What the UK’s New Data (Use and Access) Act 2025 Means for Businesses and Data Subjects: Key Changes and Practical Implications

Overview of the DUAA

The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent in June 2025, represents a pivotal update to the UK’s data protection framework, marking the most significant change since the UK GDPR. The DUAA is designed to balance privacy, innovation, and regulatory pragmatism, aiming to foster economic growth while ensuring the UK retains its adequacy status with the EU.

Major Changes Introduced

Clarification on the Use of Personal Data for Research

The DUAA provides clearer guidelines on how personal data can be used for research purposes, ensuring that such activities are conducted within a framework that respects individual privacy rights.

Eased Restrictions on Automated Decision-Making

The Act relaxes certain restrictions on automated decision-making processes, allowing businesses more flexibility in utilizing AI technologies while still safeguarding data subjects’ rights.

New Rules for Cookies and Electronic Marketing

Significant changes have been made to the rules governing cookies and electronic marketing. Notably, the Act specifies scenarios where consent is not required, simplifying compliance for businesses.

Updated Legitimate Interests for Processing

The DUAA updates the list of recognized legitimate interests for data processing, providing businesses with more clarity and flexibility in their operations.

New Conditions for Secondary Processing and Data Subject Access Requests

The Act introduces new conditions for secondary processing of data and streamlines the process for data subject access requests, enhancing transparency and efficiency.

Expanded Powers for the ICO

The Information Commissioner’s Office (ICO) has been granted expanded powers, including the ability to impose increased fines under the Privacy and Electronic Communications Regulations (PECR).

Phased Implementation

The provisions of the DUAA will be rolled out over the next 12 months. Organizations must prepare for ongoing compliance updates, ensuring they remain aligned with the new regulations as they come into effect.

Practical Advice for Organizations

Organizations should take proactive steps to align with the DUAA by:

• Reviewing and updating data processing activities.
• Revising privacy notices to reflect new legal requirements.
• Monitoring guidance from the ICO as it is released to stay informed about compliance obligations.

Implications for International Data Transfers

The European Commission’s move to adopt new adequacy decisions is crucial for maintaining the free flow of personal data between the UK and the European Economic Area (EEA), ensuring that businesses can continue their operations without disruption.

Conclusion

The DUAA 2025 is a landmark piece of legislation that will shape the future of data protection in the UK. By understanding and preparing for these changes, businesses can not only ensure compliance but also leverage new opportunities for innovation and growth.

---

Other Links on the Web

• Data (Use and Access) Act 2025: A New Chapter in the UK’s Data Protection Framework
• 51 Useful Data Protection Resources: Blogs, Videos, Guides, Infographics, Tools & More
• DWF Data Protection Insights - July 2025
• Blog Ideas
• Data Protection News Update - 28 July 2025