{"id":356226,"date":"2025-08-19T08:23:10","date_gmt":"2025-08-19T08:23:10","guid":{"rendered":"https:\/\/www.europesays.com\/de\/356226\/"},"modified":"2025-08-19T08:23:10","modified_gmt":"2025-08-19T08:23:10","slug":"uk-data-use-and-access-act-2025-the-key-changes","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/de\/356226\/","title":{"rendered":"UK Data (Use and Access) Act 2025: The Key Changes"},"content":{"rendered":"<p>On 19 June 2025, the <a href=\"https:\/\/www.legislation.gov.uk\/ukpga\/2025\/18\/enacted\" target=\"_blank\" rel=\"noopener nofollow\">Data (Use and Access) Act 2025 (DUAA)<\/a> received <a href=\"https:\/\/bills.parliament.uk\/bills\/3825\/stages\" target=\"_blank\" rel=\"noopener nofollow\">Royal Assent<\/a>, becoming law in the UK and marking a significant development in the country\u2019s data protection framework. The first provisions will take effect on 20 August 2025 under the Commencement No.\u202f1 Regulations, with others phased in through mid\u20112026; some changes (most notably those affecting subject access requests) are already in force.<\/p>\n<p>The DUAA amends, but does not replace, the UK GDPR, the Data Protection Act 2018 (DPA 18), and the Privacy and Electronic Communications Regulations (PECR). It is designed to make the regime more practical by addressing compliance challenges and operational inefficiencies identified in recent years, and by updating obligations to reflect the current technological and business state of the art. 
The aim, as also <a href=\"https:\/\/ico.org.uk\/about-the-ico\/what-we-do\/legislation-we-cover\/data-use-and-access-act-2025\/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations\/\" target=\"_blank\" rel=\"noopener nofollow\">stated by the Information Commissioner\u2019s Office (ICO)<\/a>, is to \u201cpromote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights\u201d.<\/p>\n<p>For UK\u2011facing organisations, the <a href=\"https:\/\/ico.org.uk\/about-the-ico\/what-we-do\/legislation-we-cover\/data-use-and-access-act-2025\/the-data-use-and-access-act-2025-duaa-summary-of-the-changes\/\" target=\"_blank\" rel=\"noopener nofollow\">DUAA affects several key areas<\/a>, including the lawful basis framework, rules for secondary processing, rights\u2011related obligations, the structure of automated decision\u2011making (ADM), and requirements for cookies and international data transfers. While some reforms simplify or streamline compliance, others introduce new duties, particularly in areas such as complaint handling and children\u2019s online services. The changes are too extensive to address in full here, so we have selected three reforms that are especially relevant to the day\u2011to\u2011day privacy compliance activities of organisations.<\/p>\n<p>Recognised Legitimate Interests: Lawful Processing Without a Balancing Test<\/p>\n<p>One of the DUAA\u2019s most significant innovations is the introduction of <strong>Recognised Legitimate Interests<\/strong> (RLIs) via <strong>Section 70 and Schedule 4<\/strong> of the DUAA. <strong>Annex 1<\/strong> of the amended UK GDPR now lists specific purposes for which organisations may rely on legitimate interests without conducting the usual balancing test under Article 6 para. 1 lit. f. 
These purposes are:<\/p>\n<ul>\n<li>national or public security,<\/li>\n<li>crime prevention or detection,<\/li>\n<li>emergency response, and<\/li>\n<li>safeguarding vulnerable individuals.<\/li>\n<\/ul>\n<p>For RLIs, controllers only need to assess whether the processing is necessary for the stated purpose, with no requirement to carry out the balancing test against data subject rights. They must still demonstrate necessity, document the purpose, and maintain accountability under Article\u202f5 para. 2.<\/p>\n<p>The DUAA also clarifies the standard legitimate interest basis by giving explicit examples likely to meet the necessity requirement, including direct marketing, intra\u2011group administrative transfers, and network security operations, reducing uncertainty for routine business activities.<\/p>\n<p>Automated Decision-Making: Codifying Safeguards and Clarifying Scope<\/p>\n<p>Under the previous regime, significant decisions based solely on automated processing were generally limited to cases of contractual necessity, consent, or statutory authorisation. The DUAA replaces this framework, allowing such decisions under any lawful basis (except RLIs) provided statutory safeguards are applied. These safeguards, set out in Article\u202f22C, require controllers to inform individuals about the decision, allow representations, offer human intervention, and enable individuals to contest the outcome.<\/p>\n<p>Additional protections apply when processing special category data.<\/p>\n<p>This reform broadens the legal scope for deploying solely automated processing (e.g. 
AI\u2011driven and other algorithmic decision\u2011making) while ensuring human oversight remains integral.<\/p>\n<p>DSARs and the Reasonable Search Standard<\/p>\n<p>Section\u202f78 of the DUAA introduces Article\u202f15 para. 1A into the UK GDPR, confirming that controllers must perform only reasonable and proportionate searches when responding to a data subject access request (DSAR) (in line with long\u2011standing ICO guidance and UK case law). This change reduces the burden on organisations, particularly those managing large volumes of unstructured or legacy data such as email archives or messaging platforms.<\/p>\n<p>The one-month response period now starts from the <strong>latest<\/strong> of:<\/p>\n<ul>\n<li>receiving the request,<\/li>\n<li>obtaining additional information reasonably needed to identify the data, or<\/li>\n<li>receiving a fee for manifestly unfounded or excessive requests.<\/li>\n<\/ul>\n<p>Extensions of up to two months remain possible for complex or multiple requests, but must be justified and communicated within the initial timeframe.<\/p>\n<p>Other Notable Changes<\/p>\n<p>The DUAA also introduces several secondary but relevant reforms. A new annex on purpose limitation lists scenarios where reuse of personal data may be presumed compatible with the original purpose. Certain analytics and functional cookies may now be used without consent, reducing friction in website operations. The adequacy standard for international transfers shifts from \u201cessential equivalence\u201d to \u201cnot materially lower\u201d protection, widening the conditions under which transfers may be justified.<\/p>\n<p>In addition, the ICO gains expanded powers and new statutory duties, including developing codes of practice in areas such as AI and EdTech, and providing the public with direct online complaints mechanisms.<\/p>\n<p>What Should Organisations Do Now?<\/p>\n<p>While many of the DUAA\u2019s provisions have yet to take effect, their direction is clear. 
The Act does not require change in every case, but it gives organisations the opportunity to adapt their compliance strategies and data governance practices to a more practical and flexible framework.<\/p>\n<p>Now is the time to <a href=\"https:\/\/ico.org.uk\/about-the-ico\/what-we-do\/legislation-we-cover\/data-use-and-access-act-2025\/the-data-use-and-access-act-2025-duaa-summary-of-the-changes\/\" target=\"_blank\" rel=\"noopener nofollow\">review<\/a> whether your operations include activities that could be affected by these reforms, such as reliance on recognised legitimate interests, changes to DSAR handling, the use of solely automated decision\u2011making, adjustments to purpose limitation practices, or modifications to cookie compliance and international data transfers.<\/p>\n<p>Misinterpretation of the new requirements or incorrect compliance steps can expose your organisation to legal, regulatory, and reputational risks. Engaging your DPO or privacy counsel early will help determine whether, and how, your processing activities should adapt to the new provisions and ensure that any changes are lawfully implemented and well\u2011documented.<\/p>\n","protected":false},"excerpt":{"rendered":"On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, becoming law 
in&hellip;\n","protected":false},"author":2,"featured_media":356227,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3976],"tags":[331,332,98414,98415,96735,13,96738,14,15,96739,12,3992,98416,98417,3993,3994,3995,3996,3997],"class_list":{"0":"post-356226","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-vereinigtes-koenigreich","8":"tag-aktuelle-nachrichten","9":"tag-aktuelle-news","10":"tag-data-protection","11":"tag-duaa","12":"tag-english-posts","13":"tag-headlines","14":"tag-mb-firstprivacyenglisch","15":"tag-nachrichten","16":"tag-news","17":"tag-pb-international","18":"tag-schlagzeilen","19":"tag-uk","20":"tag-uk-data-act","21":"tag-uk-data-use-and-access-act","22":"tag-united-kingdom","23":"tag-united-kingdom-of-great-britain-and-northern-ireland","24":"tag-vereinigtes-koenigreich","25":"tag-vereinigtes-koenigreich-grossbritannien-und-nordirland","26":"tag-vereinigtes-koenigreich-von-grossbritannien-und-nordirland"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@de\/115054471033464020","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/posts\/356226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/comments?post=356226"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/posts\/356226\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/media\/356227"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/media?parent=356226"}]
,"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/categories?post=356226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/de\/wp-json\/wp\/v2\/tags?post=356226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}