The UK Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025, bringing in reforms that change how personal data is processed, accessed and governed in the UK. In this article, we explain how the new rules will shape ongoing compliance and the key implications for businesses.

The DUAA builds on existing frameworks like the UK GDPR and PECR, with a focus on reducing compliance burdens while retaining high standards of privacy and accountability. For organisations, it marks a notable shift in data protection legislation and demands close attention.

What the Act Changes

The Act aims to modernise the UK’s data protection landscape by:

  • Introducing new lawful grounds for processing, including a list of "recognised legitimate interests"
  • Relaxing the restrictions on solely automated decision-making, subject to safeguards
  • Adjusting the rules for international data transfers, with a new "data protection test" based on whether protection in the destination country is not materially lower than in the UK
  • Restructuring the Information Commissioner's Office (ICO) as the Information Commission and strengthening its enforcement powers, including raising the maximum fines under PECR to UK GDPR levels
  • Supporting responsible innovation and data sharing, particularly in the public sector

These changes are intended to streamline compliance for businesses and public bodies while preserving public trust in data usage.

The Act's provisions are not switched on in a single step: they are brought into force in phases by commencement regulations, with the government and the ICO indicating that most will be in effect within roughly twelve months of Royal Assent. This gives organisations time to review and update their data governance policies, compliance documentation and risk management strategies, but the review should start now rather than waiting for the final commencement date.

Key Areas of Impact of DUAA

1. Data Processing Justifications
The Act introduces a list of "recognised legitimate interests" (such as national security, responding to emergencies, preventing crime and safeguarding) for which processing is lawful without the usual balancing test. It also gives illustrative examples of ordinary legitimate interests, including direct marketing, intra-group transfers for internal administration and ensuring network and information security; for these, organisations must still weigh their interest against the rights and freedoms of the individuals concerned and document that assessment.

2. Risk Assessments and Record Keeping
The Act leaves the UK GDPR requirements for Data Protection Impact Assessments (DPIAs) and records of processing in place; the earlier Data Protection and Digital Information Bill's proposal to replace them with lighter-touch "assessments of high-risk processing" was not carried forward into the DUAA. Organisations must therefore still identify processing that is likely to result in high risk to individuals and complete a DPIA before that processing begins.

3. Cookies and Direct Marketing
The Act amends PECR so that cookies and similar technologies used for certain low-risk purposes, such as collecting statistics to improve a service, remembering user preferences or maintaining security, no longer require consent, provided users are given clear information and a straightforward way to object. Direct marketing must still meet the existing PECR rules and the fairness and transparency standards of UK GDPR, and breaches of PECR can now attract the same maximum fines as breaches of UK GDPR.

4. Data Subject Rights and Transparency
The Act clarifies how organisations respond to data subject requests: searches in response to subject access requests need only be reasonable and proportionate, and the response deadline can be paused while the controller seeks clarification of the request. It also requires controllers to have an accessible complaints procedure for data subjects. While organisations gain some flexibility, they are expected to be clearer and more accessible in how they communicate with individuals about their rights.

5. Public Sector Data Sharing
One of the Act’s core aims is to unlock greater value from data held by public bodies. It enables more coordinated data sharing within government, especially for service improvement and research, under clearly defined safeguards.

Impact on UK GDPR

The DUAA does not replace UK GDPR, but it does amend and build upon it. Businesses still need to meet GDPR’s core requirements around lawful processing, individual rights, and accountability. However, the new Act introduces additional duties that refine how compliance must be demonstrated.

This includes the recognised legitimate interests for public-interest purposes, a revised regime for solely automated decision-making that permits it more widely subject to safeguards such as the right to human intervention (the stricter restriction is retained where special category data is used), and an emphasis on active risk management. Businesses that previously considered themselves compliant with UK GDPR should revisit their frameworks in light of the new Act.

What This Means for Your Organisation

While the legislation is framed as business-friendly, it does not eliminate the need for robust data governance. Organisations should take the opportunity to:

  • Reassess their lawful bases for processing personal data
  • Review cookie policies in light of the revised PECR provisions
  • Update privacy notices and consent mechanisms to align with new transparency standards
  • Ensure third-party contracts and international transfer mechanisms meet revised criteria

How AJC Can Help

At AJC, we help organisations make sense of regulatory change and embed compliance into everyday operations. Our team provides:

  • Tailored audits of your current data governance practices
  • Practical guidance on updating policies, notices, and records
  • Support with international data transfer assessments
  • Staff training on the latest requirements under the DUAA

As the UK’s data protection framework evolves, we’re here to help you stay compliant, confident, and in control.

If you require advice or support on data protection and information governance, please get in touch. Our team is here to help you navigate these regulations and maintain your compliance.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

References

https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/

https://www.legislation.gov.uk/ukpga/2025/18/enacted

https://bills.parliament.uk/bills/3825

Image credit: Mark Stuckey (2022) on Unsplash.com, last accessed 25 June 2025.
