Today, we’re exploring a piece of legislation that might sound technical at first glance but has the potential to reshape how organisations and individuals handle data: the Data Use and Access Act 2025 (DUAA).
Now, data law isn’t always the most exciting topic, but this Act is different. It introduces significant changes in how data can be accessed, shared, and safeguarded, with wide-reaching implications for businesses, public bodies, and everyday citizens alike.
Over the course of this post, we’ll break down what the DUAA is, why it matters, and what it could mean for the future of data management. Think of it less as dry regulation, and more as the rulebook for a new data-driven era.
What Is DUAA?
First things first: what is DUAA? In simple terms, it’s a brand‑new Act of Parliament that tweaks, updates, and modernises existing data laws like the UK GDPR, the Data Protection Act 2018, and PECR, but it doesn’t replace them. It’s a way to help organisations innovate, grow, and use personal data more flexibly, while still protecting people’s rights [1].
It received Royal Assent on 19 June 2025, and the roll‑out is happening in stages from June 2025 to June 2026 [2].
Why Your Organisation Should Care
So, why should you care? Because DUAA opens doors. It gives you more freedom to tread new ground, whether that’s through research, smarter cookie usage, or automated decisions, without dropping safeguards. And it brings a fresh structure to the ICO itself [1].
Top Highlights for Organisations
Scientific Research Made Easier
Now includes commercial research, not just academic. You can obtain broad consent for research that evolves over time, rather than locking in specific purposes upfront [3].
Smarter Privacy Notices
For scientific research, if giving privacy notices is a huge hassle, you can skip it, as long as you explain what you’re doing online, saving effort while keeping transparency [1][3].
Automated Decision‑Making Gets Flexible
You can now use legitimate interests as a basis for making automated decisions if you have safeguards. Just remember: this doesn’t apply to special category data like health or ethnicity [3][1].
Cookies Without Consent—In Some Cases
Basic analytics, accessibility tools, or service improvements no longer require cookie consent, but users still need to be informed [4][5].
Unified Enforcement & Higher Fines for PECR
PECR enforcement now aligns with GDPR, meaning fines for breaches can be as steep as £17.5 million or 4% of global turnover [4].
Recognised Legitimate Interests
New legal basis for public-interest scenarios (like crime prevention or public health) that don’t require a balancing test [3].
Reasonable & Proportionate Subject Access Requests (SARs)
You’re only required to make reasonable searches, not exhaustive ones. And you can pause the response “clock” while verifying identity or scope [3][6].
Children’s Data Gets Extra Attention
You must explicitly consider the unique needs of children when processing their data, a requirement you’re likely already meeting if you follow the Children’s Code [3].
A New ICO Structure
The “Information Commissioner” becomes the Information Commission, complete with a board and CEO, bringing more transparency and accountability [3].
ICO Consultations & Guidance on the Way
The ICO is actively consulting on guidance for ‘recognised legitimate interests’ and data protection complaints procedures; keep an eye out and consider responding [7].
Watchouts & What You Should Do Now
Right, a few things to keep on your radar:
- Some campaigners have raised concerns that DUAA grants the Secretary of State powers to amend rules with limited oversight, what they call ‘Henry VIII powers.’ They argue this could risk political misuse of personal data (theguardian.com) [8].
- Businesses worry about data access schemes, like being required to share proprietary data for innovation (think AI), which may be costly and risky (thetimes.co.uk) [9].
So here’s what you can do today:
- Familiarise yourself with the changes and identify which apply to your operations.
- If you serve children, ensure your “child-first” designs are up to scratch.
- Start building a robust data protection complaints process.
- Watch for new ICO guidance and respond to their consultations.
Wrap-Up & Take-Home Message
DUAA is a big step toward smarter, more flexible, and innovation-friendly data law in the UK. The key? Embrace the opportunities but stay grounded in accountability and rights.
1. https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/
2. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/uk-organisations-stand-to-benefit-from-new-data-protection-laws/
3. https://www.bridewell.com/insights/blogs/detail/understanding-the-data-use-and-access-act-2025/
4. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/uk-organisations-stand-to-benefit-from-new-data-protection-laws/
5. https://www.morganlewis.com/blogs/sourcingatmorganlewis/2025/08/the-data-use-and-access-act-2025-a-strategic-update-to-uk-data-privacy-regulations/
6. https://www.clydeco.com/en/insights/2025/07/the-data-use-and-access-act-2025/
7. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/08/ico-launches-consultations-for-data-use-and-access-act-2025-amendments/
8. https://www.theguardian.com/world/2025/apr/01/data-privacy-campaigners-warn-of-henry-viii-powers/
9. https://www.thetimes.co.uk/article/data-use-and-access-bill-could-create-unintended-risks-for-businesses-tzrxn3xbv/