the request, you can stop the clock until a reply is received
- You are only required to conduct a search that is ‘reasonable and proportionate’
One significant addition: if you withhold information based on legal professional privilege or client confidentiality, you must now clearly tell the individual which exemption is being relied on and why. Individuals also gain the right to ask the ICO to review how these exemptions were applied, adding another layer of transparency and accountability.
Changes in automated decision-making rules
Under the UK GDPR, solely automated decisions that significantly affect individuals are tightly restricted. The DUAA eases those rules, but only for decisions that do not involve special category data (such as health, racial or ethnic origin, or biometric data), which remain subject to the stricter regime. This could give organisations more flexibility to use AI-driven tools and processes.
The Act also introduces the concepts of ‘meaningful human intervention’ and ‘significant decisions’, helping to clarify when human oversight is required and what qualifies as a high-impact decision.
To prepare, organisations should review current automated workflows and ensure that, where they are needed, human review mechanisms are clearly documented and accountable. It would also be prudent to assess whether existing processes may allow for greater automation under the updated rules.
Direct marketing and Legitimate Interests
Under the DUAA, direct marketing is formally recognised in the text of the UK GDPR as an example of processing that may constitute a legitimate interest. This is not a new concept: Recital 47 of the GDPR has long acknowledged that direct marketing may be a legitimate interest. Moving that recognition into the Articles gives organisations more certainty when relying on legitimate interests as their lawful basis for marketing. Note, however, that direct marketing is not one of the ‘recognised legitimate interests’ discussed in the next section, so a Legitimate Interests Assessment, including the balancing test, is still required.
While this could create new opportunities for outreach, compliance with the Privacy and Electronic Communications Regulations (PECR) still applies, along with the usual transparency and opt-out requirements.
What ‘Recognised Legitimate Interests’ could mean for organisations
The DUAA introduces the concept of ‘Recognised Legitimate Interests’, removing the need to carry out a Legitimate Interests Assessment (LIA) when processing personal data for specific, recognised purposes. These purposes are listed in Annex 1 to the UK GDPR, inserted by Schedule 4 of the Data (Use and Access) Act 2025.
These include:
- Disclosures to public bodies where data is needed to fulfil a public function
- Processing for national or public security, defence, or emergency response
- The prevention or detection of crime and safeguarding of vulnerable individuals
This provision could be useful for organisations that regularly share data with public authorities. It may also be valuable for sectors such as healthcare and education, which often process data to protect vulnerable individuals or prevent harm.
Revised scientific research rules
The DUAA formally defines scientific research, confirming that it can be commercial or non-commercial. This opens the door to greater flexibility in how personal data may be reused across compatible research projects.
This update is particularly relevant for Life Sciences organisations and academic institutions, as it may broaden the lawful use of data for secondary research purposes, whilst still operating within appropriate safeguards.
UK ePrivacy and cookie changes
Key updates to the UK’s ePrivacy and PECR rules include changes to cookies, extending the exceptions to consent beyond ‘strictly necessary’ cookies to certain ‘low risk’ purposes, such as basic analytics or website optimisation. Further guidance on these exceptions is expected, and we will share updates as soon as we have further clarification.
These changes offer more practical, business-friendly rules, but organisations will still need to provide clear information to users and ensure they are given a simple and accessible way to opt out.
Additionally, PECR fines are set to increase significantly, bringing them in line with UK GDPR penalties of up to £17.5 million or 4% of global annual turnover, whichever is greater.
Charities and soft opt-in new rules
The soft opt-in exemption to consent for electronic marketing is set to be extended to charities. This means that, provided certain conditions are met (for example, that the contact details were obtained in the course of the individual expressing interest in or supporting the charity, and that a simple means of refusing marketing is offered at the point of collection and in every message), charities can rely on opt-out rather than opt-in consent for marketing activities.
The Data (Use and Access) Act 2025 (DUAA) introduces targeted reforms that are evolutionary rather than transformational. It is certainly not GDPR 2.0. The core principles of UK GDPR remain, though organisations can expect a certain amount of increased certainty in some areas like automated decision-making, scientific research, and data sharing with public authorities. Other areas, such as smart data schemes and digital verification services, are also included in the Act.
Although many provisions won’t come into immediate effect, now is the time for you to engage with your Data Protection Officer (DPO), assess current practices, and prepare for detailed ICO guidance.
We will share further updates as they become available.
The DPO Centre provides expert data protection and privacy support to organisations across sectors, including advice on the evolving UK regulatory framework.
If you need help understanding how the Data (Use and Access) Act 2025 could affect your organisation, our team is here to support you. Get in touch to speak to one of our experts.