
Hello to the DUAA 2025 – Alignment with UK Data Protection Law


The Data Use and Access Act (commonly referred to as the DUAA), which received Royal Assent on the 19th of June 2025, is the UK government’s latest legislative attempt to update and streamline the UK’s data protection framework following Brexit. The Act, which amends key privacy laws including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), maintains the core principles of the UK GDPR whilst seeking to reduce administrative burdens, support innovation, and clarify areas that have proven complex in practice.

A Measured Shift, not a Radical Departure
Thankfully for privacy pros and Data Controllers alike, the DUAA does not represent a wholesale replacement of the UK GDPR or the DPA 2018. Instead, it makes targeted reforms aimed at increasing regulatory certainty and reducing perceived compliance friction, particularly for SMEs and scientific research organisations.

Key aspects of alignment with existing UK legislation include:

Core Principles Remain: The DUAA retains the fundamental principles of data protection—lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality.
Data Subject Rights Are Preserved: Individuals will still enjoy rights such as access, rectification, erasure, and objection. The Data (Use and Access) Act 2025 amends the Data Protection Act 2018 by inserting subsections (1A)–(1B) into Section 53[1] with regard to a request that is deemed by the Controller to be “manifestly unfounded or excessive”. It does not impact individuals’ right of access. Further amendments are yet to be applied but can be reviewed at www.legislation.gov.uk.
Right to Complain: As part of the roll-out of the DUAA 2025 and its amendments to the UK GDPR and DPA 2018[2], individuals will now have a statutory right to complain about how their personal data is processed. Under these new provisions, organisations are required to:
– Provide a mechanism (i.e. an online/digital form) through which individuals can submit complaints,
– Acknowledge receipt within 30 days, and
– Respond without undue delay after investigating the matter.

[1] https://www.legislation.gov.uk/ukpga/2018/12/section/53
[2] https://www.legislation.gov.uk/ukpga/2025/18/schedule/10?

The Information Commissioner’s Office (ICO) confirms these requirements on its website.[1]

In addition, the Information Commissioner will be given the power to decline to act on a complaint[2] if it is deemed “vexatious or excessive”. These provisions aim to ensure proportionality in complaint handling and protect organisations from undue burden while maintaining meaningful redress rights for individuals.

Cookies: All cookie-related amendments introduced by the DUAA 2025 are located within PECR, primarily via Schedule 12 (inserting a new Schedule A1 and updating Regulation 6)[3]. These updates allow low-risk cookies such as analytics, performance, security, and UI-preference cookies to be used without prior user consent, provided there is transparency and an opt-out.

International Transfers Framework Maintained: the DUAA 2025 relaxes the UK regime for international data transfers, shifting to a material harm/risk-based model and opening the door to new transfer mechanisms, while still preserving core protections. Organisations should revisit their compliance strategy for international transfers under UK law in light of this change.

ICO Reform, Not Removal: The DUAA abolishes the current Information Commissioner’s Office and replaces it with a new Information Commission, mirroring models like Ofcom, with a board of non-executive directors, a Chair, and a CEO (Paul Arnold has already been appointed to this role). The existing post of Information Commissioner becomes a Chair, while day-to-day operational control shifts to the CEO.

Modernisation and Innovation-Friendly

It simplifies legitimate interest assessments in certain scenarios (e.g. for national security or public interest purposes).
It supports automated decision-making by clarifying when and how individuals are protected, aiming to strike a balance between innovation and accountability.
It enhances the use of personal data for scientific research, aligning with the UK’s ambitions to become a global leader in AI and life sciences.

A Cautious Evolution

For UK-based data controllers and processors, the DUAA offers greater flexibility with modest divergence from the EU GDPR in the ongoing evolution of the post-Brexit landscape. Organisations operating across the UK and EU will need to assess whether the changes introduce dual-compliance challenges, though the UK government has signalled an intent to maintain EU adequacy.

As privacy professionals, our role is to interpret and apply the DUAA in a way that both complies with the law and supports responsible innovation. While the Act introduces changes that will be phased in over the coming year, its spirit remains aligned with the existing UK data protection regime. With proper governance and a risk-based approach, organisations can embrace the DUAA as an evolution rather than a revolution in UK data protection law.

[1] https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/ Data Protection Complaints

[2] https://www.gov.uk/government/publications/data-use-and-access-act-2025-factsheets/data-use-and-access-act-factsheet-ico#:~:text=Section%2094%20of%20the%20DUAA%20amends%20sections%20135%20and%20136%20of%20the%20DPA%202018%20and%20omits%20Article%2057(4)%20of%20the%20UK%20GDPR.

[3] https://www.legislation.gov.uk/ukpga/2025/18/schedule/12