What the UK’s New Data (Use and Access) Act 2025 Means for Data Protection Officers: Key Changes, Compliance Challenges, and the Future of UK-EU Data Flows


Overview of the DUAA

The UK’s Data (Use and Access) Act 2025 (DUAA), which received Royal Assent in June 2025, marks a pivotal update to the UK’s data protection framework as it has stood since the UK GDPR. The DUAA aims to balance privacy, innovation, and regulatory pragmatism, supporting economic growth while maintaining the UK’s adequacy status with the EU. The European Commission is already working on new adequacy decisions to ensure the continued free flow of personal data between the UK and the European Economic Area.

Major Changes for DPOs

Data Protection Officers (DPOs) will face several practical changes under the DUAA. These include clarified rules for research, new conditions for automated decision-making, updated rules on legitimate interests, and revised consent requirements for cookies and electronic marketing. DPOs will need to understand these changes thoroughly and adapt to them to ensure compliance.

ICO’s New Powers

The Information Commissioner’s Office (ICO) has been granted expanded enforcement capabilities under the DUAA. This includes the authority to issue significant fines under the Privacy and Electronic Communications Regulations (PECR), enhancing the ICO’s ability to enforce compliance and protect data privacy.

Implications for UK-EU Data Transfers

The DUAA significantly impacts cross-border data flows, particularly concerning the EU’s draft adequacy decision and the upcoming expiration of the current adequacy agreement in December 2025. Organizations must stay informed about these developments to ensure seamless data transfers between the UK and EU.

Compliance Roadmap

Organizations and DPOs should prepare for the phased implementation of the DUAA over the next 12 months. Practical advice includes staying updated with new ICO guidance and adjusting compliance strategies accordingly to meet the new requirements.

Risks and Opportunities

While the DUAA streamlines regulations, it is crucial to maintain robust privacy protections. DPOs must navigate the balance between regulatory efficiency and privacy to leverage opportunities while mitigating risks.