In this issue of In Perspective, Andrew McClelland, Data Protection Senior Consultant at Xcina Consulting, discusses the Data Use and Access Act 2025 which received Royal Assent in June 2025.
The UK Government finally agreed on an update to the UK version of GDPR and the Data Protection Act 2018. The goal has been to minimise disruption to the upcoming review by the EU of its equivalence rating of the UK data protection framework, allowing the continued free flow of personal data across national borders between the EU and UK. Against this background, much of the change has been around providing clarity to certain positions, restructuring the ICO, and increasing certainty in law enforcement environments. In most cases, the result has been subtle refinement rather than revolutionary change. What are the implications for UK businesses and individuals? Find out more below.
Data Use & Access Act 2025
What happened
- Data Protection complaints. Data controllers and processors are now required to provide a mechanism for data subjects to raise a complaint about how their personal data is being processed. The ICO suggests that a standard electronic form is provided, and individuals are signposted to this resource, with a response expected within 30 days.
- Reportable data breaches falling under the remit of PeCR now need to be reported within 72 hours of the entity being aware of the breach. Previously, this was 24 hours.
- Cookie usage – cookies used for statistical purposes about how online services are being used, aiming to improve those services, can be categorised as ‘essential’ and loaded onto an individual’s device as long as:
  - Users are provided with clear and comprehensive information about usage and storage, and
  - They enhance the functionality of the online service or,
  - They enable the way the website appears, functions or adapts to the user preferences.
- Statistical purposes – clearer definitions around personal data being used for statistical purposes, which results in aggregated data from which no personal data can be determined.
- Recognised Legitimate Interests – DUAA includes a new lawful basis of processing focused on safeguarding vulnerable individuals, responding to emergencies, national security and assisting other bodies delivering public interest tests sanctioned by law.
- Data Subject Rights
  - Where additional verification is required around a data subject’s identity, scope of response or additional information, the response period of one calendar month can be paused.
  - Searches need to be “reasonable and appropriate”.
  - Introduces “legal professional privilege” under the law enforcement regime.
- Automated Decision Making – Where tools are used that have legal effect:
  - Provide information to data subjects about the processing.
  - Data subjects can approach organisations about the processing and query outcomes.
  - Include human interventions in making decisions.
- International Data Transfers
  - Assess that the data protection standards of the destination territory aren’t “materially lower” than those of the UK.
  - DUAA removes the 4-year review period but requires “ongoing” monitoring.
  - Apply the data protection test if alternative transfer mechanisms, such as SCCs, are used.
  - Previously, safeguards were detailed in different texts, such as UK GDPR, recitals in EU GDPR and DPA 2018. These have now been consolidated into DUAA.
- The Information Commissioner’s Office (ICO) becomes the Information Commission (IC) under a new corporate structure to increase transparency. The current Information Commissioner becomes the Chairperson, and a new CEO/board are being recruited. The IC will also possess mandatory powers to issue investigation interviews and technical reports at the cost of the investigated party.
Why it matters
- This is in addition to the fundamental rights afforded to data subjects under UK GDPR. For example, the rights of erasure, access, and rectification remain unchanged, and we cannot oblige data subjects to complete forms to exercise these rights.
- The Act will bring some welcome alignment between two key pieces of privacy regulation. Controllers and processors should still be aware of the potential harm to individuals arising from breaches that fall under the PeCR, and act promptly to assess potential harm and determine appropriate responses.
- This isn’t ‘carte blanche’ for all analytics cookies, as the focus is around scientific and public service provision. Think carefully about how cookies are designated in your Cookie Management Platform (CMP), especially as the ICO are currently assessing website compliance with PeCR.
- A key element here is ‘aggregated’ data. Care should be taken that where this aggregated data is stored, it cannot be ‘unpicked’ to reveal the original identities of the data subjects.
- Not the sweeping change that many were hoping for, but there are key categories where carrying out a Legitimate Interest Assessment (LIA) is no longer necessary. Broadly speaking, commercial interests aren’t covered and may still require an LIA.
- Pausing the clock on data subject requests is welcome, particularly for complex SAR responses, whilst wording intended to provide clarity may leave assumptions open to scrutiny. Potentially a double-edged sword. Ensure that you have developed and documented a defensible position regarding these assumptions.
- With automated decision making, legal effect is the focus here. With the advancement of AI tools and machine learning, automated decision outcomes can be challenged by individuals and reviewed by a human.
- Some streamlining of the decision-making process for where and when personal data can travel across borders, assessment of destination legal frameworks and the ability of data protection authorities to take action. Transfer Risk Assessments remain an important tool in planning international data transfers.
- By bringing together key elements of the data protection framework, the DUAA makes it easier to ensure a consistent approach to regulatory compliance across complex organisations.
- Changes to the ICO will be a watching brief at this stage. The IC is being formed to ensure data is a central component of economic development in the UK, but will this change the pragmatic approach under the current stewardship?
Next steps
Following the publication of the final act, exact dates for introduction are still awaiting secondary legislation. However, there are a few areas that can be actioned now:
- Introduce a complaints handling process and policy.
- Update SAR process documentation.
- Review the recruitment process by HR partners to ensure activities take into account new automated decision-making requirements.
- Audit current international data transfer mechanisms and apply the new framework.
In conclusion, while the DUAA has brought in some interesting and detailed changes, the broad scope of data protection hasn’t seen a seismic shift. However, it will be interesting to see the EU’s commentary on the Equivalency Agreement, which is expected to be announced in December 2025. Presumably, the delayed publication of the DUAA was due in part to discussions with EU partners, rather than solely because of the AI components.