Data (Use and Access) Act 2025 receives Royal Assent: limited change?
A new law that has been expected in the world of data protection has finally arrived and has had some time to ‘settle in’, as the Data (Use and Access) Act 2025 (‘DUA Act’) received Royal Assent on 19 June 2025. The DUA Act amends many key aspects of UK data protection law (comprising primarily the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR)).
In this article, Yaseen Altaf, Data Protection Solicitor at Forbes Solicitors, will explore many of the key changes (most of which are yet to come into force as at the date of writing), their impact on organisations, and how organisations can prepare for the changes.
Published: August 14th, 2025
High level summary
Most changes are not yet in force
The changes do not overhaul current data protection law but largely relax current data protection requirements for organisations
The DUA Act codifies many aspects of ICO guidance
A new complaints process is introduced
ICO powers have increased
Currently not expected to affect current adequacy decisions on international personal data transfers from the EU to the UK (although advice should be sought)
Background in brief
New data protection legislation has been expected for a while, since the UK withdrew fully from the EU. The previous Conservative Government proposed the Data Protection and Digital Information Bill, but this did not survive the dissolution of Parliament. The DUA Act is essentially the current Labour Government’s version of this new law.
What are some of the key changes?
Increased ICO Powers

| CHANGE | DESCRIPTION | IMPACT |
|---|---|---|
| Increased ICO powers | The DUA Act increases the powers of the ICO (the UK’s data protection regulator) to: | Negative and sizeable. This is perhaps the most significant change brought by the DUA Act. Organisations face even greater potential enforcement action following these changes. |
Greater Compliance Burden

| CHANGE | DESCRIPTION | IMPACT |
|---|---|---|
| Complaints | The DUA Act introduces a requirement for a complaints process that must be followed by controllers (those who decide how and why personal data is used). This allows individuals to make complaints if they think the controller is not compliant with data protection law. It involves having in place an electronic complaints form, acknowledging complaints within 30 days, and advising the complainant of the outcome without undue delay. | Negative, as it is an extra compliance burden for controllers. Organisations will need to draft and put in place an electronic complaints form and follow the complaints process, which should ideally include a policy for dealing with complaints. |
| Protection of children’s personal data | For organisations that provide an online service that is likely to be used by children, special regard must be given to children’s ‘higher protection matters’. This provision amends the UK GDPR to codify the recognition that children merit specific protection and that this must be ‘baked’ into data protection practices. | Negative but limited, as the provision essentially turns the ICO’s current Age Appropriate Design Code into more formal law. Additionally, Recital 38 of the UK GDPR already recognises children as meriting specific protection. This provision will be particularly relevant for organisations in the Education sector. |
| New powers to expand special category data | The Secretary of State has authority under the DUA Act to add to, or modify, the scope of personal data regarded as ‘special category’ (essentially meaning sensitive types of personal data). | Negative, with the potential for a greater burden on organisations if more categories are added to the list of ‘special category’ data, as these are afforded greater protection and require more legal steps before they can be used. |
Compliance Easing

| CHANGE | DESCRIPTION | IMPACT |
|---|---|---|
| Data subject access requests (DSARs) | The DUA Act codifies (i.e. turns into legislation) current ICO guidance. Examples are the requirement to conduct reasonable and proportionate searches for personal data (which is now in force), and the ability of an organisation to pause ‘the clock’ when responding to a DSAR while it seeks clarification on the scope of the DSAR. | Positive but limited, as organisations already benefitted from these via ICO guidance; however, these provisions benefit organisations further because they will now have a legal right to rely on them when responding to DSARs. |
| Recognised legitimate interests | The lawful basis of legitimate interest for processing personal data will now include recognised processing activities, which means a legitimate interest assessment (an assessment of the impact on individuals when relying on ‘legitimate interest’) will not need to be completed, such as when using personal data for: | Positive, as it reduces the compliance burden of identifying lawful bases for using personal data, particularly for educational institutions when providing personal data for the safeguarding of children. |
| Cookie exemptions | Allows certain types of cookies to be set without consent, beyond the strictly necessary cookies permitted under the current law. These include cookies (or similar technologies) used only for: | Positive, as it reduces the compliance burden of obtaining user consent for specific uses of cookies. |
| Soft opt-in allowed for charities | Allows charities to send electronic marketing (e.g. SMS and email) to supporters, offerors of support, or those expressing interest in the charity, without the need for their initial consent to receiving such communications, as long as they are given the option to opt out. | Positive, as it eases compliance for charities compared to the ordinary strict rules on gaining consent set out in PECR. |
| Automated decision making (ADM) | Removes the restriction on using solely automated decision making that uses personal data. The DUA Act allows ADM in more situations, using more lawful bases, provided that safeguards are in place such as: ADM that uses special categories of personal data remains restricted, and consent from the individual or meeting the public interest test is required. | Positive, as it allows more bases for using ADM so long as safeguards are in place. |
| International data transfers | The test for adequacy regulations (essentially findings that a country or international organisation has adequate levels of legal safeguards in line with UK law, allowing personal data transfers from the UK to that destination without additional safeguards) will be whether the destination’s data protection standards are ‘not materially lower’ than the UK’s, compared to the current ‘essentially equivalent’ standard. | Positive if it allows the free flow of personal data to an increased number of countries. Time will tell how the UK will implement the new standard. |
| PECR personal data breach | Currently, personal data breaches under PECR (distinct from ‘regular’ UK GDPR breaches) must be notified to the ICO within ‘24 hours of becoming aware of the essential facts of the breach’. The DUA Act changes this to no later than 72 hours, aligning it with the requirement for ‘regular’ breaches. | Positive, as it allows more time for delays and investigations after an organisation becomes aware of a breach, and creates a more streamlined procedure for internal data breach policies as it aligns more closely with the ‘regular’ personal data breach procedure. |
Provisions in force
Most provisions are not yet in force. Further commencement regulations need to be passed for the various provisions to come into force.
Impact on EU to UK personal data flows
The European Commission has assessed the impact of the DUA Act on personal data transfers from the EU to the UK and has concluded that the adequacy decisions (EU decisions that allow the free flow of personal data from the EU to certain countries without additional safeguards) can remain. Although input from other EU bodies is currently being sought, this is promising news for organisations concerned about how the DUA Act might affect their practice of sending personal data from the EU to the UK.
Final thoughts
The DUA Act is mainly expected to ease compliance by relaxing a number of data protection requirements, and to bring clarity by codifying ICO guidance. Organisations should review their data protection practices to ensure compliance with current law and guidance, and prepare for the provisions in the DUA Act that are yet to come into force.
Organisations in the Education sector should additionally ensure they review their policies and procedures on safeguarding and their coverage of using and sharing children’s personal data to comply with data protection law. Providers of online services, such as those in EdTech, should particularly note the provision on the use of children’s data.
Action plan
Organisations can prepare for the coming into force of the DUA Act by carrying out the following:
Review all policies and procedures to ensure compliance with UK data protection law and ICO guidance, particularly DSAR procedures
Draft complaint forms and internal procedures for dealing with data protection complaints
Review all contracts to account for the new changes with particular regard to the complaints requirement
Have in place policies and procedures in the event of an investigation by the ICO
Ensure purposes and lawful bases are clear for different types of personal data processing, particularly special categories of personal data
Consider the new exemptions for cookies and how they relate to the organisation’s cookie consent management systems
Monitor and seek advice on how the DUA Act may affect the organisation’s international transfers of personal data
To find out how Forbes can support your organisation with these actions, please get in touch.