DUA 2025: Key Impacts on UK Data Protection Law


Data Use and Access Act 2025: What You Need to Know About Changes to UK Data Protection Law

The Data Use and Access Act 2025 (DUA) became law on 19 June 2025. While it doesn’t completely overhaul the UK’s data protection framework, it introduces updates to existing laws. Organisations should take note of these key changes and prepare accordingly.

Subject Access Requests and People’s Rights

Searches

DUA clarifies that organisations are only required to conduct a “reasonable and proportionate” search when responding to a subject access request (SAR). This aligns with existing good practice, but it is a welcome legal clarification.

What counts as reasonable and proportionate must be determined case by case. Strong records management, such as defined rules for where personal data is stored, together with a documented record of the searches carried out, will help demonstrate compliance.

Timescales

DUA also codifies existing practices relating to:

  • Clarification requests
  • Charging fees
  • Verification of identity

The time limit for responding to a SAR:

  • Starts only once any applicable fee is paid and/or identity is verified.
  • Pauses if additional clarification from the requester is needed.

Importantly, organisations should not default to requesting clarification, charging fees or demanding ID verification; each should be used only where genuinely necessary, and none of them may be used as a way of delaying a response.

Right to Complain

Previously, individuals could complain directly to the Information Commissioner’s Office. Under DUA, individuals are expected to raise their concerns with the organisation first, and the regulator may decline to deal with a complaint that has not first been raised with the organisation.

Organisations must:

  • Acknowledge complaints within 30 days
  • Respond without undue delay, explaining the actions taken

They must also facilitate complaint submissions, for example, by offering online forms.

Your organisation should consider how it will implement a formal complaints procedure, and should update its privacy notice to reflect the use of personal data in handling complaints (if this is not already covered).

Cookies

DUA allows the use of certain cookies without requiring user consent:

  • Cookies for statistical purposes to improve the service/website
  • Cookies that customise or enhance site appearance or functionality
  • Cookies used to provide emergency assistance

However, for cookies used for statistical or customisation purposes:

  • Users must be informed via cookie banners or notices
  • Users must be given a clear opt-out mechanism

Direct Marketing Fine Increases

The maximum fine for breaches under the Privacy and Electronic Communications Regulations (PECR) is increasing from £500,000 to the greater of £17.5 million or 4% of global annual turnover.

Charities and Direct Marketing

DUA extends the ‘soft opt-in’ (previously only available to commercial organisations) to charities.

This allows charities to send marketing emails to individuals who have previously engaged or expressed interest in the organisation, provided they:

  • Offer a clear opt-out
  • Meet the other relevant conditions

Charities should assess how they can make use of this expanded exemption.

Relaxation of Rules Around Automated Decision Making

Currently, restrictions limit the use of automated decision-making involving personal data where the decision may have legal or similarly significant effects on individuals.

Relaxation of Restrictions under DUA

Organisations may use automated decision-making more freely, provided the following safeguards are in place:

  • Individuals are informed about the decision-making process
  • Individuals can submit input or comments
  • Individuals can request human intervention
  • Individuals can appeal decisions

Automated Decision Making and Special Category Personal Data

Use of special category personal data in automated decisions will remain restricted. It will only be permitted when:

  • Explicit consent is obtained
  • Processing is contractually necessary or required by law
  • It is necessary for substantial public interest

Legitimate Interests: Clarification and New Lawful Basis

Organisations may only use personal data where they have a legal justification for doing so. Data protection law sets out several justifications called ‘lawful bases’.

Legitimate Interests

One such basis is ‘legitimate interests’, which allows organisations to use personal data to pursue a legitimate interest, but only where the rights and freedoms of the individuals whose data is used do not outweigh that interest.

DUA provides explicit examples of what may constitute a legitimate interest:

  • Direct marketing
  • Intra-group data transfers for administrative purposes
  • Network and system security

Recognised Legitimate Interests

DUA also introduces a new legal basis: Recognised Legitimate Interests, which applies to processing for defined purposes such as:

  • Sharing data with public authorities
  • National security
  • Safeguarding

These additions bring much-needed clarity. Processing under a recognised legitimate interest does not require the balancing test that applies under the ordinary legitimate interests basis, which is what distinguishes the new basis from the examples above.

Purpose Limitation

One key requirement of data protection law is ‘purpose limitation’: organisations should be clear about how they will use personal data from the outset, and personal data must only be used for the specific purposes it was collected for, unless the new use is compatible with the original purpose. This ensures that people’s personal data is only used in ways they expect.

DUA provides additional detail and examples to help determine compatibility, giving organisations more clarity when assessing reuse of personal data.

The Information Commissioner Is Being Replaced

The Information Commissioner oversees and enforces data protection compliance in the UK.

DUA replaces the Information Commissioner with a new Information Commission, which will have a different governance structure and refreshed powers.

However, for most organisations, day-to-day interactions are expected to remain broadly similar.

Transferring Personal Data Outside of the UK

If an organisation wishes to transfer personal data outside of the UK it may only do so if certain conditions are met.

Adequacy Decisions

One condition is that the recipient country ensures an adequate level of protection for personal data. This decision is made by the UK Government, and adequacy is the mechanism most often relied on to allow personal data to flow from the UK to the EEA.

DUA relaxes this requirement slightly: instead of requiring an adequate level of protection, the Government must be satisfied that the level of protection for personal data in the country in question is not materially lower than the standard under UK law.

Data Protection Test

Transfers of personal data are also currently permitted if the exporter puts appropriate safeguards in place, such as binding corporate rules. In addition, the transfer may only be made on the condition that individuals still have enforceable rights and effective legal remedies in respect of the transferred personal data.

Under DUA the requirement for safeguards will remain but the condition above is replaced with a requirement to meet ‘the data protection test’. This test is that the standard of protection which will apply to the transferred personal data in the transfer country will not be ‘materially lower’ than the standard under UK law.

This represents a relaxation of the current data transfer rules.

Other Changes

DUA also introduces a range of other changes, such as establishing a regulatory framework for digital identity verification, introducing ‘smart data’ schemes to allow sharing of data between individuals and organisations, and updating the rules around personal data used in scientific research.

When Will the Changes Take Place?

The clarification that organisations need only carry out ‘reasonable and proportionate’ searches in response to subject access requests is already in force.

Several sections of DUA will come into force on 20 August 2025. These sections largely relate to:

  • the Information Commissioner’s abilities and objectives
  • the Government’s ability to introduce ‘smart data’ schemes
  • technical provisions

No dates have been confirmed for the remaining changes. The UK Government has said it is taking a ‘staged’ approach to introducing them, with all changes expected to be in force within 12 months of Royal Assent, i.e. by 19 June 2026.

What You Can Do Now

  • Develop a process for handling complaints
  • Prepare complaint forms and decide how users will access them (e.g., via your website)
  • Charities: Explore how you could benefit from the soft opt-in exemption
  • Evaluate how your organisation might benefit from the relaxed rules around automated decision-making

How We Can Help

Our dedicated team will continue to provide updates on DUA and are happy to help with any questions you have about data protection compliance.

Eileen Barr

Senior Associate