The UK's data protection regime has evolved since Brexit. The most significant change being implemented at present is the Data Use and Access Bill, which became law as the Data Use and Access Act (DUAA) in June 2025. A few provisions are already in force, but the rest will be fully implemented by June 2026.
Key takeaways
- The DUAA became law in June 2025, with full implementation due by June 2026.
- It does not replace the UK GDPR or Data Protection Act 2018 but amends and modernises both.
- The aim of the DUAA is to encourage innovation and reduce burdens on organisations while maintaining strong rights protection.
Understanding the Data Use and Access Act 2025
- What is the DUAA?
- What are the key changes introduced by the DUAA?
- Why is the DUAA important?
- What should organisations do now?
The Data Use and Access Act (DUAA) is designed to make it easier, safer, and more productive to use data across the UK, helping drive innovation and public benefit while preserving individual rights.
What is the DUAA?
The Data (Use and Access) Act 2025 (DUAA) is a UK law that modernises how data is used, shared, and protected. It updates existing legislation — like the UK GDPR and Data Protection Act 2018 — to make data rules more flexible and better suited to the digital age.
The Act aims to boost innovation, economic growth, and the efficiency of public services by enabling responsible data sharing while maintaining strong privacy safeguards. It introduces clearer rules for lawful data use, supports "smart data" and digital identity systems, streamlines international transfers, and reforms the data regulator into a new Information Commission.
What the DUAA is not
The DUAA does not replace the UK GDPR or the Data Protection Act 2018. Still, it introduces targeted reforms in both pieces of legislation, which, according to the Information Commissioner's Office (ICO), aim "to promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights."
What are the key changes introduced by the DUAA?
The Data Use and Access Act has brought about some changes to existing legislation. Here are the most notable changes:
Automated decision-making
The DUAA eases restrictions on automated decision-making (ADM), provided: (a) there is transparency, (b) meaningful human intervention is possible, and (c) data subjects can challenge outcomes. These safeguards enable a data subject to challenge the decision. Moreover, special category data remains excluded from this type of processing.
Compatibility
The DUAA changes and clarifies the rules relating to the purpose limitation principle, allowing data collected for one purpose to be reused for another, as long as both purposes are deemed compatible.
Cookie rules
There are new exceptions to the prohibition on storing information or accessing information stored in the terminal equipment of a subscriber or user without their consent. The exceptions are applicable when:
- Collecting statistical data to improve service quality
- Using cookies for the functional display of the website on user devices
- Locating users in an emergency
However, data subjects still need to be informed about the cookies and have the option to opt out.
Data protection complaints
Data subjects now have a statutory right to complain directly to data controllers. Organisations must:
- Provide an electronic complaints form
- Acknowledge complaints within 30 days
- Respond without undue delay
Disclosures for public tasks
Public authorities can request personal data to perform their duties. The responsibility for ensuring their request is lawful lies with the requesting authority, not the data controller.
International data transfers
The DUAA introduces a risk-based data protection test for international transfers that can be applied by the Secretary of State. This means that the requirements don't have to be identical to the current adequacy decision. Still, the new standard requires that protections in the receiving country are not materially lower than those in the UK.
Legitimate interest
The DUAA clarifies that direct marketing, intra-group transmissions of personal data for internal administrative purposes and ensuring the security of network and information systems all fall under legitimate interest for processing data.
Recognised legitimate interests
There is a new lawful basis for processing data distinct from the traditional "legitimate interest" which applies to:
- Disclosure of personal data to a controller who requires it to carry out a public interest task, or exercise official authority.
- Use of personal data for safeguarding national security, protecting public security and defence-related purposes.
- Processing personal data for detecting, investigating, or preventing crime or safeguarding vulnerable people.
Subject Access Requests (SARs)
Thanks to recent case law, organisations now only need to conduct reasonable and proportionate searches when responding to SARs, which eases the burden on businesses. However, data controllers have the responsibility to make it easier for data subjects to submit complaints about their data use (for example, by providing an accessible "electronic complaints form").
PECR fines
Fines under PECR have been increased to align them with the UK GDPR. This means that breaches of e-privacy rules (including cookie and e-marketing breaches) can attract a maximum penalty of £17.5 million or 4% of the company's worldwide turnover.
Why is the DUAA important?
The Data (Use and Access) Act 2025 is a major update to the UK's data protection and sharing laws. It aims to make it easier for organisations to use and share data responsibly, supporting innovation, economic growth, and more efficient public services. By modernising existing laws rather than replacing them, it strikes a balance between unlocking the value of data and protecting individual privacy in a rapidly changing digital landscape.
1. Modernises UK data laws
Updates the UK’s data protection framework (UK GDPR and Data Protection Act 2018) to fit the digital economy and new technologies better.
2. Boosts innovation and public services
Enables more effective and lawful data sharing. For example, in healthcare and infrastructure, the government expects to add around £10 billion to the economy over 10 years.
3. Supports smart data and digital identity
Creates a legal basis for "smart-data" schemes (like open banking) and for trusted digital verification services.
4. Simplifies rules and reduces red tape
Introduces clearer lawful grounds for using data (like "recognised legitimate interests") and streamlines international data transfers.
5. Strengthens regulation
Reforms the Information Commissioner’s Office into a new Information Commission with updated powers.
6. Balances innovation with privacy
Seeks to encourage data use while maintaining safeguards, though some critics warn privacy protections could be weakened if not implemented carefully.
What should organisations do now?
Organisations need to have their finger on the pulse. To stay compliant and ahead of the curve, organisations should:
- Track implementation dates for DUAA provisions
- Monitor the ICO website for guidance and tools
- Update internal policies to reflect DUAA requirements
- Prepare an online complaints form for data subjects
- Train staff on their responsibilities under the DUAA
- Plan for a DPIA (Data Protection Impact Assessment) once all changes are operational
Written by: Bunmi Adefuye
As the General Counsel at Skillcast, Bunmi has nearly 20 years of legal experience in both private practice and in-house roles. Her in-house experience includes serving as the Legal Advice Manager for a prominent trade association that collaborates closely with the Government to shape and implement legislation and policies. Bunmi has also served as the sole company solicitor for Snappy Snaps Franchises Limited. Her areas of expertise include commercial law, procurement, data protection, and employment law.
