On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, becoming law in the UK and marking a significant development in the country’s data protection framework. The first provisions will take effect on 20 August 2025 under the Commencement No. 1 Regulations, with others phased in through mid‑2026; some changes (most notably those affecting subject access requests) are already in force.

The DUAA amends, but does not replace, the UK GDPR, the Data Protection Act 2018 (DPA 18), and the Privacy and Electronic Communications Regulations (PECR). It is designed to make the regime more practical by addressing compliance challenges and operational inefficiencies identified in recent years, and by updating obligations to reflect the current technological and business state of the art. The aim, as also stated by the Information Commissioner’s Office (ICO), is to “promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights”.

For UK‑facing organisations, the DUAA affects several key areas, including the lawful basis framework, rules for secondary processing, rights‑related obligations, the structure of automated decision‑making (ADM), and requirements for cookies and international data transfers. While some reforms simplify or streamline compliance, others introduce new duties, particularly in areas such as complaint handling and children’s online services. The changes are too extensive to address in full here, so we have selected three reforms that are especially relevant to the day‑to‑day privacy compliance activities of organisations.

Recognised Legitimate Interests: Lawful Processing Without a Balancing Test

One of the DUAA’s most significant innovations is the introduction of Recognised Legitimate Interests (RLIs) via Section 70 and Schedule 4 of the DUAA. Annex 1 of the amended UK GDPR now lists specific purposes for which organisations may rely on legitimate interests without conducting the usual balancing test under Article 6 para. 1 lit. f. These purposes are:

  • national or public security,
  • crime prevention or detection,
  • emergency response, and
  • safeguarding vulnerable individuals.

For RLIs, controllers only need to assess whether the processing is necessary for the stated purpose, with no requirement to carry out the balancing test against data subject rights. They must still demonstrate necessity, document the purpose, and maintain accountability under Article 5 para. 2.

The DUAA also clarifies the standard legitimate interest basis by giving explicit examples likely to meet the necessity requirement, including direct marketing, intra‑group administrative transfers, and network security operations, reducing uncertainty for routine business activities.

Automated Decision-Making: Codifying Safeguards and Clarifying Scope

Under the previous regime, significant decisions based solely on automated processing were generally limited to cases of contractual necessity, consent, or statutory authorisation. The DUAA replaces this framework, allowing such decisions under any lawful basis (except RLIs) provided statutory safeguards are applied. These safeguards, set out in Article 22C, require controllers to inform individuals about the decision, allow representations, offer human intervention, and enable individuals to contest the outcome.

Additional protections apply when processing special category data.

This reform broadens the legal scope for deploying solely automated processing (e.g. AI‑driven and other algorithmic decision‑making) while ensuring human oversight remains integral.

DSARs and the Reasonable Search Standard

Section 78 of the DUAA introduces Article 15 para. 1A into the UK GDPR, confirming that controllers must perform only reasonable and proportionate searches when responding to a data subject access request (DSAR), in line with long‑standing ICO guidance and UK case law. This change reduces the burden on organisations, particularly those managing large volumes of unstructured or legacy data such as email archives or messaging platforms.

The one-month response period now starts from the latest of:

  • receiving the request,
  • obtaining additional information reasonably needed to identify the data, or
  • receiving a fee for manifestly unfounded or excessive requests.

Extensions of up to two months remain possible for complex or multiple requests, but must be justified and communicated within the initial timeframe.

Other Notable Changes

The DUAA also introduces several secondary but relevant reforms. A new annex on purpose limitation lists scenarios where reuse of personal data may be presumed compatible with the original purpose. Certain analytics and functional cookies may now be used without consent, reducing friction in website operations. The adequacy standard for international transfers shifts from “essential equivalence” to “not materially lower” protection, widening the conditions under which transfers may be justified.

In addition, the ICO gains expanded powers and new statutory duties, including developing codes of practice in areas such as AI and EdTech, and providing the public with direct online complaints mechanisms.

What Should Organisations Do Now?

While many of the DUAA’s provisions have yet to take effect, their direction is clear. The Act does not require change in every case, but it gives organisations the opportunity to adapt their compliance strategies and data governance practices to a more practical and flexible framework.

Now is the time to review whether your operations include activities that could be affected by these reforms, such as reliance on recognised legitimate interests, changes to DSAR handling, the use of solely automated decision‑making, adjustments to purpose limitation practices, or modifications to cookie compliance and international data transfers.

Misinterpretation of the new requirements or incorrect compliance steps can expose your organisation to legal, regulatory, and reputational risks. Engaging your DPO or privacy counsel early will help determine whether, and how, your processing activities should adapt to the new provisions and ensure that any changes are lawfully implemented and well‑documented.