The UK's data protection regime has evolved since Brexit. The most significant change being implemented at present is the Data Use and Access Bill, which became law as the Data Use and Access Act (DUAA) in June 2025. A few provisions are already in force, but the rest will be fully implemented by June 2026.
The Data Use and Access Act (DUAA) is designed to make it easier, safer, and more productive to use data across the UK, helping drive innovation and public benefit while preserving individual rights.
The Data (Use and Access) Act 2025 (DUAA) is a UK law that modernises how data is used, shared, and protected. It updates existing legislation — like the UK GDPR and Data Protection Act 2018 — to make data rules more flexible and better suited to the digital age.
The Act aims to boost innovation, economic growth, and the efficiency of public services by enabling responsible data sharing while maintaining strong privacy safeguards. It introduces clearer rules for lawful data use, supports "smart data" and digital identity systems, streamlines international transfers, and reforms the data regulator into a new Information Commission.
What the DUAA is not
The DUAA does not replace the UK GDPR or the Data Protection Act 2018. Still, it introduces targeted reforms in both pieces of legislation, which, according to the Information Commissioner's Office (ICO), aim "to promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights."
The Data Use and Access Act has brought about some changes to existing legislation. Here are the most notable changes:
The DUAA eases restrictions on automated decision-making (ADM) provided that: (a) there is transparency, (b) meaningful human intervention is possible, and (c) data subjects can challenge outcomes. Moreover, special category data remains excluded from this type of processing.
The DUAA changes and clarifies the rules relating to the purpose limitation principle, allowing data collected for one purpose to be reused for another, as long as both purposes are deemed compatible.
There are new exceptions to the prohibition on storing information or accessing information stored in the terminal equipment of a subscriber or user without their consent. The exceptions are applicable when:
However, data subjects still need to be informed about the cookies and have the option to opt out.
Data subjects now have a statutory right to complain directly to data controllers. Organisations must:
Public authorities can request personal data to perform their duties. The responsibility for ensuring their request is lawful lies with the requesting authority, not the data controller.
The DUAA introduces a risk-based data protection test for international transfers that can be applied by the Secretary of State. This means that the requirements no longer have to be identical to those of the current adequacy decision. Still, the new standard requires that protections in the receiving country are not materially lower than those in the UK.
The DUAA clarifies that direct marketing, intra-group transmissions of personal data for internal administrative purposes and ensuring the security of network and information systems all fall under legitimate interest for processing data.
There is a new lawful basis for processing data distinct from the traditional "legitimate interest" which applies to:
Thanks to recent case law, organisations now only need to conduct reasonable and proportionate searches when responding to SARs, which eases the burden on businesses. However, data controllers have the responsibility to make it easier for data subjects to submit complaints about their data use (for example, by providing an accessible "electronic complaints form").
Fines for e-privacy breaches have been increased to align with the UK GDPR. This means that breaches of e-privacy rules (including cookie and e-marketing breaches) can attract a maximum penalty of £17.5 million or 4% of the company's worldwide turnover.
The Data (Use and Access) Act 2025 is a major update to the UK's data protection and sharing laws. It aims to make it easier for organisations to use and share data responsibly, supporting innovation, economic growth, and more efficient public services. By modernising existing laws rather than replacing them, it strikes a balance between unlocking the value of data and protecting individual privacy in a rapidly changing digital landscape.
Updates the UK’s data protection framework (UK GDPR and Data Protection Act 2018) to fit the digital economy and new technologies better.
Enables more effective and lawful data sharing, for example in healthcare and infrastructure; the government expects this to add around £10 billion to the economy over 10 years.
Creates a legal basis for "smart-data" schemes (like open banking) and for trusted digital verification services.
Introduces clearer lawful grounds for using data (like "recognised legitimate interests") and streamlines international data transfers.
Reforms the Information Commissioner’s Office into a new Information Commission with updated powers.
Seeks to encourage data use while maintaining safeguards, though some critics warn privacy protections could be weakened if not implemented carefully.
Organisations need to have their finger on the pulse. To stay compliant and ahead of the curve, organisations should:
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection and GDPR Training Package offers a complete solution for your compliance programme. Courses in the library and training package that relate to the Data Use and Access Act include:
If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.