The UK’s Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. It does not replace the UK General Data Protection Regulation (UK GDPR), the UK’s retained version of Regulation (EU) 2016/679, but rather amends and builds on it.
To understand how, it helps to know that the Data Protection Act 2018 (DPA 2018) sits alongside the UK GDPR and supplements it; it superseded the Data Protection Act 1998. The DUAA makes targeted amendments to the UK GDPR itself, to the DPA 2018 and to the Privacy and Electronic Communications Regulations (PECR). For most organisations the practical impact of those amendments is felt in the day-to-day operation of the UK GDPR.
For simplicity, in this guide we compare the DUAA with the UK GDPR directly across core areas, including Data Subject Access Requests (DSARs), international data transfers, Legitimate Interests, cookies, and more. We help you make sense of what’s changing and what it could mean for your business.
For additional information, watch our Privacy Puzzle webinar session discussing how the DUAA will likely impact certain day-to-day compliance practices.
FROM GDPR TO DUA: Compliance reform or strategic pivot?
The Data (Use and Access) Bill, a UK legislative reform package updating the UK GDPR, the Data Protection Act 2018 and PECR, has finally passed through Parliament and marks the first major reform to the UK GDPR since Brexit. But is this simply regulatory fine-tuning or the beginning of a new, more strategic shift in the UK’s approach to data governance? Join data protection experts from The DPO Centre as they unpack what this legislative change is likely to mean in practice.
DUAA vs GDPR: What’s changing in practice
DSARs
| AREA | UK GDPR | DUAA | BUSINESS IMPACT |
|---|---|---|---|
| Search scope | You must carry out a ‘reasonable’ search, but the legislation itself does not define the standard | The standard is now written into the legislation as a ‘reasonable and proportionate’ search | May reduce search burdens, but ‘proportionate’ is still subjective and could lead to disputes if data is withheld |
| Response timeframes | One month to respond, extendable by a further two months for complex or numerous requests; the clock is paused while you await proof of identity | Same timeframes apply, with a clearer statutory basis for when the clock can stop (for example, while identity is verified or the request is clarified) | Offers more clarity, but misuse of stopping the clock may trigger complaints or enforcement |
International data transfers
| AREA | UK GDPR | DUAA | BUSINESS IMPACT |
|---|---|---|---|
| Adequacy | Transfers allowed to countries awarded ‘adequacy’ on the basis of ‘essentially equivalent’ protection | Replaces the EU-derived adequacy framework with the UK’s own ‘data protection test’, under which the standard of protection in the receiving country must be ‘not materially lower’ than in the UK | The UK could approve more countries under this new standard, but divergence from the EU could put the UK’s own EU adequacy status at risk |
| SCCs and safeguards | Transfers to countries without adequacy must rely on appropriate safeguards: Standard Contractual Clauses (SCCs), in the UK in the form of the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, supported by a Transfer Risk Assessment (TRA) | The UK is developing its own approach to SCCs and other transfer mechanisms | UK SCCs may diverge from the EU versions, creating legal and contractual complexity for businesses operating across both UK and EU jurisdictions |
Legitimate Interests
| AREA | UK GDPR | DUAA | BUSINESS IMPACT |
|---|---|---|---|
| Recognised Legitimate Interests | No recognised list: every reliance on legitimate interests requires a full Legitimate Interests Assessment (LIA), including the balancing test against the data subject’s interests, rights and freedoms | Introduces a statutory list of ‘recognised legitimate interests’ (for example, processing for national security, emergencies, crime prevention and safeguarding) for which the balancing test is not required; necessity must still be shown | Businesses should update LIA templates to distinguish the new ‘recognised’ interests from ordinary legitimate interests, which still need a balancing test |
| Direct marketing | Recital 47 acknowledges that direct marketing may be considered a Legitimate Interest | Direct marketing is named in the UK GDPR itself as an example of processing that may be a legitimate interest (alongside intra-group administrative transfers and network and information security), but it is not on the ‘recognised’ list, so the balancing test still applies | Reinforces current practice, but businesses must still conduct and document the balancing test, and PECR consent rules for electronic marketing are unchanged |
ePrivacy and Privacy and Electronic Communications Regulations (PECR)
| AREA | UK GDPR | DUAA | BUSINESS IMPACT |
|---|---|---|---|
| Cookies | Regulated under PECR: consent (an unambiguous, informed and freely given indication of agreement) is required for cookies and similar technologies except those that are ‘strictly necessary’ | Adds exemptions for certain ‘low risk’ purposes, such as first-party statistical analytics used to improve the service and adapting the site’s appearance or functionality to the user | Businesses that want to rely on the new exemptions will need to adjust their banners; ‘low risk’ cookies still require clear information and a simple way for the user to opt out |
| PECR fines | Breaches of PECR can be fined up to £500,000 | Maximum fines aligned with the UK GDPR: up to £17.5 million or 4% of global annual turnover, whichever is greater | Significantly increases risk; organisations must assess current marketing and cookie practices to strengthen PECR compliance |
Other key areas of change
| AREA | UK GDPR | DUAA | BUSINESS IMPACT |
|---|---|---|---|
| Automated decision-making | Article 22 places strict limits on solely automated decisions that produce legal or similarly significant effects on individuals, especially where special category data (Article 9(1): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life, sexual orientation) is used | Relaxes the rules for ‘significant decisions’ that do not involve special category data, provided safeguards are in place, and defines a decision as solely automated where there is no ‘meaningful human involvement’ | More flexibility to use AI tools, but oversight is still needed: businesses must define human review processes, let individuals contest decisions and ensure transparency |
| Complaints | Individuals can lodge complaints with the ICO, but there is no explicit duty on controllers to handle complaints directly | Introduces a statutory right for individuals to complain to the data controller (the entity that determines the purposes and means of processing), who must acknowledge the complaint within 30 days and respond without undue delay | Controllers must now provide a clear complaints process and update privacy notices to describe it |
| Charities soft opt-in | The soft opt-in for email marketing only applies to commercial organisations sending messages to existing customers | Extends the soft opt-in to non-commercial organisations such as charities | Charities can send marketing emails to supporters more easily, but must offer an opt-out at the point of collection and in every subsequent message, and meet transparency obligations |
| Regulatory oversight | The Information Commissioner’s Office (ICO), the UK’s independent supervisory authority, enforces the UK GDPR, DPA 2018 and PECR broadly in line with EU practice | The ICO remains the enforcer but is restructured and renamed the Information Commission; some powers are redefined under the DUAA, and the Secretary of State gains added authority over adequacy decisions and certain categories of processing | Businesses must adapt to potentially more UK-specific guidance and codes of practice |
Next steps for businesses
Start by engaging with your Data Protection Officer (DPO) and privacy team to assess how your current practices align with the DUAA. Core GDPR principles still apply, but this is a valuable opportunity to review and strengthen your governance framework in light of the UK-specific changes.
Immediate attention should go to your DSAR process. The DUAA introduces a new ‘reasonable and proportionate’ search standard, which you will need to interpret and apply within your organisation. Although this may make DSAR handling more practical, careful judgement and clear documentation will still be required to keep disputes to a minimum, especially while we await updated guidance from the ICO on elements such as the proportionality of searches.
For organisations transferring data internationally, be prepared for potential changes to Standard Contractual Clauses (SCCs) and keep an eye on EU adequacy decisions.
Finally, stay informed. The ICO has released initial information, with formal guidance expected. We will continue to share updates and insights as official guidance is released.
Read the ICO’s preliminary information
If your organisation would benefit from guidance on the DUAA, GDPR, or broader UK and EU privacy compliance, The DPO Centre’s team of highly experienced DPOs can help.
Contact us for more details.