Data (Use and Access) Act 2025 – what to expect

As of 19 June 2025, the Data (Use and Access) Act 2025 has become the latest development to update the UK data protection legislation, which consists of the Data Protection Act 2018, the UK GDPR and the Privacy and Electronic Communications Regulations (PECR) 2003.

The Data (Use and Access) Act 2025, also known as the DUAA, updates key aspects of the UK data protection legislation and incorporates some of the publicly available guidance to provide organisations with clarity on some of the more complex areas and to improve overall knowledge on compliance requirements.

So, what does the new UK data protection legislation look like? Below, we have set out some key changes your organisation will likely need to consider.

Recognised legitimate interests

The DUAA sets out a list of what would qualify as a ‘recognised legitimate interest’ to assist organisations in understanding when it may be appropriate to rely on legitimate interests as a lawful basis for processing. In contrast to the previous data protection regime, where organisations were required to carry out a legitimate interests assessment (LIA) for all purposes for processing that relied on legitimate interests as a lawful basis, the recognised legitimate interests do not require an organisation to undertake an LIA.

The recognised legitimate interests include:

• When controller one requests personal data from controller two to carry out a public interest task, the DUAA permits sharing.
• When the processing is necessary for national security, public safety, or defence.
• In response to emergencies under the Civil Contingencies Act 2004, such as threats to human welfare, the environment, or national security (e.g. war or terrorism).
• For detecting, investigating, preventing crime, or prosecuting offenders.
• To safeguard a child or vulnerable adult.

Completing LIAs can be challenging and time-consuming for organisations, so relying on one of the recognised legitimate interests (albeit they are narrow in scope) will make it less burdensome for organisations to comply with the accountability principle set out in Article 5 UK GDPR.

Soft opt-in for charities

The DUAA updates the Privacy and Electronic Communications Regulations (PECR) by enabling charities to send direct marketing to individuals who:

• Have expressed an interest in one or more of its charitable purposes.
• Where individuals have offered to provide support to further the charity’s purposes.

However, this can only be done on the basis that the nature of the direct marketing is to further the charity’s charitable purposes, and the individual has been given a simple means of refusing to have their contact details used for direct marketing.

Under the previous data protection regime, this exception to PECR (which is commonly referred to as the soft opt in) was only available to commercial organisations. However, the DUAA has widened the scope to allow charities to take advantage of the same rules where individual’s support their cause, e.g. via donations, or expressing an interest in the charity’s charitable purposes.

Reusing personal data 

The DUAA allows organisations to reuse personal data for a new purpose for processing that is compatible with the original purpose without having to complete a compatibility test. However, this can only apply on the basis that your organisation is certain that the new purpose for processing is compatible with the original purpose.

If your organisation is unsure whether the new purpose is compatible with the original purpose, it must complete a compatibility test before processing personal data for the new purpose.

Supervisory authority

The DUAA provides the Information Commission (previously known as the Information Commissioner’s Office under the previous regime) with new powers of enforcement in addition to those set out under the Data Protection Act 2018. This includes:

• Compelling a witness to attend an interview.
• Requesting technical reports to assist an investigation that the ICO has launched against an organisation.
• Issue fines of up to £17.5 million or 4% of the global annual turnover under PECR (which, under the previous data protection regime, only enabled the ICO to impose fines of up to £500,000).

Data rights requests

Two minor changes the DUAA makes in relation to the handling of data rights requests (for example, subject access requests) are concepts already adopted by most organisations. This is because these concepts have been taken from public guidance. For example, organisations are only required to:

• Carry out reasonable and proportionate searches when locating personal data.
• Respond to a data rights request within the applicable time period, which will depend on whether an organisation can comply with the request immediately, if it is required to obtain further information, or if it is required to clarify the scope of the request.

The DUAA has introduced a key change to how people can make complaints about their data rights. Now, before contacting the ICO, individuals must first complain directly to the organisation. Under the previous rules, people could go straight to the ICO if they were unhappy with how their data rights request was handled. That’s no longer the case — they must now give the organisation a chance to respond first.

Organisations must set up a complaints process to handle these issues and respond within 30 days. To make things easier, the ICO recommends offering an online complaint form to help individuals submit their concerns.

Processing personal data for scientific research purposes

The DUAA enables organisations to reuse individuals’ personal data without providing them with a copy of the relevant privacy notice. However, this only applies where providing a copy of the relevant privacy notice would be considered a disproportionate effort.

Automated decision-making

Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Examples of this include:

• An online decision to award a loan.
• An aptitude test used for recruitment which uses pre-programmed algorithms and criteria.

The DUAA opens up the lawful bases (for example, legitimate interests), on which an organisation may rely to make significant automated decisions about individuals. However, they must have proper safeguards in place and meet extra requirements if they are using special category data.

Website cookies

The DUAA will allow organisations to use some website cookies to collect an individual’s technical and usage data without having to obtain their consent, for example, to collect personal data for statistical purposes and to improve the overall functioning of the website.

In relation to cookies that are used for marketing purposes (for example, targeting cookies), organisations must still comply with the requirements set out in PECR and obtain consent from the website user via a cookie pop-up before using their technical and usage data for marketing purposes.

When are we required to comply with the provisions set out in the DUAA?

The ICO has advised that the DUAA will come into effect in phases. It has been added that organisations should follow the old data protection regime in the meantime, as it anticipates that the changes proposed by DUAA will come into effect within two, six, and 12 months after the DUAA came into effect (19 June 2025).

The ICO has recognised that the DUAA’s implementation phase can cause some concern around what an organisation is required to do at a certain time so it has reassured organisations that it will apply the law as it stands at the time an infringement has taken place, rather than the date the ICO has received a complaint.

For more information on the changes proposed by the Data (Use and Access) Act 2025, please contact Rhiannon Hastings, a data protection paralegal in the commercial team, by emailing: [email protected]