An update to the UK’s version of the GDPR is long overdue. The previous Conservative government originally proposed it via the Data Protection and Digital Information (DPDI) Bill, which failed to make it through Parliament before a change in administration. Labour’s effort, the Data (Use and Access) Act (DUA Act), has finally received Royal Assent after a high-profile scrap between upper and lower chambers over AI and copyright.

The question is, how big a lift will it be for security and compliance teams to adapt to the new data protection regime the law ushers in?

Why Do We Need It?

As with previous attempts to improve and adapt the UK’s regulatory regime for data protection, the focus is on removing unnecessary red tape without imperilling cross-border data flows to the EU. To ensure the latter, the UK can’t diverge too far from the GDPR, or it may risk its adequacy status as a “third country”.

Given that the digital economy contributed £154bn in Gross Value Added (GVA) in 2023, accounting for about 6.5% of the total, the government knows that a radical departure from the GDPR is out of the question. It would also be perverse, given that the regulator, the Information Commissioner’s Office (ICO), was a key contributor to the original regulation.

The government claims the new law will provide a £10bn boost to the UK economy over the coming decade. It points to an expansion of “smart data” schemes like open banking, the cutting of bureaucracy for providers of public services, and a new trust mark for digital identity providers as helping achieve this.

What’s New?

However, from a data protection perspective, the biggest changes relate to:

Legitimate interests: The DUA Act introduces “recognised legitimate interests” as a new, lawful basis for processing personal data. This allows some organisations to process data without needing to conduct a traditional legitimate interests assessment (LIA). There’s also a list of processing activities (including direct marketing) that still require LIAs, which should provide more clarity for organisations.

Automated decision making (ADM): The law relaxes restrictions on ADM in cases where special category data is not involved, although safeguards still need to be applied.

Scientific research: The law broadens the definition to any research “reasonably described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. It means privately funded and commercial research will benefit from the exemptions for the processing of special category data.

International data transfers: The secretary of state will be able to approve third countries, deciding whether a destination country’s data protection standards are “not materially lower” than those in the UK, rather than applying the existing test of “essentially equivalent” protections.

Special category data: The secretary of state will also have new powers to change what can be classed as special category data – which requires extra protection.

Data subject access requests (SARs): The law clarifies that data subjects are only entitled to information from a “reasonable and proportionate” search by the business. Organisations can now have up to three months in certain circumstances to respond to SARs. This is designed to reduce the administrative burden on firms.

Purpose limitation: The law clarifies what constitutes “further processing”.

Children’s data: The law introduces a new concept of “children’s higher protection matters”, which the ICO must evaluate when regulating companies’ responsibilities.

Privacy and Electronic Communications Regulations (PECR): New rules on cookies are designed to make compliance less onerous for businesses. There are exemptions from the requirement to seek consent for certain non-essential cookies (e.g., collecting statistical data to improve the appearance or performance of a website, adapting a website to a user’s preferences, or making improvements to services or a website). There’s also a long list of purposes for using cookies that are considered strictly necessary (e.g., security and fraud detection), where no opt-out choice is required.

ICO: The ICO will be replaced by the Information Commission, and the commissioner by a chair together with executive and non-executive members. There are also new rules on complaints procedures.

Ropes & Gray data, privacy and cybersecurity counsel Edward Machin argues that some of the measures should help to ease red tape for many organisations.

“Although controversial, the relaxing of requirements around automated decision-making that involves non-sensitive personal data will go some way to easing the compliance burden for organisations that undertake this type of processing – particularly in the context of AI development and use,” he tells ISMS.online.

“And clarifying the concept of ‘further processing’ generally, and broadening the definition of ‘scientific research’ specifically, will – if not cut red tape as such – allow organisations to process personal data in a wider range of scenarios than is currently the case.”

Start with Cookies

Crucially, legal experts don’t believe that the legislation will affect the UK’s adequacy status and, therefore, data flows with the EU.

“While extensive, the changes proposed by the [Act] do not go so far as to alter the underlying principles of the GDPR that the existing regime is based on,” says Sarah Pearce, partner with Hunton Andrews Kurth. “As such, the new legislation should not impact the UK’s adequacy decision when it is reviewed by the European Commission at the end of this year.”

So, what should compliance officers look at first? Ropes & Gray’s Machin advises looking at cookie and electronic marketing practices.

“Although the act expands the type of cookies and purposes that are considered to be ‘strictly necessary’, it also increases the maximum fines under PECR to align with the UK GDPR – i.e., the greater of £17.5 million or 4% of annual worldwide turnover,” he explains.

“All organisations will need to operationalise the new process for complaints by individuals, which must be first directed to the controller before being made to the ICO. This will require updates to privacy notices and internal processes to ensure that such complaints are handled appropriately.”

A more comprehensive mapping process will also be necessary to understand how the act’s provisions will impact current processes, Machin adds.

“In many cases this will not result in significant changes to existing UK GDPR compliance programmes,” he concludes.

“That said, the data sharing and digital verification schemes that the act empowers the secretary of state to introduce will involve a range of new and enhanced legal and technical requirements, and organisations that want – or are required – to partake in these schemes should monitor closely developments in this area.”