The UK Data Use and Access Act 2025 (DUAA) passed through both Houses of Parliament and received Royal Assent on June 19, 2025. The Act is an important milestone for data protection legislation in the UK.
In this post, we explain what you should know about the DUAA: what it changes, what it means for businesses, when its provisions take effect and what organizations need to do to comply.
Background to the Data Use and Access Act (DUAA)
Following Brexit, the UK government proposed changes to the existing data protection regime that were intended to benefit UK businesses while preserving the EU's adequacy decision for the UK.
Several versions of the new legislation were presented to parliament between 2021 and 2024, including the Data Protection and Digital Information Bill (DPDI), which ran out of parliamentary time before the 2024 general election and was not passed.
The Data Use and Access Bill was introduced to parliament in October 2024 and is the latest update to UK data protection legislation, amending the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
Key changes introduced in the DUAA
Key changes introduced in the DUAA include:
- Revised provisions for the use of personal data in scientific research, clarifying that research carried out as a commercial activity can qualify as scientific research and easing the reuse of personal data for research purposes, including where issuing a fresh privacy notice is not required.
- A broader range of lawful bases on which personal data may be processed for solely automated decisions with significant effects, subject to safeguards; special category data is excluded from this relaxation.
- A defined set of website cookies and similar technologies (for example, certain analytics cookies) that can be set without consent.
- A new lawful basis of "recognised legitimate interests", for which organizations are not required to conduct the usual balancing test before relying on it. The recognised purposes include national security, responding to an emergency, detecting, investigating or preventing crime, and safeguarding vulnerable individuals.
The DUAA also amends rules regarding data protection impact assessments, subject access requests and cross-border data transfers.
The Information Commissioner's Office (ICO) will be restructured as the Information Commission (IC), with new powers that affect how it conducts investigations. The Act also aligns PECR fines with the UK GDPR maximum, under which the regulator can issue fines of up to £17.5m or 4% of annual global turnover, whichever is higher, for serious breaches. Previously, PECR fines were capped at a much lower level.
There are potential implications for organizations that work with, or provide services to, EU businesses and individuals in the EU. Earlier this year, the EU extended its 2021 adequacy decision for the UK to December 2025 so that the DUAA could pass into law before the Commission assesses the new legal framework.
What businesses need to know
The DUAA has now received Royal Assent, and some sections of the new legislation came into force immediately. These include the clauses that grant powers to make secondary legislation, which is required to implement the majority of the changes introduced in the DUAA.
The provisions amending the UK GDPR and PECR are expected to be commenced within six months, by December 2025. The remaining provisions are expected to be commenced within a year.
To prepare for DUAA enforcement, organizations should:
- Review and update privacy notices in line with the new legislation, including the lawful bases declared for personal data processing and the handling of subject access requests (SARs).
- Review cookie banners and marketing practices to ensure compliance with the new cookie exemptions and PECR rules once they are commenced.
- Verify that any automated decision-making is aligned with the DUAA and that adequate safeguards, such as human review and the right to contest a decision, are in place.
- Track the secondary legislation as it is made, so that compliance keeps pace as the full set of new provisions becomes enforceable.
While the DUAA aims to create a more flexible and innovation-friendly framework, it also introduces a new level of complexity for privacy and data protection compliance. This is compounded by the lack of clarity around the secondary legislation that will shape how the Act will be enforced.
Organizations should treat this as a critical moment to reassess their data governance practices and ensure they remain compliant, not only to meet their legal obligations but also to maintain the trust of customers, partners and regulators.
To find out how Ground Labs can support DUAA compliance, arrange a complimentary data risk assessment or book a call with one of our experts today.