After a seemingly endless round of parliamentary ping-pong, the Data (Use and Access) Act 2025 (DUAA) finally became law on 19 June 2025. Weighing in at 271 pages and 16 schedules, you would be forgiven for expecting something of a revolution in data protection and governance. However, the reality is a bit less exciting.

DUAA tweaks existing data protection and privacy laws, including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018) and Privacy and Electronic Communications Regulations 2003 (PECR). These changes are accompanied by a large serving of ‘watch this space’: smart data and digital verification schemes, and a national underground asset register. Most DUAA provisions will have no legal or practical effect without further regulations.

Measured updates to the UK GDPR

DUAA replaced the now defunct Data Protection and Digital Information Bill but left out its most controversial proposals. DUAA changes, most of which are not yet in effect, include the following.

Recognised legitimate interests

DUAA will introduce a new lawful basis for processing to the UK GDPR called ‘recognised legitimate interest’ (RLI). There is no balancing test required; it will not be necessary to balance RLI against the interests, rights and freedoms of the relevant data subjects.

The list of RLIs includes:

• Processing necessary for the purposes of national security, crime prevention and safeguarding vulnerable persons.
• Sharing data with a public authority where the authority (often the police) requests the data to carry out its public task.

We will explore this more in an upcoming blog.

Simplification of automated processing

Certain decisions based solely on automated processing of personal data will become a little easier if they do not involve special category data.

Codification

Some existing case law and administrative practices will become codified:

• Controllers need only make a ‘reasonable and proportionate search’ for personal data in response to a subject access request (this change is already in effect and backdated to 1 Jan 2024); and
• The time limit for responding to data subject requests will be extended where the controller reasonably asks the data subject to clarify their request.

Facilitating complaints

Controllers will need to ‘facilitate’ complaints from data subjects and respond to them within 30 days. In practice, this will probably mean creating complaint forms and processes and keeping a log of complaints and responses.

Updates to PECR (cookies and direct marketing)

The big headline is that fines under PECR will align with those under the UK GDPR – up to £17.5 million or 4% of global turnover. This is of some interest given the apparent greater willingness of the Information Commissioner’s Office (ICO) to issue fines under PECR than under the UK GDPR.

Other changes will include:

• Charities will benefit from the so-called soft opt-in for direct marketing to individuals who express an interest in the charity’s charitable purposes. Until now, charities could do direct email and SMS marketing only with explicit consent.
• A third category of ‘opt-out’ analytics cookies for websites and apps. This sounds more exciting than it is: it will apply to a narrow range of sites (‘information society services’) and only for a narrow purpose (to improve that information society service and not for other third-party uses). We predict this change will be of limited use.

Smart data and digital verification schemes

DUAA sets up a framework of rules under which the government can create smart data and digital verification (essentially private digital ID) by creating some regulations rather than passing a new act of Parliament. In other words, there is nothing to report on these topics until the government publishes a draft set of regulations. At the time of writing, there was little guidance on when we could expect to see these.

What should you do now?

One way of looking at this is that there is little you ought to do because of DUAA that you should not have been doing already. That said, there are some common-sense steps all controllers could take now:

• Data subject complaints: create a process, complete with a complaints form and a register of complaints and responses.
• SAR / DSAR processes: review and update subject access request (SAR/DSAR) procedures, data maps and records of processing activities (ROPAs). The key to responding on time to any SAR is recognising that you have received one, routing it correctly in the organisation and knowing where to look for the data once the request is in the right hands.
• DUAA training courses: There is nothing to get trained on quite yet. The UK GDPR and PECR have received only minor tweaks, and most organisations have no significant new obligations to prepare for. Bigger changes will probably only become clear once public consultations on smart data and digital verification schemes are complete, and the government publishes draft regulations.

How can we help?

Our experienced team of data and privacy lawyers can support you if you would like to learn more about navigating the UK GDPR, PECR and the DPA 2018 both now and after any coming changes under DUAA.