How the Data (Use and Access) Act Is Changing Data Protection Law
The DUA Act (2025) is here. Is your business aware of the changes ahead?

The Data (Use and Access) Bill was first introduced in October 2024 to replace its failed predecessor, the Data Protection and Digital Information (DPDI) Bill.
On June 19th, 2025, this bill became an Act of Parliament. Now known as the Data (Use and Access) Act (DUAA), it is one of the most significant changes to UK data protection law since the GDPR.
In this article, we examine the key provisions in the Act that will impact the UK GDPR, DPA and PECR legislation.
Does the DUAA Impact Any Data Protection Laws?
Yes – the Data (Use and Access) Act (2025) makes changes to the following UK data protection laws:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018 (DPA 2018)
- The Privacy and Electronic Communications Regulations 2003 (PECR 2003)
The DUAA does not replace any laws; it only amends and introduces new provisions.
What Changes Has the DUA Act Made to the UK GDPR & DPA 2018?
The Data (Use and Access) Act has made changes in the following areas:
- Automated Decision-Making
- Data Subject Access Requests
- Children’s Data Protection Obligations
- Scientific Research
- Legitimate Interests
- International Data Transfers
- New Complaints Procedure
- Reforms to the ICO
1. Automated Decision-Making (ADM)
Prior to the DUAA, Article 22 of the UK GDPR restricted automated decision-making unless it was done with the individual’s consent, permitted by UK law, or necessary for a contract between an individual and a business.
The DUAA replaces this Article with Articles 22A-22D, which allow for greater flexibility in using ADM, provided that the necessary safeguards are in place. These include:
- Providing the individual whose personal data was used for ADM with complete transparency about the decision
- Offering human intervention if requested by the individual
- Enabling the individual to contest the decision
- Allowing the individual to make representations
Restrictions remain only for special category data (e.g., race, health, or biometric data), preserving the position that applied pre-DUAA. Organisations can only use this data for ADM if they have consent, or where necessary for substantial public interest.
2. Data Subject Access Requests (DSARs)
The DUAA now provides further clarity on a business’s obligations when handling DSARs (also known as SARs).
Previously, businesses had one month to respond to a subject access request from the date it was received. The DUAA introduces a “stop the clock” provision, which allows organisations to pause the response time until they have enough information from the individual to clarify the request.
Once they have the relevant information, the one-month response time continues.
Previously, the law did not explicitly state that responding to DSARs had to be “reasonable and proportionate” (i.e., not requiring undue effort to complete the search). The DUAA clarifies what constitutes disproportionate effort, offering more flexibility to DPOs managing complex or voluminous requests.
3. Controller Obligations – Children’s Data Protection
Section 81 of the DUAA introduces an explicit duty of care for providers of online services accessed by children. These controllers must take into account the “children’s higher protection matters” (Article 25(1B)) when designing services for children.
When choosing the appropriate technical and organisational measures, controllers must consider:
- How best they can support and protect children using their services
- How children may be less aware of the risks and consequences of personal data processing
- How children have unique needs at different ages and stages of development
4. Scientific Research
The DUAA introduces the concept of ‘broad consent’, previously outlined in the UK GDPR recitals, into the main text of the legislation.
This measure allows researchers to rely on broad consent, whereby individuals consent to their information being used for an “area of scientific research” rather than a more specific purpose. Gaining broad consent is contingent upon meeting the ethical standards relevant to the area of research.
5. Legitimate Interests
There is now a list of recognised legitimate interests under Article 6(1)(f) of the UK GDPR, which includes:
- National security, public safety and defence
- Emergency response
- Safeguarding of vulnerable individuals
- Crime prevention
- Disclosure of data in the public interest
When data processing is based on any of these interests, no balancing test is required. This test, also known as a legitimate interests assessment, balances the controller’s interests against the individual’s rights and freedoms to ensure processing is fair.
Removing the balancing test recognises the ‘societal value of the processing in specified situations and the potential negative impacts of any delay.’
6. International Data Transfers
Under the DUAA, international data transfers are permitted if the receiving country has data protection standards that are similar (not materially lower) to those of the UK. This replaces the EU-style adequacy framework, making it easier to approve data transfers to a wider range of countries.
With the test changed from ‘essentially equivalent’ to ‘not materially lower’, the UK has more flexibility to transfer data outside of the EU’s stricter standards.
7. New Complaints Procedure
Data subjects now have the right to complain to a data controller if they’re concerned that the way their information is processed breaches data protection law.
While individuals have always had the right to complain, the DUAA now places the burden for acting on that complaint with the controller, rather than the ICO.
In response to this, controllers must implement a clear response procedure, whereby all complaints are acknowledged within 30 days of receipt. Controllers are also required to respond without undue delay and inform the individual of the outcome.
For more insight, read our recent blog on this new complaints provision to find out how you can prepare.
8. Reforms to the ICO
Currently, all powers and responsibilities are held by one individual, the Information Commissioner. The DUAA will replace the ICO with the Information Commission, which will be led by a chair and a chief executive, with other non-executive and executive members also in place.
This significant institutional change will promote diversity in decision-making by sharing decisions across a board, rather than relying on a sole decision-maker.
The Information Commissioner will have additional duties to consider, which you can learn about on GOV.UK’s ICO factsheet.
How Has the DUA Act Changed the PECR?
1. Time Period to Report Breach
The Data (Use and Access) Act now requires communication providers to report personal data breaches to the ICO ‘without undue delay’ and no later than 72 hours after becoming aware of them.
The PECR currently requires businesses to report breaches within 24 hours, so the new time period (72 hours) is in line with the reporting period under the UK GDPR.
2. Non-Compliance Fines
The DUAA aligns the maximum fines for PECR breaches with the UK GDPR, increasing them to £17.5 million or 4% of a company’s global annual turnover, whichever is greater.
With the original fine at £500,000, this increase places significant responsibility on businesses to strengthen PECR compliance.
3. Soft Opt-In Rule for Charities
Charities can send marketing emails and texts to individuals who have expressed interest or offered support to the charity. This is known as the ‘soft opt-in rule’, which allows charities to send electronic marketing without needing explicit consent.
Individuals must be able to opt out at any time, whether it’s at the first instance or later down the line. This means charities can continue to send communications to an individual until they explicitly opt out.
4. Cookie Compliance Exemptions
While the PECR required consent for all but ‘strictly necessary’ cookies, the DUAA introduces new exemptions for specific ‘low-risk’ scenarios, provided that clear information and an opt-out option are offered to users.
Under the new rules, consent is no longer required for the use of cookies for the following purposes:
- Statistical analysis for service improvement (e.g., website analytics).
- Website functionality and improvement, such as adapting a website to a user’s preferences.
- Security and fraud prevention.
When Will the DUAA Changes Take Effect?
Changes to data protection law will come into force two to twelve months after Royal Assent (June 2025). GOV.UK will announce further details of the regulations and the exact dates when each measure will commence.
Want to Learn More? Subscribe to Our Podcast
Our podcast, Data Protection Made Easy, is your go-to hub for the latest news and changes in data protection law. Recently, our team hosted two live sessions discussing the DUA Act and how businesses can prepare going forward.
Catch up and listen to:
- Part 1: The Data (Use and Access) Act 2025
- Part 2: The Data (Use and Access) Act: What’s Next for UK Organisations?
Our award-winning podcast is available on Spotify, Amazon Music and many other podcast sites. Subscribe now to avoid missing out.
Speak to Our Data Protection Consultants Today
Our data protection consultancy can help you prepare for all the changes in the DUAA. Whether it’s setting up a complaints procedure or updating cookie consent, we’re here to guide you through.
Need support? Get in touch with our team today.