What the New Data (Use and Access) Act 2025 Means for Your Organisation: Key Changes and How to Prepare

What the New Data (Use and Access) Act 2025 Means for Your Organisation: Key Changes and How to Prepare

The Data (Use and Access) Act 2025 (DUAA) has officially come into force, marking a significant milestone in the evolution of UK data protection law. As of August 21, 2025, the Information Commissioner’s Office (ICO) has initiated public consultations on the amendments introduced by this act. This development is crucial for organisations that handle personal data, as it introduces new compliance requirements and opportunities.

Background and Significance of the DUAA

The DUAA 2025 is designed to modernize data protection practices in the UK, ensuring they align with the rapid technological advancements and the growing importance of data in the public interest. This act aims to provide organisations with more confidence in using personal information while safeguarding individuals’ rights.

Key Changes Introduced by the DUAA

  1. Recognised Legitimate Interest: One of the most notable changes is the introduction of a new lawful basis for data processing called ‘recognised legitimate interest’. This basis is distinct from the traditional legitimate interests basis, offering organisations a clearer framework for processing personal data in ways that benefit the public interest.

  2. Formal Process for Handling Data Protection Complaints: The DUAA mandates that all organisations establish a formal process for handling data protection complaints. This requirement is intended to ensure that organisations have robust procedures in place to address and resolve complaints efficiently, thereby enhancing trust and transparency.

Practical Steps for Compliance

To comply with the DUAA 2025, organisations should consider the following steps:

  • Update Privacy Notices: Ensure that your privacy notices reflect the new lawful basis and any changes in data processing activities.
  • Review Data Processing Activities: Conduct a thorough review of your current data processing activities to ensure they align with the new requirements.
  • Establish or Refine Complaints Procedures: Develop or enhance your complaints handling procedures to meet the new standards set by the DUAA.

Engage with the ICO’s Consultations

The ICO’s ongoing consultations provide a valuable opportunity for organisations to engage with the regulatory process. Participating in these consultations or staying informed about the final guidance can help your organisation remain compliant and proactive in adapting to new data protection standards.

Conclusion

The Data (Use and Access) Act 2025 represents a pivotal change in the landscape of data protection in the UK. By understanding and implementing the key changes introduced by this act, organisations can not only ensure compliance but also build greater trust with their stakeholders.