The Data Use and Access Act 2025: A Practical Guide for UK Companies

The Data Use and Access Act 2025 introduces new rules for how businesses handle, share, and protect data. It’s essential reading for UK companies, legal teams, and anyone responsible for compliance or data management.

What is the Data Use and Access Act 2025?

The Data Use and Access Act 2025 (commonly known as the DUAA) is a landmark piece of legislation that received Royal Assent in the UK on 19th June 2025. This Act introduces a broad range of changes affecting data protection, privacy, and digital innovation. 

While it does not replace the existing UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018, it updates and simplifies certain rules, encourages responsible data sharing, supports innovation, and enhances law enforcement’s ability to tackle crime.

For UK companies, understanding the key changes introduced by the DUAA is essential to staying compliant and leveraging new opportunities responsibly.

Key Provisions of the Data Use and Access Act 2025

The Act covers several important areas that affect how companies collect, use, and share data. Understanding these key provisions is crucial for staying compliant and making informed decisions. Here they are in more detail:

  1. Automated Decision-Making (ADM)
    The Act broadens the circumstances in which organisations may make decisions about individuals based solely on automated processing, where those decisions have legal or similarly significant effects. However, safeguards remain vital. Companies must tell individuals that such a decision has been made, let them make representations and contest it, and provide access to human intervention. Tighter restrictions continue to apply where the decision relies on special category data.

  2. Subject Access Requests (SARs)
    The DUAA clarifies how organisations should respond to individuals requesting access to their personal data. It introduces a “stop the clock” rule, allowing companies to pause the response timeframe while they wait for the requester to confirm their identity or clarify what they are asking for. Importantly, searches only need to be reasonable and proportionate, helping companies manage SARs more efficiently.

  3. Children’s Data Protection
    New requirements oblige certain online services, particularly those likely to be accessed by children, to embed protective measures in their design. This promotes safer online experiences for minors, which companies offering digital services must now carefully consider.

  4. Scientific and Commercial Research
    The Act explicitly recognises commercial research within the scope of scientific research, allowing broader consent frameworks while emphasising clear safeguards to protect personal data used in research activities.

  5. Recognised Legitimate Interests
    The DUAA introduces an additional lawful basis for processing personal data related to crime prevention, safeguarding, emergency responses, and other specified legitimate interests. This gives businesses a clearer legal footing to use data responsibly in these critical areas.

  6. International Data Transfers
    The Act simplifies and clarifies the rules for transferring personal data abroad, a significant update that aims to reduce complexity while ensuring data protection standards are upheld.

  7. Handling Complaints
    Organisations must now provide accessible complaint mechanisms, such as online forms, and inform individuals about the outcomes of their complaints concerning data use. This increases transparency and accountability.

  8. Storage and Access Technologies
    Under certain low-risk conditions, the Act allows companies to use cookies and similar technologies without needing explicit consent, easing compliance burdens for some routine operations.

  9. Changes Affecting Law Enforcement and Intelligence Processing
    The DUAA amends parts of the Data Protection Act 2018 regulating data use by law enforcement and intelligence services, ensuring consistency with changes in the UK GDPR and streamlining processes to support national security efforts.

What the Data Use and Access Act 2025 Means for Your Business: Practical Insights

The Act brings practical changes that can affect daily operations, decision-making, and data management. Knowing what it means for your business helps you stay compliant and use data more effectively.

Encouraging Innovation and Growth

One of the Act’s core aims is to support innovation without compromising data protection. For example, the Act clarifies when and how personal data can be used for scientific research, including commercial projects. It also introduces the possibility of obtaining broad consent for related research activities, making it easier to carry out valuable studies that benefit businesses.

Moreover, businesses can now reuse personal data for research purposes without always having to send individual privacy notices, provided that individuals’ rights are safeguarded through alternative transparency measures, such as clear information published on your website.

Automated decision-making is another area where the DUAA expands possibilities, allowing more lawful bases (including legitimate interests) for decisions made by algorithms, while ensuring people have rights to challenge and seek human review when necessary.

Finally, the Act eases the use of cookies by allowing certain low-risk cookies (for example, those used for statistical analytics or to remember user preferences) to be set without consent, simplifying compliance for website operators. Strictly necessary cookies were already exempt; the new exemptions extend that list, subject to conditions such as giving users clear information and a simple way to object.

Simplifying Compliance and Operations

The DUAA streamlines several practical aspects of data protection compliance. For instance, it introduces a new “recognised legitimate interests” lawful basis for processing data in areas such as crime prevention and public safety, removing the burden on businesses to conduct complex balancing tests in these contexts.

It also shifts responsibility onto data recipients like the police when organisations share personal information for public task purposes, reducing the risk and uncertainty for companies when responding to legitimate information requests.

In addition, the Act allows companies to assume that certain reuses of data are compatible with their original collection purpose, particularly for archiving in the public interest, which cuts down administrative overhead.

Charities benefit from a new “soft opt-in” rule that permits them to send marketing emails to supporters unless those individuals object, helping these organisations engage with their communities more effectively.

When it comes to subject access requests, the Act clarifies that organisations only need to carry out searches that are reasonable and proportionate, helping reduce the administrative burden of fulfilling data access requests.

New Obligations to Note

While much of the DUAA creates opportunities, there are also important new requirements to prepare for. If your business operates online services likely to be accessed by children, the Act explicitly requires you to design your data practices with children’s needs in mind. This aligns with existing standards like the Age Appropriate Design Code, but highlights that businesses must actively consider child protection in their service design.

Additionally, the Act places clearer obligations on organisations to facilitate and manage complaints related to data use. Companies must provide accessible complaint channels, such as electronic forms, and are expected to acknowledge complaints within 30 days and resolve them without undue delay. This change promotes transparency and helps build trust with individuals concerned about how their data is handled.

Practical Checklist: Preparing Your Business for the Data Use and Access Act 2025

The changes brought by the DUAA are being phased in gradually through commencement regulations, expected over roughly 12 months from Royal Assent. To get ahead, businesses should take the steps listed below.

1. Review Privacy Policies and Notices

  • Update privacy notices to include clear information on scientific research uses, including broad consent options.

  • Ensure transparency by publishing relevant information on your website when privacy notices are not sent individually.

2. Assess Automated Decision-Making (ADM) Practices

  • Identify any current or planned ADM processes with legal or significant effects on individuals.

  • Confirm safeguards are in place, explain ADM decisions, provide means for individuals to challenge outcomes, and ensure access to human review.

  • Review lawful bases for ADM, including legitimate interests, ensuring special category data is handled appropriately.

3. Prepare for Subject Access Requests (SARs)

  • Implement procedures to conduct reasonable and proportionate searches when responding to SARs.

  • Update internal timelines and processes to accommodate the “stop the clock” rule, pausing response time when awaiting additional information from requesters.

4. Evaluate Data Use in Online Services for Children

  • Audit online services likely used by children and assess data protection measures in line with the Act’s explicit requirements.

  • Align practices with the Age Appropriate Design Code to ensure children’s rights and needs are addressed.

5. Update Complaint Handling Procedures

  • Establish or enhance accessible complaint channels, such as electronic forms, for data protection concerns.

  • Set processes to acknowledge complaints within 30 days and resolve them promptly.

  • Train staff on complaint management and escalation procedures.

6. Review Use of Cookies and Tracking Technologies

  • Identify low-risk cookies (for example, those used for statistical analytics or to remember user preferences) that may no longer require consent, and check that you meet the conditions attached to each exemption, such as giving users clear information and a simple way to object.

  • Update cookie banners and consent mechanisms accordingly.

7. Understand and Apply New Lawful Bases for Processing

  • Familiarise yourself with the new “recognised legitimate interests” basis for specific processing activities, such as crime prevention and public safety.

  • Assess your data sharing practices with law enforcement and other public bodies to ensure alignment with the Act.

8. Prepare for International Data Transfers

  • Review existing cross-border data transfer mechanisms.

  • Stay updated on revised rules and tests for transferring personal data outside the UK.

9. Monitor Implementation Timeline and Guidance

  • Track commencement regulations and phased implementation dates.

  • Regularly consult the Information Commissioner’s Office (ICO) website for updated regulatory guidance.

By taking these steps early, companies can not only ensure compliance but also capitalise on the efficiencies and innovations the Act encourages.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.
