The Data Use and Access (DUA) Act was granted royal assent on the 19th of June 2025. Since then, provisions such as the requirement for Subject Access Request searches to be reasonable and proportionate, as well as the Secretary of State’s power to make secondary legislation, have come into force.
Furthermore, the Information Commissioner’s Office’s (ICO) powers to serve notices and to require documents are expected to come into force on the 19th of August 2025. Any other changes discussed in this article will come into force within a period of six to twelve months.
This article aims to provide a thorough overview of the changes introduced by the DUA Act, how it differs from the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations (“PECR”) and any impacts on your organisation.
- Automated Decision Making
Previously, under the UK GDPR, solely automated decision-making using personal or special category[1] data was prohibited, with certain exceptions. Under the DUA Act, once Section 80 is in force, automated decision-making would be permitted under nearly all lawful bases unless special category data is involved, in which case the restrictions under the UK GDPR would continue to apply.
This change would likely be welcomed by most organisations relying on automated decision-making which has a significant legal or similar effect on individuals, such as in recruitment.
However, organisations would still need certain safeguards in place, similar to those under the UK GDPR: the right to human intervention, the ability to challenge the decision, transparency about the logic and criteria used, and so on.
The ICO is currently reviewing its guidance on Automated Decision Making and Profiling and will be publishing final guidance in winter 2025, or early in 2026.
- Data Subject Rights
The DUA Act provides that data subjects can complain directly to the organisation acting as the controller of their data if they believe that their data has been used unlawfully. The organisation in turn must streamline this complaints procedure for data subjects by providing an electronic complaints form, acknowledging receipt of the complaint within 30 days and responding to it without undue delay. Data subjects must also be kept updated throughout the process.
In terms of when the 30-day clock starts and pauses, the DUA Act provides some clarification. In particular, this period begins when the organisation receives:
- the request,
- additional information reasonably required to process the request such as documents for identity verification, or
- a fee if the request is manifestly unfounded or excessive.
Finally, the DUA Act also confirms that an organisation, when dealing with a data subject access request, need only conduct reasonable and proportionate searches for the relevant information.
These do not present major changes to an organisation’s operations, as these points were previously covered in recitals or ICO guidance. Note, however, that before these provisions of the Act come into force, organisations should have a mechanism in place which allows data subjects to file their complaint electronically so that it can be identified and processed by the relevant individuals within the organisation. This electronic form could be made available as part of the privacy notice (as a hyperlink).
- International data transfers
One of the most important changes introduced by the DUA Act relates to international data transfers. Originally, under the UK GDPR, a country or international organisation would have to demonstrate that its data protection regulations and practices are equal to the UK’s. Now, however, the new test is that the standard of protection must not be “materially lower” than the UK’s. This therefore lowers the benchmark.
In terms of an organisation’s operations, this change should make the processing of personal data belonging to UK residents in countries or organisations outside the EEA much easier. At the same time, given that the UK’s adequacy decision is already set to expire on the 27th of December 2025, these changes may lead the EU Commission to scrutinise the UK’s adequacy heavily. However, the UK government is confident that this will not be the case.
The ICO will be publishing ‘International Transfers’ guidance in winter 2025, or early in 2026.
- Information Commission
The DUA Act replaces the ICO with the IC, that is, the Information Commission. This restructures the ICO as a corporate body led by a chair, a chief executive and other non-executive and executive members with shared decision-making responsibilities. This change aligns the ICO with other domestic regulators, thereby enhancing diversity and resilience in the decision-making process.
In practice, this change will likely not affect an organisation’s operations. The current Information Commissioner, John Edwards, will become the first Chair of the IC until the end of his appointment in January 2027. The IC’s approach to enforcement is therefore likely to remain the same.
- Legitimate Interests
The DUA Act streamlines the process of relying on the ‘legitimate interests’ lawful basis under the UK GDPR. It does so primarily by introducing a new lawful basis, ‘recognised legitimate interests’, which applies when processing is necessary for one of a range of purposes listed in a new annex. These include safeguarding vulnerable individuals, national security and so on.
Additionally, the Act gives legal footing to certain activities of organisations which could fall under the ‘standard legitimate interests’ lawful basis. These include processing for direct marketing, intra-group transfers of personal data, and network and information systems security.
These changes may not be as helpful for organisations as they appear, since the application of the new lawful basis is quite narrow. A crucial point is that a balancing test (Legitimate Interests Assessment) will not be required; however, the processing must be necessary. As regards the ‘standard legitimate interests’ lawful basis, these examples were previously present in the recitals.
The ICO will be publishing guidance on the new lawful basis in winter 2025, or early in 2026.
- Purpose Limitation
The DUA Act introduces two sets of rules when it comes to further processing of personal data. For data which was originally processed under the lawful basis of consent, new processing would be considered compatible with the original purpose in certain circumstances. These include obtaining fresh consent, processing required to comply with data protection principles, and public interest reasons under Article 23(1) of the UK GDPR. The Act also provides a list of reasons which may be considered compatible. However, when relying on any condition other than obtaining new consent, the controller[2] would have to show that it was unreasonable to obtain fresh consent.
When data was originally processed under a lawful basis other than consent, in addition to the above conditions, processing for research, archiving or statistical purposes will also be considered compatible.
This is relevant for organisations because, if the above-mentioned conditions apply, a compatibility test will not be required. However, further processing must comply with the fairness and transparency principles under Article 5 of the UK GDPR and have appropriate safeguards in place (as under Article 89(1) of the UK GDPR). The compatibility test under Article 6(4) of the UK GDPR continues to apply to commercial and other non-exempted secondary uses.
- PECR updates
The DUA Act introduces amendments to the PEC Regulations, the most important of which is that penalties have been increased to a maximum of £17.5 million or 4% of annual turnover (whichever is higher). Previously, fines were capped at £500,000. Additionally, the Act allows certain types of cookies to be set without user consent. These exemptions include cookies set for statistical analysis and to improve website functionality. Finally, PECR will also be updated to allow charities to use the ‘soft opt-in’ exemption for direct marketing. This exemption allows charities to send marketing emails without explicit consent if the recipient has shown interest in or support for the charity’s cause and is offered the chance to opt out at sign-up and in each subsequent communication.
Once in force, these changes will require organisations to update their policies, as they may benefit from reduced reliance on cookie banners and greater flexibility in direct marketing. However, organisations must ensure continued transparency to remain compliant, as any breach could now lead to significantly higher penalties.
How can IGS help?
At IGS, we are a team of legally trained consultants who are subject matter experts in all things data protection. Our consultants can help your organisation adapt where necessary to the DUA Act.
The legislative process of passing the DUA Bill into an Act as well as a final copy of the Act can be found here.
[1] For a detailed explanation of personal and special category data, please refer to our article published in April 2025.
[2] For a detailed explanation of controllers and processors, please refer to our article published in January 2025.