Unlocking personal data: What the UK’s new data access act means for businesses

In a digital economy increasingly driven by data, access to information can be the fuel for innovation, improved services and smarter decision-making. Recognising this, the UK’s Data (Use and Access) Act 2025 (‘DUA Act’) was passed and received Royal Assent on 19th June 2025. We highlight below what the DUA Act means for data protection compliance.
The DUA Act marks a refinement of the UK’s data protection landscape rather than an overhaul. For most businesses, day-to-day compliance will remain largely the same, with only some minor changes.
However, if you are involved in research, public services, technology or digital platforms, you may now find it easier to make use of personal data - particularly where automation, international transfers or data sharing with public bodies is involved. At the same time, new responsibilities around transparency, complaint handling and children’s data signal a continued focus on protecting individual rights.
Key reforms and features of the DUA Act
Lawfulness of processing
The DUA Act introduces a new lawful basis of personal data processing under the UK GDPR called ‘recognised legitimate interests.’ This applies to certain specific activities, such as protecting public security and safeguarding vulnerable individuals.
In these cases, the processing will be automatically considered lawful - organisations won’t need to carry out the usual balancing test of weighing their interests against individuals’ rights, which is normally required when relying on ‘legitimate interests.’
In addition, the DUA Act makes an important clarification to the existing ‘legitimate interests’ lawful basis. It confirms that personal data can be processed for direct marketing purposes on this lawful basis, as long as it is carried out lawfully and with appropriate safeguards.
While this reference to direct marketing was always in the non-binding ‘recitals’ to the UK GDPR, it is now in the main body of this new legislation. This change should give businesses greater confidence in using legitimate interests for marketing, as it has always offered more flexibility than relying on consent.
The DUA Act also makes it easier to share personal data with public authorities like the police. This is because under the new rules, it is the public authority requesting the data, not the organisation providing it, that is responsible for justifying why the information is needed.
Automated decision-making
Organisations no longer need special legal permission to use personal data in automated systems that make significant decisions about people (like approving loans or screening job applications) unless the automated systems handle ‘special category’ data.
Special category data includes sensitive information on someone’s health, ethnicity, religion, politics, sexual orientation, genetics or biometrics. This relaxation should accelerate responsible use of automation, provided robust safeguards remain in place.
Scientific research
The DUA Act helps clarify how personal data can be used for scientific research. It introduces a clear legal definition of what counts as ‘scientific research’ and makes it easier for organisations to understand the rules. For example:
- People can give one-time permission for their data to be used in future studies within a general field, instead of having to sign off on every individual project.
- If it would be too difficult to contact everyone whose personal data is involved in a scientific study directly, organisations can explain how they’re using personal data by publishing a notice online, as long as they protect people’s rights in other ways.
- It has now been made explicit that businesses (not just universities or public bodies) can also reuse personal data for scientific research purposes.
Cookies
Cookies that are used purely for statistics or to improve site functionality can now be set without asking for consent each time.
International data transfers
The DUA Act tidies up certain rules on sending personal data outside the UK:
- It clarifies how the UK Government makes ‘adequacy decisions’; that is, the formal rulings that a particular country, territory or international organisation provides an acceptable level of data protection such that personal data can be transferred there on a relatively frictionless basis.
- It simplifies the use of alternative transfer mechanisms, such as international data transfer agreements (IDTAs) or binding corporate rules (BCRs), which organisations must rely on when transferring data to countries without an adequacy decision. The new wording aims to clarify what steps organisations must take and what legal tests they need to apply to ensure that exported personal data remains protected.
Subject access requests (‘SARs’)
When responding to an SAR, organisations are only required to carry out reasonable and proportionate searches for the requested personal data, rather than exhaustive or overly burdensome investigations. This was previously in the guidance issued by the Information Commissioner’s Office (ICO), but now has a formal, statutory footing.
Assumptions of compatibility
Some secondary uses of personal data, such as archiving in the public interest or conducting further research, are now automatically considered compatible with the original reason the data was collected. This means organisations no longer need to carry out a separate compatibility assessment in these cases.
‘Soft opt in’ for charities
The ‘soft opt in’ is an important way for businesses to send marketing emails to individuals who have previously purchased products from them, without having to obtain prior consent (which would otherwise be the case in respect of email marketing to consumers).
Charities are now allowed to send marketing emails to individuals who have previously supported or expressed interest in their work without needing explicit consent, provided those individuals are given a clear opportunity to opt out.
ICO reforms
The ICO will be replaced with a restructured Information Commission, governed by a board and CEO, reflecting a more corporate governance model.
The DUA Act also strengthens the ICO’s enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR), bringing them into line with its existing powers under the UK GDPR and the Data Protection Act 2018. Most notably:
- The ICO no longer needs to prove that a breach caused substantial damage or distress before taking action.
- It can now issue fines of up to £17.5 million for serious failures to comply with PECR.
- It has been given enhanced tools, such as the ability to issue assessment notices instead of conducting security audits, compel witnesses and commission technical reports during investigations.
These changes are intended to make enforcement under PECR more effective and consistent with the wider data protection framework.
New requirements for organisations
While the DUA Act reduces some obligations, it also introduces new requirements:
- Children and online services: If you provide an online service that is likely to be accessed by children, you must take their needs into account when you decide how you process their data. This codifies existing expectations under the ICO’s Age Appropriate Design Code.
- Data protection complaints: Organisations must now:
  - Provide accessible complaints mechanisms, such as electronic forms;
  - Acknowledge complaints within 30 days; and
  - Respond without undue delay.
ICO guidance for organisations on these new requirements has not yet been published, so in the interim, organisations should take a pragmatic approach based on the DUA Act and existing best practices. This may include reviewing current complaints procedures and ensuring staff are trained to handle complaints in line with new statutory duties.
What can we do to help?
Organisations would be well advised to review how these changes interact with their existing data practices - not just to ensure compliance, but to take advantage of the greater flexibility and clarity the DUA Act is intended to provide.
For further advice on how your business can ensure compliance with the DUA Act, please contact either James Sarjantson on 0113 201 0401 – jsarjantson@lcf.co.uk or Thomas Taylor on 0113 204 0407 – ttaylor@lcf.co.uk.