
The Data Use and Access Act 2025 (DUAA): Essentials for businesses
The recent passing of the DUAA will result in further amendments to the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) over the coming months. Together, that legislation governs how organisations may process personal data and, particularly, the sending of direct marketing and electronic communications.
Fundamentals
This article is not a comprehensive summary of the DUAA but key takeaways include:
- Relaxation of some of the rules surrounding automated decision making, allowing such decisions to be made in a wider range of situations (provided that certain safeguards are implemented by the organisation).
- Clarification that an organisation’s response to subject access requests (SARs) need only be “reasonable and proportionate” and a new right for the organisation to pause the response clock where it requires additional information from the requester.
- A requirement that organisations make it easy for individuals to make complaints, including the provision of an electronic complaint form.
- Additional considerations for organisations whose online services may be of interest to children, in order to best protect those children.
- A new “recognised legitimate interests” limb of the “legitimate interests” lawful basis (whereby no balancing test is required) relating to specific scenarios such as emergencies and the safeguarding of vulnerable individuals.
- Tweaks to the rules around (i) inter-group company transfers and (ii) international transfers of personal data, although in both cases these changes may not be particularly impactful.
- Amendments to bring more of PECR in line with the GDPR, including the raising of the maximum financial penalty (currently £500,000) to the higher of £17.5 million or 4% of the organisation’s annual global turnover.
- Extension of the purposes for which cookies may be used without opt-in consent of the individual.
- Extension of the “soft opt-in” exception under PECR to allow charities to rely upon this, subject to certain conditions.
Big picture
Whilst the DUAA demonstrates that the UK’s stance on data protection does not need to exactly mirror that of the European Union, in truth the forthcoming changes are far from seismic. Indeed, the EU is currently evaluating its own data protection legislation with a view to simplifying this in the context of ensuring small businesses remain competitive.
The UK is also unlikely to stray too far from the EU’s data protection line as it is keen to protect its status as an “adequate” country (post-Brexit) for the purpose of the free flow of personal data from other EU members to the UK. The European Commission recently extended its adequacy decision in respect of the UK to 27 December 2025, which is another positive step for UK businesses.
Ultimately, businesses need to keep a careful eye on the evolution of data protection law, including how the DUAA is applied. This is best achieved by reviewing guidance released by the Information Commissioner’s Office (reformed and renamed as the Information Commission) from time to time and, most importantly, by way of specific guidance from legal advisors.
If you have any questions or would like to discuss the points raised in this article further, please contact us here to speak to a member of our Corporate & Commercial team.
Disclaimer: General Information Provided Only
Please note that the contents of this article are intended solely for general information purposes and should not be considered as legal advice. We cannot be held responsible for any loss resulting from actions or inactions taken based on this article.