The Data (Use and Access) Act 2025

What UK Businesses Need to Know

On 19 June 2025, the UK Parliament granted Royal Assent to the Data (Use and Access) Act 2025 (DUAA)—a significant amendment to the UK GDPR, Data Protection Act 2018, and PECR. Here’s what organisations and their clients should know, and how to prepare.

1. An Amendment, Not an Overhaul

The DUAA enhances—but does not replace—the existing framework, including UK GDPR, DPA 2018, and PECR. Its updates:

Clarify lawful bases for processing

Modify cookie consent requirements

Streamline subject access requests

Expand and enhance ICO regulatory powers

2. New Lawful Basis: "Recognised Legitimate Interests"

The Act introduces a new lawful basis under Article 6(1)(ea) UK GDPR, categorising certain purposes—such as direct marketing, security/fraud prevention, intragroup data sharing, and protecting vulnerable individuals—as ‘recognised’. For these uses, the balance test is no longer mandatory.

3. Boosting Innovation with Flexibility

The DUAA modernises several data-use areas:

Scientific research: Explicitly allows broad consent and secondary use of personal data without repeated notices.

Automated decision-making: Permits ADM on non-sensitive data without explicit consent, provided transparency, the right to human review, and challenge mechanisms are in place.

Cookie use: Permits certain low-risk cookies (e.g., analytics, functional cookies) without explicit consent—provided users are informed and can opt out.

4. Stronger Regulator & New Enforcement Tools

The Act reforms the ICO—renaming it the Information Commission—and extends its powers to demand witness testimony, compel reports, and issue fines up to £17.5 million or 4% of global turnover for PECR violations.
It also introduces a mandatory complaints procedure, requiring controllers to acknowledge complaints within 30 days and address them promptly.

5. International Transfers & EU Adequacy

The adequacy requirement for international transfers shifts from “essentially equivalent” to “not materially lower” than UK standards. The EU’s adequacy decision for the UK is up for renewal by 27 December 2025.

6. Phased Roll-out: What’s Coming

Provisions will come into force in stages over the next 2–12 months, and will require secondary legislation. The ICO is expected to release guidance throughout the autumn and winter, particularly regarding legitimate interests, cookie use, children’s protections, and smart data frameworks.

In Summary

The Data (Use and Access) Act 2025 introduces targeted reforms that ease certain compliance burdens, encourage innovation, and bolster enforcement—all while preserving individual data rights. Businesses should take proactive steps now to update policies, processes, and infrastructure.

If you'd like assistance with policy drafting, cookie strategies, DSAR workflows, or ICO liaison, we would love to hear from you - please get in touch.

 
