The UK’s Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, refreshing the country’s data protection and digital economy legislation. Designed to promote innovation, boost trust in data-driven systems, and simplify compliance, the Act introduces wide-ranging reforms across both public and private sectors.
For businesses, the changes may ease certain administrative burdens in areas such as Data Subject Access Requests (DSARs) and cookies, while raising the bar in other areas, including transparency, marketing consent, and enforcement. This blog explains what’s changing and offers practical steps to help organisations prepare.
Where DUAA Sits: It Amends, Not Replaces
The Act does not replace the UK GDPR or the Data Protection Act 2018; instead, it amends and supplements both. It also updates key provisions of the Privacy and Electronic Communications Regulations (PECR), especially around cookie consent and electronic marketing.
Taken together, these reforms aim to create a more “business-friendly and innovation-ready data regime” while preserving the core principles of data protection for individuals. But the interplay between these frameworks means organisations will need to navigate the new landscape carefully.
Key Changes Businesses Need to Know
Recognised Legitimate Interests
The Act introduces a new concept: “recognised legitimate interests”. These are specific purposes for which organisations can process personal data without carrying out the balancing test that a full legitimate interests assessment (LIA) normally requires. Examples include preventing crime, safeguarding national security, maintaining public safety, responding to emergencies, protecting vulnerable individuals, and disclosing information to a person carrying out a public-interest task.
Separately, the Act adds a non-exhaustive list of examples of ordinary legitimate interests, such as direct marketing, intra-group transmission of data for internal administrative purposes, and network and information security. These still require the standard three-part test: identify the purpose, show that the processing is necessary for it, and carry out a balancing test against the individual’s interests and rights, with the reasoning recorded.
The bottom line here is that while this reduces the paperwork for some types of data use, it doesn’t remove the requirement to respect data subjects’ rights. It’s still essential to ensure processing is necessary and proportionate.
International Data Transfers
The threshold for international data transfers has been lowered. Rather than requiring “essentially equivalent” protection to UK GDPR, organisations must now ensure that protection is “not materially lower.”
This offers businesses more flexibility in global data flows, particularly when working with partners in countries not covered by UK adequacy regulations. Still, it also puts more responsibility on the data exporter to assess protections.
Exporters must adopt a reasonable and proportionate approach, taking into account the nature of the data, the destination, and the associated risks. If local laws fall short, you’ll need to implement additional safeguards, such as encryption, access controls, and robust contract terms, to ensure the data remains protected to a standard that’s still acceptable under UK law.
It’s also worth noting that the EU has temporarily extended the UK’s adequacy status until 27 December 2025, allowing data to continue flowing from the EU to the UK while the European Commission completes its review. Businesses receiving EU data should monitor developments and consider contractual fallbacks to avoid disruption.
Data Subject Access Requests (DSARs)
The new legislation introduces a more business-friendly standard for DSARs, requiring searches to be “reasonable and proportionate.” This is a welcome change for organisations that previously struggled with time-consuming or excessive requests. It allows businesses to focus efforts on responding meaningfully, rather than chasing down every possible data source.
A new stop-the-clock provision has also been introduced. If you need to clarify the request, verify the requester’s identity, or request a fee (in cases of manifestly unfounded or excessive requests), the one-month response deadline can be paused until you receive the necessary information, providing some breathing room to manage complex or ambiguous requests effectively.
However, the core obligations remain. Businesses must still respond without undue delay and provide clear, accessible information to data subjects, and unjustified delays will still carry compliance risks.
Cookies & Marketing (PECR)
Certain types of cookies, such as those used for service improvement or audience measurement, may no longer require consent, provided they’re clearly explained and users are given appropriate information and control.
At the same time, enforcement around electronic marketing is being tightened. Fines for PECR breaches have been brought in line with the UK GDPR, with penalties of up to £17.5 million or 4% of global turnover. This highlights the need for businesses to review their consent practices, update cookie banners and privacy notices, and ensure robust internal documentation for marketing activities.
Automated Decision-Making & AI
The Act introduces more flexibility for organisations using AI and automated decision-making (ADM), replacing Article 22 of UK GDPR with a new set of provisions: Articles 22A to 22D. These changes enable a broader application of ADM, particularly in cases where the decisions made do not have significant legal or similarly substantial effects on individuals.
However, ADM that does produce significant effects, especially when involving special category data, remains tightly regulated. In these cases, organisations must still ensure there is meaningful human oversight, clear transparency, and appropriate safeguards in place. ADM based on special category data will generally require either explicit consent or must meet specific conditions set out in the legislation.
Smart Data & Digital IDs
The Act paves the way for sector-specific “Smart Data Schemes” that enable consumers and small businesses to securely and portably share their data. It also establishes a statutory Digital Verification Services (DVS) trust framework to support the use of verified digital identities across the economy.
These provisions are broadly enabling at this stage, with further details to be provided via secondary legislation.
Regulator Reform
The ICO will become the Information Commission, with expanded investigatory and enforcement powers. These include compelling witnesses to attend interviews, requiring organisations to commission technical reports from an approved person, and issuing higher penalties for non-compliance.
Some of these new powers came into effect two months after Royal Assent, while others will be phased in over time through secondary legislation. Organisations should anticipate a more assertive regulatory environment and prepare accordingly, ensuring governance, documentation, and internal processes are audit-ready.
What’s at Stake for Businesses
While some reforms simplify compliance, for example, by reducing DSAR burdens or clarifying the use of legitimate interest, others bring increased regulatory scrutiny and heavier penalties. This mixed picture means businesses should not treat the Act as a relaxation of rules. Instead, it’s an opportunity to modernise data governance, reduce risk, and build trust with customers, partners, and regulators.
Timeline & Phased Rollout
The Act became law in June 2025, but not all provisions took effect immediately. The government has confirmed a staged commencement, with changes rolling out over approximately 2, 6, and 12-month phases. The Commencement No. 1 Regulations came into force on 20 August 2025, covering specific technical and regulatory provisions.
Most of the significant provisions in Part 5 of the Act, which amends the UK GDPR, the Data Protection Act 2018, and PECR, are expected to come into effect around the six-month mark. Further changes will follow through secondary legislation and regulator guidance.
Organisations should stay alert to new commencement regulations, monitor ICO communications, and plan their compliance activity in line with upcoming deadlines.
Your 8-Point Action Plan
Check your legal bases
- Map where the new recognised legitimate interests apply, and update your privacy notices and records of processing activities (RoPAs) so they reflect what you actually do.
Reassess your global data flows
- Review transfer mechanisms against the new “not materially lower” threshold. Document your transfer risk assessments and keep a fallback ready for EU data.
Simplify DSAR handling
- Train staff to apply the “reasonable and proportionate” test, and build in the new stop-the-clock process for identity checks or clarifications.
Tidy up cookies and marketing
- Refresh cookie banners to take advantage of the new low-risk exemptions, revisit consent processes, and note that PECR fines now align with UK GDPR levels. Charities: check whether the soft opt-in for electronic marketing, now extended to charities, works for you.
Audit your ADM and AI use
- Identify which systems count as significant automated decision-making. Implement meaningful human oversight, obtain explicit consent where necessary, and establish documented safeguards.
Get Smart Data-ready
- Look at how sector-specific schemes (like Open Banking) might translate to your industry, and whether digital verification services could become part of your onboarding or customer processes.
Strengthen governance now
- With the new Information Commission gaining powers to compel interviews, audits, and GDPR-level fines for PECR, this is the moment to tighten policies, evidence, and training.
Stay tuned
- Watch for commencement regulations and ICO guidance as staged rollouts land over the next 2, 6, and 12 months. Prioritise changes that come into force first.
Bottom Line
The Data Use and Access Act 2025 is a turning point for UK data governance. It strikes a balance between simplification and accountability, offering forward-thinking businesses the opportunity to embrace innovation without compromising trust. Early preparation will not only reduce risk but also help you seize the opportunities that smarter, clearer data use can bring.