Enacted today, the Data (Use and Access) Bill – now the Data (Use and Access) Act 2025 or ‘DUAA’ – marks a significant moment in the evolution of UK data protection legislation.
The Act builds on previous legislative efforts – most notably 2022’s shelved DPDI (Data Protection and Digital Information) Bill – and brings together key reforms under one cohesive framework.
While its principal focus is to reform the UK GDPR (General Data Protection Regulation), the DPA (Data Protection Act) 2018 and the PECR (Privacy and Electronic Communications Regulations), the DUAA is far more than a privacy update.
It also supports broader data-related policy ambitions, such as facilitating the use of smart data, creating robust digital identity infrastructure and updating the legal treatment of data access, management and automation across the public and private sectors.
Structure and scope of the DUAA
The Act is split into seven substantive parts:
- Part 1 extends the concept of “smart data” beyond financial services, enabling customers and businesses to access and share their data across various sectors, thereby promoting innovation and consumer choice.
- Part 2 establishes a digital verification trust framework, along with a register of providers, a trust mark and data-sharing mechanisms to regulate digital ID systems.
- Part 3 gives legal footing to the National Underground Asset Register, ensuring safer and more coordinated management of subterranean infrastructure.
- Part 4 transitions birth and death registrations from paper to a secure, electronic registry managed by designated officials.
- Part 5 enacts pivotal reforms to the UK’s data protection regime, focusing on the UK GDPR and PECR.
- Part 6 transforms the ICO (Information Commissioner’s Office) into a newly empowered Information Commission with an expanded regulatory and enforcement remit.
- Part 7 brings in additional measures for data access and usage across critical areas such as health and social care, smart meters, online safety and public service delivery.
Below, we focus on Part 5, which sets out changes to the UK GDPR and PECR.
Key modifications to the UK GDPR, the Data Protection Act 2018 and PECR
The DUAA modifies several key provisions of the existing UK data protection framework, particularly in areas where businesses and public-sector organisations interact with data subjects. These are outlined below.
Recognised legitimate interests
The Act introduces a list of “recognised legitimate interests” under Article 6(1)(f) of the UK GDPR, including national security, public safety, emergency response, crime prevention and safeguarding vulnerable individuals.
Importantly, organisations relying on the recognised interests listed in Annex 1 will have lighter obligations with regard to conducting a balancing test against individual rights.
Secondary processing and research
The DUAA includes definitions and establishes that data processing for purposes other than the original intent – such as scientific, historical or statistical research – is presumed compatible with initial consent under certain conditions. This change allows further processing, and is particularly beneficial for the academic and health sectors.
DSARs (data subject access requests)
The DUAA formalises the practices and guidance already in use for DSARs. It does not include the ability for controllers to refuse to respond to DSARs because they are considered to be vexatious (a provision from the DPDI Bill), but does include certain provisions relating to applicable time periods and the scope of searches carried out in response to DSARs.
Controllers are given clearer authority to extend the time allocated to a DSAR while verifying the data subject’s identity or gathering additional context. The Act also clarifies that responses should be based on a reasonable and proportionate search, offering welcome relief to data controllers handling complex or voluminous requests.
Article 12 defines the “applicable time period” as one month from the “relevant time”, which is the latest of:
- The date the controller receives the request;
- The date further identification information is received; or
- The date a fee (if applicable) is paid.
Controllers may extend the response time by two further months for complex or multiple requests, provided they notify the data subject within the initial month and explain the reasons for the delay.
Legal professional privilege exemption
Additionally, the Act clarifies that controllers are not required to provide information in respect of which a claim to legal professional privilege (or, in Scotland, confidentiality of communications) could be maintained in legal proceedings, or information in respect of which a duty of confidentiality is owed by a professional legal adviser to their client.
This ensures that communications between legal advisers and their clients remain protected, in line with long-standing principles of confidentiality and privilege in legal practice.
Information to be provided to data subjects
Under Article 13, paragraph 4 is amended and a new paragraph 5 is added. Paragraph 5 states that the obligation to inform does not apply if the data will be processed for scientific or historical research, archiving in the public interest, or statistical purposes – provided it is in accordance with Article 84B – and if providing the information is impossible or would involve disproportionate effort.
ADM (automated decision-making)
The DUAA replaces Article 22 of the UK GDPR with Articles 22A–22D, which allow more flexibility for automated processing, particularly where special category data is not involved. The Act requires transparency and safeguards for significant decisions made solely by algorithms, including human intervention, the right to contest outcomes, and meaningful explanation to data subjects.
Cookies and ePrivacy
Reforms to the PECR include exemptions for certain low-risk cookies, such as those used for site performance or analytics, thereby reducing the compliance burden on website operators. However, user transparency and opt-out options remain mandatory.
The DUAA also increases PECR fines, bringing its monetary penalties into line with the UK GDPR: fines of up to 4% of global annual turnover or £17.5 million, whichever is greater.
Reform of the Information Commissioner’s Office and the right to complain
One of the more institutional changes brought by the DUAA is the replacement of the ICO (Information Commissioner’s Office) with a new regulatory authority known as the Information Commission.
Reforming the ICO aims to modernise the governance structure of the UK’s data protection regulator by establishing a more formal board-led model – similar to the approach taken by regulators such as the FCA (Financial Conduct Authority) or the CMA (Competition and Markets Authority).
The new Commission will retain the core investigatory and enforcement powers of the ICO, but with a strengthened remit in areas like ePrivacy enforcement, age-appropriate design and prompt data breach response.
Additionally, the DUAA introduces a clearer right for data subjects to complain directly to data controllers. While data subjects have always had a general right to raise concerns with organisations, the DUAA formalises this process and places new obligations on controllers to respond promptly and transparently.
Controllers must now acknowledge receipt of a complaint within 30 days, and they are required to respond without undue delay, informing the complainant of the outcome and any action taken. In complex cases, controllers must also keep the complainant informed of progress. Moreover, the Secretary of State is empowered to require controllers to report complaint volumes to the Information Commission, ensuring transparency and regulatory oversight.
International data transfers
A new data protection test replaces the former EU-style adequacy framework. Under the DUAA, transfers are allowed if the receiving country or organisation provides protection not materially lower than UK standards. This potentially diverges from the EU’s stricter standards, although care has been taken to minimise conflict with the EU-UK adequacy decision.
Our assessment of the changes
From a compliance and strategic perspective, the DUAA’s amendments represent a relatively pragmatic evolution of UK data law. Many of the more radical or controversial proposals from the previous government’s DPDI Bills have been dropped, including provisions that could have undermined core GDPR principles.
As a result, the Act is not expected to jeopardise the EU’s adequacy decision regarding the UK – a crucial factor for any organisation transferring personal data between the EU and the UK.
We also consider the impact on the current practices of organisations to be relatively minimal. Organisations that already have a good level of compliance will need to review their documentation and practices to ensure they align with the amendments introduced by the DUAA.
What should businesses know?
For most organisations, especially those operating across the UK and EU, the message is one of continuity with caution. The core principles of the UK GDPR remain intact, including the need to appoint DPOs, maintain ROPAs (records of processing activities) and uphold individual rights.
However, data controllers and processors should review their DSAR procedures, ADM policies, cookie compliance frameworks and international data transfer mechanisms in light of these reforms. Specific attention should be paid to:
- How DSAR responses are managed and documented;
- The use of ADM in internal decision-making (especially HR or finance);
- Whether cookie banners and consents align with the new exemptions;
- The basis for overseas transfers, particularly to non-EEA countries.
Conclusion
The DUAA is a measured update to the UK’s data protection framework. It trims bureaucracy in some areas, grants helpful clarifications in others and introduces modest modernisation – particularly around automation, smart data and digital identity.
Organisations should be ready to update their documentation as many changes in Part 5 are expected to come into force immediately following Royal Assent. Some parts of the Act will require secondary legislation for full implementation.
Early compliance assessments and policy adjustments will, in any case, help ensure a smooth transition.
The post The Data (Use and Access) Act and How it Affects the UK GDPR and DPA 2018, and PECR appeared first on IT Governance Blog.