GDPR & Data Protection

Understanding the Data (Use and Access) Act 2025 

The Data (Use and Access) Act 2025 introduces major reforms to the UK’s data protection landscape — from scientific research and children’s data to DSARs, cookies, and international transfers. Read more to find out what the changes mean for your organisation, and how to stay compliant under the new rules.


The Data (Use and Access) Act 2025 is an update of the UK’s data protection rules. It came into effect on 19 June 2025, when the Data (Use and Access) Bill received Royal Assent and became a new Act of Parliament, the Data (Use and Access) Act 2025 (DUAA). Essentially, it introduces innovative and pragmatic reforms to the UK’s data protection frameworks, which include the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). Whilst still protecting people’s privacy, the Act is designed to make it easier for businesses, researchers and public services to use data responsibly in smarter ways, such as in the implementation of AI systems, digital services and smart data sharing initiatives.


Fundamentally, the Act addresses some pertinent compliance challenges including: enabling the wider use of automated decision-making (ADM); providing more flexibility in the rules around scientific research; and simplifying how organisations respond appropriately to Data Subject Access Requests (DSARs). 

Similarly, the Act introduces (as well as strengthens) governance and accountability requirements around certain processes like: mandatory electronic complaint handling (where practicable); and implementing enhanced mechanisms for children’s data protection. 

Looking ahead, the Act has laid a foundation for organisations to embrace and navigate more comfortably the challenges of digital ID systems, smart data-sharing schemes (e.g. data portability tools) and cross-border or international data transfers.

Key Changes Introduced by DUAA

Scientific Research 

A new definition of scientific research has been introduced into the UK GDPR by broadening the scope to include publicly funded, commercial and private-sector research. Consent has also been amended to be interpreted broadly in the context of scientific research, recognising that the precise purposes for collection of personal data may not always be clear or fully defined at the outset. Additionally, the distinction between statistical purposes and scientific research, as previously outlined in ICO guidance and GDPR recitals, has now been formalised in UK law. The reuse of personal data for statistical purposes is permitted, provided certain appropriate safeguards (such as pseudonymisation and data minimisation) are applied. These provisions are now legally binding rules, offering a level of clarity and certainty in the processing of personal data for research and statistical purposes. 

Data Protection for Children 

Protections for children’s data are strengthened by the Act as it introduces stricter responsibilities for “online services” that are likely to be accessed by young users – this means things such as online shopping platforms, apps, social media platforms, streaming services, educational apps and online games.  

Organisations have increased responsibilities to assess and mitigate risks to children’s privacy, ensuring that their services are designed with child safety as a priority. Crucially, the Act reinforces the legal obligation to comply with the Age-Appropriate Design Code (AADC), embedding its principles more firmly into law. Services must consider the best interests of the child in all aspects of data processing, apply high privacy settings by default, and provide clear, accessible information about how children’s data will be used.

Lawful Bases and Recognised Legitimate Interests (RLIs) 

The Act has introduced some minor changes to the lawful bases for processing, specifically relating to public interest tasks and legitimate interests. It confirms that when relying on the public interest basis, the basis of the task must be laid down by law, thus eliminating ambiguity over shared responsibilities.  

It introduces a defined list of Recognised Legitimate Interests (RLIs), such as fraud prevention, emergency response, and safeguarding, which organisations can rely on without conducting a traditional balancing test. However, they must still demonstrate that the data processing is necessary for the stated purpose. As with legitimate interests, public authorities cannot rely on RLIs when carrying out official functions or powers, maintaining a stricter standard of accountability. 

Purpose Limitation & Annex 2 

DUAA amends the rules on when further use of personal data is considered compatible with the purpose for which it was originally collected. Where personal data was originally collected with consent, further use is permitted if it aligns with what the individual would reasonably expect, even if it is not strictly limited to the original purpose. For personal data not collected on the basis of consent, further use is only allowed where it is compatible and does not override the rights and freedoms of the individual (a compatibility assessment would usually be required to determine whether the new purpose is compatible). The Act now introduces a pathway (the Annex 2 conditions) under which a compatibility assessment is no longer required, reducing the administrative burden on organisations whilst still ensuring that appropriate safeguards are implemented.

Data Subject Rights 

As provided in ICO guidance for handling data subject access requests (DSARs), the one-month legal response timeframe starts with the latest of: receipt of a request; satisfactory identification and verification; and payment of any applicable fee. Controllers may pause the clock while waiting for verification, thus promoting fairness in managing ambiguous requests. Additionally, searches need only be “reasonable and proportionate”, helping organisations to avoid disproportionate burdens. However, difficulties such as large data volumes or poor data governance or structure are not valid grounds for withholding information. The Act has now enshrined into law these key elements of the ICO’s guidance on DSARs (including related GDPR recitals). These principles, which were previously best practice, are now binding requirements that must be considered in the processing of DSARs. Simultaneously, DUAA also reinforces the right to data portability, paving the way for enhanced usability and digital innovation.

Complaint Procedures 

DUAA introduced a new legal right for individuals to complain directly to data controllers, which helps to demonstrate an organisation’s accountability and transparency under data protection law.

Data controllers are now legally mandated to provide simple, accessible and clear mechanisms for individuals to raise complaints about the handling of their personal data. Organisations must update their privacy notices to inform individuals of their right to complain and how to do so. Controllers should also review and update their internal complaint-handling procedures where necessary to provide prompt and fair responses. Relevant staff should be made aware of, and trained in, the new requirements on data handling practices to ensure adequate support for complainants.

Automated Decision-Making (ADM) 

Automated decision-making (ADM) is still permissible but is subject to enhanced safeguards, particularly when it involves special category data. DUAA introduces stricter rules for ADM where such sensitive data is processed without human involvement, buttressing the need to protect individuals’ rights and freedoms. Typically, organisations must inform individuals when ADM is being implemented, the reasoning or logic behind it and any potential consequences; individuals have the right to obtain meaningful human intervention and express their views, as well as to contest decisions made solely by automated means. Where ADM involves special category data, explicit consent or substantial public interest must be in place. The required safeguards include risk assessments and robust governance processes, ensuring that organisations do not allow fully automated systems to make impactful decisions about people without appropriate oversight and safeguards, especially in high-risk contexts.

International Data Transfers 

DUAA provides a new UK data protection test for international data transfers, which replaces the “not undermined” threshold with a new “not materially lower” test. Essentially, under the updated regime, organisations must ensure that the data protection regulation of the destination country is not materially lower than the standard of protection afforded under UK data protection law. This gives more flexibility whilst maintaining appropriate safeguards. Consequently, Transfer Risk Assessments (TRAs) must be updated to reflect the new threshold (the applicable legal frameworks and the rule of law in recipient countries are also considered in assessing materiality). Policies, contractual clauses and any technical and organisational measures should also be reviewed and updated in line with the adjusted standard in any assessments.

In other words: instead of asking whether the recipient country’s data protection regulation undermines UK data protection (this is the stricter test under UK GDPR), the new test is whether its protections are not materially lower – allowing for minor differences as long as the overall level of protection is not significantly reduced. 

Privacy and Electronic Communications Regulations (PECR) Changes

The Act expands the exceptions to cookie consent; for example, analytics cookies used to improve service delivery may now be exempt where privacy risks are low. For information society service (ISS) providers, new rules allow specified low-risk cookies without consent, especially for security or service improvement. The “soft opt-in” rule was previously limited to commercial marketing but has now been extended to not-for-profit organisations and charities, enabling them to send marketing messages to existing supporters under certain conditions. Quite importantly, DUAA has increased the maximum PECR fines from £500,000 to the same levels as under UK GDPR: up to £17.5 million or 4% of global turnover. This clearly underscores the regulatory outlook and the expectation that electronic communications and direct marketing practices must meet modern privacy standards.

Information Commissioner’s Office (ICO) Enforcement Powers 

Under DUAA, the powers of the ICO have been expanded to enhance regulatory oversight and accountability. As such, the ICO can now compel organisations to provide documents and attend interviews during investigations, significantly strengthening its ability to uncover non-compliance. The ICO has also been empowered to commission third-party audits, allowing it to assess an organisation’s data protection practices independently. The DUAA also extends the timeframe for the ICO to issue monetary penalty notices (MPNs) from six (6) months to up to two (2) years, giving the ICO greater flexibility to conduct thorough investigations, particularly in cross-border cases, which have been a challenge.

What Should Organisations Do Now?

Following the DUAA, organisations must update their data protection practices to ensure compliance with the amended UK GDPR and PECR. Key actions include revising privacy notices to reflect changes such as new lawful bases and expanded data subject rights, including the legal right to complain directly to data controllers. DSAR procedures should be reviewed for clarity, accessibility and compliance with new timelines and expectations. Records of Processing Activities (RoPA) must be updated, particularly to align with Annex 1 and 2 lawful bases and new conditions for compatible further use. Cookie notices should be revised in light of expanded expectations and new rules for information society service (ISS) providers. Organisations must reassess lawful bases for all processing activities, ensuring conformity with DUAA annexes. Finally, relevant staff of organisations should receive updated training to implement these changes effectively and maintain accountability under the new framework. 

Final Thoughts

The Data (Use and Access) Act 2025 marks an important evolution in the UK’s data protection landscape. Rather than overhauling existing frameworks, it refines and extends them, offering greater clarity, promoting responsible data use, and enabling innovation across sectors. While the Act introduces welcome flexibility, it doesn’t reduce the need for robust accountability.

To stay ahead, organisations should take a proactive approach: review and update their data protection policies, assess data-sharing practices, and ensure governance frameworks align with the new requirements. 

If you're unsure where to begin or want peace of mind that you're on the right track, Bulletproof’s expert consultants are here to help. Whether it’s gap analysis, policy updates, or ongoing compliance support, we can guide you through the transition with confidence.