
Tech & Sourcing @ Morgan Lewis


The Data (Use and Access) Act 2025: A Strategic Update to UK Data Privacy Regulations

On 19 June 2025, the UK Parliament enacted the Data (Use and Access) Act 2025 (DUAA), marking the most significant UK data protection reform since the UK General Data Protection Regulation (UK GDPR). Rather than overhauling the current regime, the DUAA introduces targeted amendments to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), aiming to support responsible data use while preserving core privacy protections.

Key Legal and Operational Changes

For legal and compliance functions, the DUAA presents both operational opportunities and legal considerations requiring timely attention.

  • New Lawful Basis – “Recognised Legitimate Interests”: DUAA establishes a new lawful basis for processing data without requiring a balancing test in specific contexts, including crime prevention, safeguarding, and emergency response. While this reduces administrative burden, clear documentation and internal governance remain essential for continued compliance with UK data privacy requirements.
  • Expanded Definition of Scientific Research: The definition of scientific research now expressly includes commercial and non-commercial research. Broader consent and governance options are also permitted, supporting research-driven innovation under appropriate safeguards.
  • Amended Cookie Rules: DUAA relaxes the consent requirement for certain nonintrusive cookies, such as those used for basic analytics or service improvement, provided there is transparency and a clear opt-out mechanism. This may reduce compliance complexity for organisations using low-risk tracking technologies.
  • DSAR Handling Reforms: Organisations are now only required to undertake “reasonable and proportionate” efforts when responding to Data Subject Access Requests (DSARs) rather than having to respond “without undue delay.” Additionally, they may pause the one-month response timeframe in limited circumstances, e.g., verifying identity or clarifying scope, aligning regulatory expectations with operational realities.
  • International Transfers – New Data Protection Test: DUAA replaces the “essentially equivalent” test with a new data protection test requiring that third-country protections are “not materially lower” than UK GDPR standards. This test applies when (1) the UK government determines a third country’s adequacy or (2) businesses assess transfer risks using appropriate safeguards.

The revised threshold introduces more flexibility, encouraging a contextual and holistic view of third-country regimes. The Secretary of State must consider cultural and legal differences, which may lead to faster adequacy decisions and simpler risk assessments.

Existing transfer mechanisms remain valid if entered into before the new regime takes effect and otherwise comply with current UK GDPR rules. However, new arrangements post-DUAA must apply the updated test.

  • ICO Reform and Enhanced Powers: The Information Commissioner’s Office (ICO) has been restructured into the Information Commission, a statutory corporate body with broader governance and enforcement tools. These include binding assessment notices, interview notices, and strengthened investigatory powers under PECR and the UK GDPR.
  • Mandatory Complaint Procedures: Organisations must now implement a formal internal complaint-handling mechanism for individuals exercising their data rights. Acknowledgement must be issued within 30 days, with a clear path to resolution or escalation. This codifies expectations around procedural fairness and accountability.

Practical Steps for Legal and Compliance Teams

Legal and compliance teams should act now to:

  • Review and update lawful basis policies to ensure internal records, policies, and privacy notices reflect the new “recognised legitimate interests” basis, particularly in relation to crime prevention or safeguarding functions.
  • Reassess all tracking technologies in use, distinguish between those that may qualify for DUAA exemptions and those still requiring consent, and prepare to update cookie notices and user interfaces following ICO guidance.
  • Modify internal DSAR handling procedures to incorporate the new proportionality standard and clarify when pausing the one-month response clock is permissible.
  • Review international data transfers, assess whether any new transfer tools will need to meet the revised data protection test, monitor adequacy decisions, and ensure readiness to pivot where necessary.
  • Design or revise data subject complaint-handling mechanisms to comply with the DUAA’s new requirement for a timely and structured response.

Conclusion

The DUAA reflects the UK government’s effort to modernise data regulation while remaining aligned with global data protection principles. It offers organisations greater flexibility in certain areas but introduces new nuances that demand close legal scrutiny.

In-house counsel should view this as an opportunity to reassess data governance frameworks, proactively engage with regulatory consultations, and prepare for the next wave of ICO guidance and enforcement.