
Data (Use and Access) Act 2025 – what do I need to do?

6th Nov 2025 | Data Protection | Data Protection Audit for Businesses | Data Protection Round-up

Earlier this year, we produced an article explaining some of the more notable changes that the Data (Use and Access) Act (the DUAA) 2025 proposes to make to the existing data protection regime.

But what do these changes mean from a more practical perspective? Here are some tasks your organisation may need to consider to ensure compliance with the DUAA.

Legitimate interest assessments (LIAs)

What’s changing?

The DUAA sets out a list of what would qualify as a ‘recognised legitimate interest’. This means that any purposes for processing that fall within this scope do not need to be documented in a legitimate interest assessment (LIA).

Under the existing data protection regime, any purposes for processing that rely on legitimate interest as a lawful basis must be documented in an LIA to demonstrate that an organisation has assessed whether its interests, or a third party’s interests, outweigh the interests of the data subjects affected by the processing.

Once this change is in force, any purposes for processing that qualify as a recognised legitimate interest do not need to be captured in an LIA. However, any purposes for processing that fall outside this scope will still need to be documented.

If your organisation relies on legitimate interest as a lawful basis for processing, it must:

  1. put an LIA in place for all purposes for processing that rely on legitimate interest as a lawful basis (if it hasn’t already); and

  2. review the LIA once the change proposed by the DUAA in relation to recognised legitimate interests is in force to determine whether any purposes for processing documented in the LIA can be removed.

When will this change happen?

This change under the DUAA is not in force, so organisations cannot update their LIAs at the moment. A date for this change has not been set. However, we anticipate that it will be in force between January and June 2026.

Record of Processing Activities (ROPA)

What’s changing?

Organisations that have over 250 members of staff and/or process special category data must put a ROPA in place to document how they collect and process personal data.

Whilst a ROPA is not mandatory for all organisations, we strongly recommend implementing this to ensure your organisation’s policies and procedures (for example, its privacy policies) are accurate.

With the DUAA in mind, if your organisation has a ROPA in place, it may need to update it to ensure that:

  • it addresses any purposes for processing that qualify as a recognised legitimate interest and therefore do not require an LIA; and

  • it captures any automated decision-making the organisation decides to carry out considering the changes proposed by the DUAA.

When will this change happen?

Whilst the changes bullet-pointed above are not in force, we recommend diarising 19 June 2026 (a year since the DUAA received royal assent) to review the ROPA to ensure it is compliant with the DUAA.

Complaints procedure

What’s changing?

The DUAA no longer allows data subjects to submit a complaint to the ICO (which will be known as the Information Commission from April 2026) immediately after receiving a response to their data protection rights request (for example, a subject access request).

Instead, the data subject must submit a complaint to the organisation first to provide it with an opportunity to review the handling of the request.

If, following the organisation’s response to the complaint, the data subject remains unsatisfied, the data subject can then submit a complaint to the ICO.

Organisations will be required to implement a complaints procedure to ensure they can handle complaints of this nature. The ICO has produced a brief guide on how to approach a complaint.

To ensure complaints are dealt with appropriately, organisations must consider the statutory timescale for dealing with a complaint (i.e. acknowledging receipt within 30 days of receiving it) and the subsequent process (for example, appointing another individual within the organisation to deal with the complaint).

We recommend putting a policy in place to set out a step-by-step process that explains to data subjects how their complaints will be dealt with, as well as acting as a useful tool to ensure a consistent approach is taken when dealing with complaints.

When will this change happen?

Whilst this change is not in force, we recommend putting a plan in place to ensure your organisation is prepared to deal with complaints once it is in force.

A date for this change has not been set. However, we anticipate that it will be in force between January and June 2026.

Cookie policies and pop-ups

What’s changing?

If your organisation operates a website and it wants to utilise the third exception proposed by the DUAA to the collection of technical and usage data using website cookies, you may need to amend your organisation’s cookie policy.

This is to ensure that it explains to website users that it will only enable website users to set preferences for the use of functionality and targeting cookies.

The DUAA amends the Privacy and Electronic Communications Regulations 2003 by allowing organisations to use cookies to collect a website user’s technical and usage data:

  1. where a user has given their consent;
  2. where the storage or access is strictly necessary to deliver a requested service (strictly necessary cookies); or
  3. to collect statistical information about how an organisation’s online services are used (analytical or performance cookies).

Under the existing data protection regime, only the first and second exceptions above are available. The third exception (which is new under the DUAA) will be available in addition to the first and second exceptions.

If your organisation wants to take advantage of the third exception, in addition to amending its cookie policy, it will also need to amend its cookie pop-up.

When will this change happen?

This change under the DUAA is not in force, so organisations cannot update their cookie policies and cookie pop-ups at the moment. Again, a date for this change has not been set. However, we anticipate that it will be in force between January and June 2026.

Need further support?

For more information on the changes proposed by the Data (Use and Access) Act 2025, or if you require any assistance in dealing with the above, please contact Rhiannon Hastings, a data protection paralegal in the commercial team, by emailing [email protected].
