UK Data (Use and Access) Act 2025 DUAA


If you’re steering your organization through the choppy waters of data protection, you’ve likely heard the buzz about the UK’s latest legislative voyage: the Data (Use and Access) Act 2025 (DUAA). Enacted on June 19, 2025, this Act isn’t a full overhaul of the UK’s data regime but a targeted upgrade designed to foster innovation, streamline processes, and bolster economic growth all while keeping individual rights firmly anchored.

What Is the Data (Use and Access) Act 2025?

The DUAA amends existing laws like the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR), rather than replacing them. Born from the long-debated Data Protection and Digital Information Bill, it received Royal Assent just last month and aims to modernize the UK’s data framework. The government touts it as a way to reduce bureaucratic burdens, encourage data-driven innovation (think AI and research), and improve public services, without diluting core protections.

Implementation won’t happen overnight—changes are phased in from June 2025 to June 2026, giving organizations time to adjust. The Information Commissioner’s Office (ICO) plays a starring role, with updated guidance expected soon to help navigate these waters.

Key Provisions: What’s Changing?

The DUAA introduces reforms across several areas, making data use more flexible while adding safeguards. Here’s a roundup of the highlights:

  • Research and Innovation Boosts: Scientific research (including commercial research) gets a clearer definition, and “broad consent” is allowed for areas of study, subject to ethical standards. Privacy notices can be omitted where providing them would be disproportionate, provided the notice is published online. Safeguards like data minimization remain, with powers for the Secretary of State to add more.
  • Legitimate Interests and Processing Grounds: New “recognized legitimate interests” (e.g., national security, crime prevention) skip the balancing test. Further processing for compatible purposes is easier, and public task disclosures to authorities are streamlined.
  • Automated Decision-Making (ADM): A more permissive framework allows ADM under legitimate interests (with safeguards such as human intervention), but not for special category data. Law enforcement gets an “active human review” exemption to avoid tipping off suspects.
  • Data Subject Rights: Subject access requests (SARs) now require only “reasonable and proportionate” searches, with a “stop the clock” for clarifications. New duties include electronic complaint forms and 30-day acknowledgments.
  • International Transfers: A “not materially lower” protection test replaces stricter adequacy reviews, easing flows to third countries. No more four-year reviews for adequacy decisions.
  • Children’s Data: Online services must design with children’s protection in mind, aligning with the Age Appropriate Design Code.
  • PECR Updates (Cookies and Marketing): Non-essential cookies for stats or site improvements can be set without consent if users are informed and can opt out. Charities get a “soft opt-in” for electronic marketing to supporters. “Calls” and “communications” definitions expand to cover failed attempts.

These changes aim to cut red tape (e.g., no more logging justifications for law enforcement data access) while promoting sectors like edtech and AI through new ICO codes of practice.

Enforcement: The ICO’s New Superpowers and Stormy Penalties

Enforcement is where the DUAA really sharpens its sword, aligning regimes across UK GDPR, DPA 2018, and PECR for consistency and bite. The ICO emerges stronger, with a revamped structure, new investigative powers (e.g., compelling interviews and data access), and duties for greater transparency and accountability. Expect more proactive regulation, including codes on AI and edtech.

Penalties are ramping up, especially under PECR: Fines now align with GDPR levels—up to 4% of global annual turnover or £17.5 million (whichever is higher) for breaches like unsolicited marketing or cookie violations. This “dramatic increase” from previous PECR caps (£500,000) means nuisance calls or non-compliant cookies could sink your budget. Breach reporting tightens too—telecom providers must notify the ICO within 72 hours, mirroring GDPR.

Sectoral codes of conduct (approved by the ICO) can now demonstrate PECR compliance, offering a lifeline for industries like marketing. But beware: Expanded definitions mean even undelivered spam could trigger enforcement.

Implications for Businesses: Smooth Sailing or Rough Seas?

For compliance captains, the DUAA is a mixed bag. On the plus side, it eases burdens: think fewer consent hurdles for cookies, broader research uses, and simplified SARs, potentially saving time and costs. Global firms benefit from easier data transfers, and innovators get a green light for AI and analytics.

But risks lurk: Higher PECR fines demand airtight cookie consent banners and marketing opt-outs. Children’s data duties could trip up online platforms, and ADM safeguards must be watertight to avoid challenges. Non-compliance could invite ICO audits, especially as the regulator gains teeth. Multinationals juggling EU GDPR and UK rules should note divergences, like the new legitimate interests.

Compliance Tips: Chart Your Course

To avoid enforcement icebergs, here’s your Captain Compliance checklist:

  • Audit and Update: Review cookie policies, consent mechanisms, and ADM processes against new exceptions and safeguards. Test for children’s access if applicable.
  • Train Your Crew: Educate teams on broad consent, legitimate interests, and complaint handling—aim for electronic forms and quick acknowledgments.
  • Monitor Transfers: Use the “not materially lower” test for international flows, but document assessments.
  • Prepare for PECR: Align marketing with soft opt-ins (for charities) and expanded definitions; brace for higher fines by logging opt-outs rigorously.
  • Stay Informed: Subscribe to ICO updates—guidance on PECR drops Winter 2025/26—and consider sectoral codes for compliance proof.
  • Risk Assessments: Conduct DPIAs for new uses like research or ADM to preempt issues.
  • Sign up for Captain Compliance: Use a software provider you can count on to deliver compliance and Captain Compliance is that solution.

Set Sail with Confidence

The DUAA signals the UK’s ambition to lead in data innovation while enforcing robust protections, a balanced approach that could give your organization a competitive edge if navigated wisely. Enforcement is tougher, but with preparation, you’ll weather any storm. Keep an eye on phased rollouts and ICO guidance; as always, compliance isn’t just about avoiding fines, it’s about building trust and using software to automate the privacy requirements.
