Following a lengthy legislative journey in the Parliament, the UK’s Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, bringing the most substantial updates to UK data protection law since Brexit.
We previously wrote a blog post when the Data (Use and Access) Bill was introduced in October 2024.
In this blog post, we will explore the key provisions of this new law and consider what it means in practice for organisations that handle personal data.
What is changing?
DUAA introduces various amendments to the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
Key changes include:
1. Lawful basis for processing: introduction of ‘recognised legitimate interests’
Under the UK GDPR, all organisations processing personal data must rely on a valid lawful basis in doing so, such as consent or legitimate interests.
DUAA introduces a new distinct lawful basis for processing personal data – recognised legitimate interest.
DUAA sets out a list of recognised legitimate interests:
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- national security, public security and defence
- emergencies
- detecting, investigating or preventing crime
- safeguarding of vulnerable individuals
Unlike the ‘legitimate interest’ lawful basis, no legitimate interest assessment is required when relying on a ‘recognised legitimate interest.’
2. Expanded ‘standard’ legitimate interest lawful basis
DUAA does not just introduce a new lawful basis, it also clarifies and supports the continued use of the existing ‘legitimate interest’ lawful basis under Article 6(1)(f) of the UK GDPR.
DUAA provides a non-exhaustive list of example activities that are likely to qualify as legitimate interests, such as:
- processing for direct marketing
- intra-group transfers of personal data for internal administrative purposes
- processing for network and information security
The above examples are designed to provide businesses with greater clarity and confidence when choosing legitimate interest as their lawful basis for their processing activities.
3. Compatible purposes of processing
Under the UK GDPR, the purpose limitation principle requires that personal data collected for one purpose must not be used for a new, unrelated purpose unless one of the following applies:
- the new purpose is compatible with the original purpose
- the data subject gives consent for the new purpose
- the processing is in the public interest
DUAA updates the purpose limitation principle under the UK GDPR by introducing statutory rules for determining whether new uses of personal data are compatible with the original purpose. This largely aligns with the ICO’s existing guidance.
In addition, organisations must, when assessing whether a new purpose is compatible, consider factors like the context of collection, the relationship between the original and new purposes and any safeguards in place.
Currently, the UK GDPR lists purposes which should be automatically considered compatible:
- archiving purposes in the public interest
- scientific or historical research purposes
- statistical purposes
If the new purpose is not one of the above, it could still be compatible with the original purpose, but a compatibility assessment would have to be undertaken to determine whether it is.
DUAA now expands the list of compatible purposes to include:
- protecting public security
- responding to an emergency
- safeguarding vulnerable individuals
- tax collection
- complying with legal obligations
This means that controllers do not have to conduct a compatibility assessment or obtain fresh consent when processing personal data for these newly added purposes.
4. Changes to automated decision making (ADM)
One of the key developments under DUAA is the easing of restrictions on decisions based solely on ADM – a significant shift for organisations using AI systems.
Currently, Article 22(1) of the UK GDPR gives data subjects the right not to be subject to a decision based solely on automated processing, which produces legal or similarly significant effects for the data subject, unless one of the following applies:
- the data subject has explicitly consented
- the decision is necessary for entering into, or performing, a contract with the data subject
- the decision is required or authorised by law
DUAA relaxes this general restriction on decisions based solely on ADM. This means that, subject to the exceptions below, organisations may use ADM that produces legal or similarly significant effects for the data subject when processing personal data under any of the lawful bases set out in Article 6 of the UK GDPR.
The two important exceptions are:
1. The prohibition on taking decisions based solely on ADM (unless one of the above conditions is met) continues to apply where special category personal data is processed.
2. Taking decisions based solely on ADM is also prohibited where the processing relies on the new ‘recognised legitimate interest’ lawful basis introduced under DUAA.
Requirement to have safeguards in place
DUAA introduces statutory safeguards that must be implemented when relying on decisions based solely on ADM. These include measures designed to ensure transparency about how decisions are made and mechanisms that allow individuals to contest or seek human review of those decisions.
These changes aim to balance innovation (particularly in AI and machine learning) with the need to maintain individual rights and protections.
5. Changes to the data subject right of access and complaints process
DUAA makes important changes to the data subject access rights under Article 15 of the UK GDPR.
Under Article 15(1) UK GDPR, individuals have the right to know whether their personal data is being processed and, if so, to access that data and supplementary details, such as the purposes of processing or the recipients of that data.
DUAA modifies this right, introducing a ‘reasonable and proportionate search’ threshold. This means that data subjects will only be entitled to receive the above information to the extent that the controller is able to provide it based on a reasonable and proportionate search.
This approach aligns with the ICO’s existing guidance, and DUAA now strengthens organisations’ ability to refuse or limit excessive requests. Although this may ease administrative burdens, it could raise concerns about the completeness of the information provided and potentially dilute transparency.
New requirement: direct complaints to controllers
In a further change, DUAA introduces a new requirement for data subjects to first raise complaints directly with the data controller before approaching the ICO.
Data controllers will now be required to:
- implement a formal complaints mechanism
- provide accessible means for submitting complaints
- acknowledge receipt of the complaint within 30 days
- update privacy notices to reflect this change, including clear instructions on how individuals can exercise their right
For data controllers, this change represents both a compliance obligation and an opportunity to build trust by improving their complaint-handling procedures. We will publish a separate blog post on this new requirement.
6. Increased fines under PECR
DUAA brings a significant shift in the UK’s data enforcement landscape by aligning the fining regime under PECR with that of the UK GDPR.
Previously, breaches of PECR (such as unlawful direct marketing) were subject to substantially lower fines than those under the UK GDPR. This distinction has now been removed.
Under the new law, the maximum fines for PECR breaches are:
- up to £17.5 million, or
- up to 4% of an organisation’s annual global turnover, whichever is greater
These expanded fining powers are likely to increase regulatory scrutiny of PECR compliance.
7. From Commissioner to Commission
Last but not least, one of the significant structural reforms introduced by DUAA is the replacement of the Information Commissioner with a new statutory regulator – the Information Commission.
Previously, the UK’s data protection regime was overseen by the ICO led by the Information Commissioner. All formal guidance, decisions and enforcement actions were issued in the name of the Commissioner.
DUAA now replaces this individual with a corporate body. The Commission retains the ICO’s existing powers but gains enhanced authority, for example:
- the power to require documents from controllers and processors that are ‘reasonably required’ to carry out its functions (amending section 142 of the DPA 2018)
- the ability to interview controllers or processors as part of its investigations or regulatory duties
We are not quite there yet
Now is the time to start preparing for the upcoming changes. However, it’s crucial to understand that no action should be taken based on these changes until they are officially in force. For the time being, existing rules, such as those relating to legitimate interests, purpose limitation or automated decision-making, remain unchanged.
The provisions of DUAA will come into force gradually between June 2025 and June 2026, mostly via secondary legislation, with key milestones to note:
June 2025: The first set of changes, including the new ‘reasonable and proportionate search’ threshold for subject access requests, is already in force.
August 2025: The new powers of the Information Commissioner, including the power to require documents, will take effect.
By June 2026: All remaining provisions are expected to be in force. Organisations should plan for staged compliance updates over this period.
In the meantime, the ICO is preparing guidance to reflect the new law. We will provide further updates as that guidance is published.
If you are seeking advice on the implications of this new law for your business or data protection law more generally, please do not hesitate to contact our data protection specialists Neil Williamson and Colin Lambertus who will be happy to assist.