The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and introduces targeted reforms to the UK’s data protection framework to make it simpler for organisations to use personal data responsibly.

Some provisions came into force earlier this year, although most of DUAA's provisions will be brought into force during 2026. The Information Commissioner's Office (ICO) has begun issuing guidance and codes of practice on DUAA, with further guidance expected by the middle of next year.

Despite the phased implementation of DUAA, organisations should already be taking steps to support compliance with DUAA's new requirements. This article provides an overview of some of the key changes and practical guidance for organisations preparing for compliance.

1. Recognised Legitimate Interests

What are the changes?

DUAA introduces a seventh lawful basis for processing personal data: "recognised legitimate interests" (this is separate from the existing "legitimate interests" basis under Article 6(1)(f) that many organisations already use). Before DUAA, an organisation relying on legitimate interests had to carry out a balancing test weighing its own interests against the individual's rights and freedoms. Under the new basis, organisations must still show that the processing is necessary, but no longer need to complete this balancing test.

When can you use it?

Processing qualifies as a recognised legitimate interest only if it meets a condition in Annex 1. These categories include:

  • Responding to requests from public bodies carrying out public interest tasks.
  • Processing for national security, public security, or defence.
  • Responding to emergencies under the Civil Contingencies Act 2004.
  • Preventing, investigating or prosecuting crime.
  • Safeguarding vulnerable individuals.

What steps should be taken and by when?

Organisations should assess whether any of their processing activities fall within the Annex 1 conditions and document why the processing is necessary and which Annex 1 condition applies. Where recognised legitimate interests can be applied to data processing, organisations should update privacy notices and procedures to reflect this, including procedures for handling objections, since individuals can object to such processing.

These provisions of DUAA (Schedule 4 inserting Annex 1) are not yet in force as of November 2025. Organisations must monitor commencement regulations and ICO guidance to determine when and how to apply this new lawful basis to their processing activities.

2. New statutory examples of "Legitimate Interests"

What are the changes?

DUAA introduces a new Article 6(11) to the UK GDPR (the UK's post-Brexit retained version of the EU GDPR) which provides examples of processing that may qualify as legitimate interests under the existing Article 6(1)(f) UK GDPR. Before DUAA, the UK GDPR contained no statutory examples of what might constitute legitimate interests, so organisations had to rely on ICO guidance to understand what types of processing could qualify. New Article 6(11) will provide three statutory examples of processing that may be necessary for legitimate interests:

  1. Direct marketing – for example, where an organisation emails existing customers about a new product or service;
  2. Intra-group data sharing – transmission of personal data within a group where it is necessary for internal administrative purposes. For example, a company shares employee HR data with its UK parent company for payroll administration; and
  3. Network and information security – processing necessary for ensuring the security of network and information systems. For example, an organisation monitoring network traffic and user access logs to detect and prevent cyber-attacks.

It is important for organisations to note that these are examples and are not automatic approvals. Where organisations intend to rely on Article 6(1)(f) for processing activities they still need to demonstrate full compliance with their obligations under relevant data protection legislation.

In the case of direct marketing, rules under the Privacy and Electronic Communications Regulations (PECR) remain unchanged and in force, therefore requiring organisations to continue complying with PECR's separate and additional consent requirements. PECR penalties now align with UK GDPR levels (up to £17.5 million or 4% of global turnover for breaches) making PECR compliance more critical than ever.

What steps should be taken? 

Legitimate interest assessments remain mandatory; existing assessments will need to be updated to reference the new statutory examples in Article 6(11) and reviewed periodically. Organisations should also review and update any existing policies and privacy notices to reference legitimate interests for these activities where applicable, with clear explanations and objection mechanisms. Organisations should monitor commencement regulations relating to new Article 6(11), together with new ICO guidance on when and how the statutory examples should be applied in practice.

3. Changing purpose – new compatibility rules

What are the changes?

DUAA inserts a new Article 8A into the UK GDPR which sets out when organisations can process personal data for a new purpose different from the purpose for which the data was originally collected.

Article 8A makes clear that even if a new use is "compatible" with the original purpose, organisations still need a lawful basis for that new use. When assessing compatibility, organisations must consider specific factors: the link between the original and new purpose, the context of processing and the relationship with the individual, the nature of the data (especially sensitive data), the consequences for individuals, and what safeguards are in place.

DUAA creates "safe harbours" where further processing is automatically treated as compatible. These include:

  • where specific consent for the new purpose is provided and the new purpose is specified, explicit and legitimate;
  • processing for scientific or historical research, archiving in the public interest, or statistics (with appropriate safeguards);
  • processing to ensure compliance with the data protection principles; and
  • processing necessary for specific public interest objectives and authorised by law.

If the data was originally collected based on consent, it may only be used for a new purpose if fresh consent is obtained for that new purpose, or if getting new consent isn't reasonably possible and the reuse falls within certain public interest categories set out in Annex 2 of DUAA.

What steps should be taken and by when?

Organisations should review their current data practices to identify any secondary uses of personal data, assess them against the new Article 8A factors, map any areas where the expanded compatibility rules could apply, and document the safeguards in place (such as encryption, pseudonymisation and access controls). Article 8A has not yet been implemented, so organisations should keep a watch for commencement regulations and any related ICO guidance before implementing a new compatibility framework.

4. Automated Decision-Making (ADM)

What are the changes?

One of the most substantial changes introduced by DUAA is the relaxation of previous restrictions under UK GDPR on solely automated decisions that have legal or similarly significant effects, introducing a new framework with appropriate safeguards rather than blanket provisions.

Previously, solely automated decisions producing legal or similarly significant effects were generally prohibited unless they were necessary for a contract, authorised by law, or based on an individual’s explicit consent. In the absence of these conditions, individuals had the right not to be subject to such automated processing, including profiling.

The rules around ADM will instead focus on "solely automated" decisions (those with no meaningful human involvement) that have "significant" effects (meaning legal or similarly significant effects on individuals). Organisations will have more flexibility over which lawful basis to use (other than recognised legitimate interests, which cannot be used for ADM), provided safeguards are in place. These safeguards include providing clear information to the individual about the decision, allowing individuals to make representations about the decision, human intervention in the decision-making process, and allowing the decision to be contested.

Despite these changes, DUAA retains the previous prohibition on the use of special category data (such as health, race, or biometric data) in solely automated significant decision making. In such cases, organisations must still rely either on explicit consent, or the decision being required by law and there being a substantial public interest where appropriate safeguards are in place. 

Whilst DUAA does not provide detail on what is considered explicit consent for this purpose, it is expected that future ICO guidance will provide clarity on this and ADM generally.

DUAA clarifies that a decision is based solely on automated processing if there is no "meaningful human intervention", meaning that any human review must be substantive and informed. This is particularly relevant for AI-driven decision systems, where it will be essential that the AI's output can be challenged or overridden. DUAA gives the Secretary of State powers to make further regulations on meaningful human intervention, which will be vital as automated systems evolve. ICO guidance is expected to provide further assistance to organisations on this matter when it becomes available.

What steps should be taken and by when?

Organisations need to audit their existing ADM processes to identify any decisions that are solely automated and significant, and assess whether appropriate safeguards are in place, including ensuring human review processes are built into the decision-making process, as well as explanation mechanisms and challenge procedures. Where special category data is involved, organisations must confirm they have explicit consent or a legal basis in the public interest, along with appropriate protections. Organisations should ensure they are not using recognised legitimate interests as the basis for these decisions and monitor commencement regulations and ICO guidance to ensure all future ADM aligns with the new rules when they come into force.

5. Data Subject Access Requests (DSAR)

What are the changes?

DUAA introduces welcome practical changes to DSAR handling, codifying existing ICO guidance by confirming that organisations are only required to conduct reasonable and proportionate searches in response to a DSAR. The one-month time frame for responding to requests still stands, but it may be extended by up to two further months (making a total of three months) where necessary due to the complexity of the request or the volume of requests received from the data subject. This aligns with the ICO's existing guidance and means organisations are not expected to undertake overly burdensome searches, particularly where requests are complex or involve large datasets.

DUAA also introduces a new "stop the clock" mechanism that will enable organisations to pause the response time frame where further information is reasonably required to identify the scope for complex or multiple requests. In these circumstances, organisations must inform the individual of the delay and provide reasons for the pause.

What steps should be taken and by when?

Whilst the full provisions relating to DSAR are yet to come into force, the requirement for organisations to conduct a reasonable and proportionate search is already in force. 

To prepare for DUAA's changes, organisations should update their DSAR handling procedures, ensuring internal policies recognise that only reasonable and proportionate searches are required. Staff must be trained to identify when an extension to the one-month response period is necessary and to understand when the clock can be paused. Clear communication with the data subject will be essential in these cases, and accurate tracking of timelines and justifications should be maintained to ensure compliance. Further ICO guidance is expected to assist organisations with DSAR handling under the new framework.

6. Complaint handling

What are the changes?

DUAA introduces a new two-tier complaints system. Currently, data subjects can complain directly to the ICO without first approaching the organisation. Under the new system, data subjects will generally need to demonstrate they have first complained to the organisation before escalating to the ICO, creating a mandatory first-tier resolution process.

DUAA requires organisations to facilitate complaints, provide accessible complaint forms, acknowledge complaints within 30 days, take appropriate steps to respond without undue delay, including making enquiries into the subject matter, and provide progress updates to the data subject. 

7. Other key changes

Consent to Processing for Scientific Research

DUAA introduces a new framework for "broad consent" in scientific research, addressing the practical challenge that researchers often cannot fully identify specific research purposes at the time of data collection. Previously, the UK GDPR required consent to be "specific" to a particular purpose, creating uncertainty about whether consent for "an area of research" would be valid. Under the new framework (not yet in force), individuals can consent to their data being used for "an area of scientific research" rather than a fully specified purpose, provided four conditions are met: (1) it was not possible to fully identify the purposes when consent was sought; (2) the consent process aligns with recognised ethical standards for that research area; (3) data subjects can consent to only part of the research where feasible; and (4) the standard consent requirements (freely given, informed, unambiguous) are met.

Cookies and tracking

Currently, PECR requires consent for storing or accessing information on user devices, including most cookies. DUAA will relax these rules by allowing certain types of tracking without user consent.

Cookies used exclusively for statistical purposes, including analytics, site optimisation and website functionality, will be exempt from the consent requirement once the regulations are made, provided that users are clearly informed of their use and given an easy opt-out mechanism. The exemptions also extend to cookies used for service enhancement, security measures and emergency assistance.

Organisations should review their cookie policies and practices to ensure they clearly inform users about the use of cookies exempted from consent. They must also implement easy-to-use opt-out mechanisms for users. Although not yet in force, organisations should prepare to update cookie banners, privacy notices, and internal processes to maintain compliance and minimise risk.

International data transfers

The Act creates a new UK-specific framework for international data transfers, allowing transfers where the destination country's data protection is "not materially lower" than the UK's standards. This is a lower standard than the EU's "essentially equivalent" requirement. This divergence from EU standards may impact the UK's adequacy status for receiving EU personal data. Organisations can transfer data if: the destination has government approval; appropriate safeguards exist and they reasonably assess the protection test is met; or a specific exemption applies. These provisions are not yet in force.

Next steps

DUAA represents a significant evolution in the UK's data protection framework, introducing practical reforms designed to reduce regulatory burden while maintaining essential protections for individuals. DUAA's key changes - including recognised legitimate interests, clearer compatibility rules for changing purposes, relaxed restrictions on automated decision-making, streamlined DSAR handling requiring only reasonable and proportionate searches, and new complaint handling procedures - all signal a more business-friendly approach without fundamentally compromising individual rights.

As DUAA's provisions come into force over the coming months, organisations should prioritise updating their data protection policies and procedures to leverage the new flexibilities while ensuring continued compliance. Key immediate steps include the following:

  • Conducting compliance gap analyses against the new requirements; 
  • Updating privacy notices and internal procedures; 
  • Training staff on the changes; and 
  • Monitoring commencement regulations and ICO guidance releases. 

Businesses with EU operations should monitor developments concerning the UK’s adequacy status and prepare contingency plans for potential additional transfer requirements if the EU determines that UK standards have diverged too significantly from EU GDPR.

While DUAA introduces welcome flexibility for organisations, successful implementation will require careful planning, ongoing monitoring of regulatory developments, and a commitment to maintaining high standards of data protection. Organisations that proactively prepare for these changes will be best positioned to leverage the new opportunities while ensuring robust compliance with the evolving regulatory landscape.