07977 169206 dionne@dssbh.co.uk

Did you know that the UK’s data protection legislation has been updated? It has been sneaked in very quietly, under the radar.

The UK’s data protection framework has undergone its most significant update since Brexit. The Data (Use and Access) Act 2025 (DUAA) amends the UK GDPR and the Data Protection Act 2018 rather than replacing them, with changes being introduced in stages throughout 2025 and 2026. (GOV.UK)

For business owners, the good news is that many of the changes are designed to reduce administrative burdens while maintaining data protection standards. However, there are also some new obligations that organisations need to address.


The Current Legal Framework

UK organisations must still comply with:

  • UK GDPR
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)

The Data (Use and Access) Act 2025 sits alongside these laws and introduces targeted reforms intended to make data protection more practical and proportionate for UK organisations.


1. New “Recognised Legitimate Interests”

One of the most significant changes is the introduction of a new lawful basis called Recognised Legitimate Interests.

Under the previous rules, organisations relying on legitimate interests had to carry out a balancing test to assess whether their interests outweighed the impact on individuals. The new legislation removes this requirement for certain specified activities.

Examples include:

  • Crime prevention and detection
  • Safeguarding vulnerable individuals
  • Public security and national security
  • Responding to emergencies
  • Certain requests from public authorities

Practical impact for businesses

Most SMEs are unlikely to rely heavily on these new recognised interests. However, organisations involved in safeguarding, security, fraud prevention or regulated activities may benefit from reduced compliance documentation.

Businesses should review their lawful bases for processing and update privacy notices where appropriate.


2. Greater Clarity Around Legitimate Interests

The Act also provides statutory examples of activities that may qualify as legitimate interests, including:

  • Direct marketing
  • Internal administrative data sharing within group companies
  • Network and cyber security activities

Practical impact

This provides greater certainty for businesses already relying on legitimate interests. However, the balancing test still applies unless the processing falls within the new recognised legitimate interests category.

Organisations should review existing Legitimate Interest Assessments (LIAs) and ensure documentation remains current.


3. Changes to Subject Access Requests (SARs)

Subject Access Requests remain an important individual right, but the Act clarifies that organisations only need to carry out reasonable and proportionate searches when responding.

This largely reflects existing ICO guidance but is now written directly into legislation.

Practical impact

Businesses should:

  • Review SAR procedures.
  • Document why searches are considered reasonable and proportionate.
  • Ensure staff understand the new approach.

This may significantly reduce the burden of extensive searches in large email archives and legacy systems.


4. New Complaints Handling Requirements

A new requirement has been introduced for organisations to operate a formal complaints process for data protection concerns. Businesses must:

  • Provide a means for individuals to submit complaints electronically.
  • Acknowledge complaints within specified timescales.
  • Inform complainants of the outcome.

Practical impact

This is one of the most important operational changes for SMEs.

Many businesses currently direct complaints straight to the ICO. Under the new regime, organisations must provide an internal route for complaints before matters escalate.

You may need to:

  • Update your privacy notice.
  • Create a data protection complaints procedure.
  • Train staff handling customer complaints.


5. Changes to Cookie Rules

The Act amends PECR by allowing certain low-risk cookies and similar technologies to be used without obtaining explicit consent. These include some analytics and functionality cookies.

Practical impact

Website operators may be able to simplify cookie banners and improve website analytics.

However, businesses should be cautious. Marketing and advertising cookies generally still require consent.

Importantly, PECR fines can now be aligned more closely with UK GDPR penalty levels, increasing the financial risk of non-compliance.


6. Automated Decision-Making and AI

The Act relaxes some restrictions on automated decision-making where appropriate safeguards are in place. Organisations can make greater use of automated systems and AI-driven processes, provided individuals retain protections such as the ability to challenge decisions and request human review.

Practical impact

Businesses using:

  • AI recruitment tools
  • Automated credit decisions
  • Customer profiling systems
  • AI-driven customer service tools

should review their governance arrangements and ensure meaningful human oversight remains available.


7. Children’s Data Protections

The Act introduces stronger protections where services are likely to be accessed by children. Organisations must consider the higher risks to children when designing online services and processing their personal data.

Practical impact

This is particularly relevant for:

  • Education providers
  • Online platforms
  • Sports clubs
  • Charities
  • Membership organisations

Privacy notices and consent mechanisms may need updating where children are involved.

8. International Data Transfers

The Act also provides greater clarity around international data transfers and public-interest processing. While the fundamental safeguards remain unchanged, the legislation seeks to simplify compliance and provide more certainty for organisations transferring data overseas.


What Should Business Owners Do Now?

Most businesses do not need to redesign their entire GDPR compliance framework. However, they should review existing policies and procedures during 2026.

Priority actions include:

  1. Review privacy notices.
  2. Update legitimate interest assessments.
  3. Create a formal data protection complaints procedure.
  4. Review cookie consent mechanisms.
  5. Assess any use of AI or automated decision-making.
  6. Update SAR procedures to reflect the “reasonable and proportionate” standard.
  7. Train staff on the new requirements. (Moore Barlow LLP)

Final Thoughts

The Data (Use and Access) Act 2025 represents an evolution rather than a revolution. The UK GDPR remains firmly in place, but the new legislation introduces greater flexibility, clearer rules and a more business-friendly approach in several areas.

For most business owners, the key message is simple: don’t assume your existing GDPR documentation remains fully up to date. A review of policies, privacy notices and internal procedures during 2026 will help ensure compliance while taking advantage of the practical simplifications the new law offers.

One point to note: the Data (Use and Access) Act 2025 is currently the most significant recent legislation affecting UK data protection. The main related legislation remains the UK GDPR, Data Protection Act 2018 and PECR, all of which have been amended by the Act rather than replaced. The ICO is continuing to publish guidance as the phased implementation progresses through 2026.

Details of all the relevant legislation can be found at:

  • GOV.UK: The UK’s data protection legislation
  • GOV.UK: Data (Use and Access) Act fact sheets
  • Information Commissioner’s Office (ICO)