The Data (Use and Access) Act 2025 (“DUAA”) represents the most significant reshaping of the UK’s data protection regime since the introduction of the UK GDPR. Coming into force in phases between June 2025 and June 2026, the DUAA updates the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications Regulations 2003 (PECR), aiming to reduce the burden on organisations.
Data subject access requests
The DUAA formally introduces a “reasonable and proportionate” search requirement for DSARs which confirms that controllers no longer need to conduct exhaustive searches across all archives; instead, they must search intelligently and justify what was included or excluded. Updated ICO guidance confirms that the former “high expectation” wording has been removed, and organisations can consider the volume of information when assessing proportionality. The DUAA also supports “stop‑the‑clock” pauses while awaiting clarification from requesters.
What this means for organisations:
Review DSAR processes, build a clear proportionality framework, document decisions, and train staff to apply the new standard consistently.
Automated decision‑making
The DUAA expands the scope for using automated decision‑making (ADM), including legitimate interests for significant decisions using ADM, provided appropriate safeguards are applied. These include transparency, a right to make representations, and meaningful human oversight. Special category data remains subject to stricter limits, i.e. the requirement to have explicit consent in order to use ADM to make significant decisions using special category data.
What this means for organisations:
Reassess ADM tools, update transparency notices, strengthen governance controls, and ensure human review mechanisms remain robust.
Recognised legitimate interests
The DUAA introduces statutory “recognised legitimate interests,” giving organisations greater certainty when relying on legitimate interests for specific processing activities. These include fraud prevention, cybersecurity, safeguarding, emergency response and various public‑interest‑aligned activities. No balancing test is required when relying on these recognised legitimate interests.
What this means for organisations:
Update Legitimate Interests Assessments, privacy notices, and internal records to reflect the new statutory purposes.
Cookies and PECR
PECR is amended to allow certain analytics and functionality cookies to be set without consent, increasing the rights organisations to use cookies. However, the cost of breaching the new rules has risen significantly, as PECR fines will now align with UK GDPR levels.
What this means for organisations:
Review cookie banners, governance processes and records. Amend to include the expanded consent exemptions while ensuring accountability documentation is up to date.
International transfers
The DUAA slightly relaxes the standard for determining whether a third country offers adequate data protection, providing UK organisations a more flexible mechanism for international data transfers by allowing data transfers to countries where the standard of protection is “not materially lower” than that in the UK. This should mean easier transfers to emerging markets in practice.
What this means for organisations:
Continue conducting transfer impact assessments and monitor government announcements closely.
New statutory right to complain
From 19 June 2026, individuals should raise data protection complaints directly with the organisation before going to the ICO. All data controllers must therefore establish an internal process that:
- enables individuals to raise complaints through accessible channels;
- acknowledges complaints within 30 days;
- investigates without undue delay; and
- communicates outcomes promptly.
Complaints can be raised via any method, including informal channels, and need not use legal terminology.
What this means for organisations:
Implement or upgrade complaints workflows, update privacy notices and DSAR templates, train staff to recognise complaints, and maintain clear internal records.
Information Commission reform:
The DUAA transforms the ICO into the “Information Commission,” introducing a statutory objective focused on ensuring appropriate data protection, promoting trust, and supporting innovation and competition. Children’s protection becomes an explicit regulatory consideration.
What this means for organisations:
Expect a more transparent, strategically directed regulator with evolving enforcement priorities.
What should organisations do now?
With commencement dates running into mid‑2026, now is the time to prepare. Immediate priorities are:
- Refresh DSAR processes, including proportionality assessments and stop‑the‑clock steps.
- Update ADM governance, transparency notices, and human review procedures.
- Review cookie practices and accountability documentation in light of new exemptions.
- Build and publicise a compliant complaints‑handling process ahead of 19 June 2026.
- Train staff across business functions to identify and escalate data protection issues.
Conclusion
The DUAA marks a deliberate shift toward a more flexible, business-friendly data protection regime, but one that still imposes important new responsibilities. Organisations that prepare early will not only ensure compliance but also benefit from greater operational clarity and improved user trust. We await the IC’s comprehensive guidance on all of the above areas.