How to Prepare for the Data (Use & Access) Act 2025
Discover what our top recommendations are for preparing for the DUA Act 2025.

Between June 2025 and June 2026, the government will implement the Data (Use & Access) Act (DUAA) to promote innovation and economic growth nationwide.
The DUAA makes several updates to data protection law, which the ICO says ‘make things easier for organisations, while [protecting] people and their rights’. But with change comes uncertainty, leaving businesses and data protection experts alike wondering how they can prepare.
In this blog, we cover your next steps and the opportunities available to simplify data protection compliance.
To Prepare for the DUAA, You Should:
- Familiarise Yourself with the Changes
- Implement a Complaints Procedure
- Meet New Requirements for Children’s Online Services
- Update Your DSAR Response Procedure
- Update Cookie Consent
- Review Use of Automation
- Organise Data Protection Training
1. Familiarise Yourself with the Changes
The Data (Use & Access) Act is as technical a read as the UK GDPR, PECR and Data Protection Act (DPA). Your Data Protection Officer (DPO) or the people responsible for managing compliance will need to spend time assessing the changes the DUAA makes to data protection law.
In our podcast, Data Protection Made Simple, we break the DUAA down into simple terms and provide practical tips for staying compliant with the law. Listen in now:
- Part 1: The Data (Use and Access) Act 2025
- Part 2: The Data (Use and Access) Act: What’s Next for UK Organisations?
If you need more support, our data protection consultancy can help run through which changes impact your business the most.
2. Implement a Complaints Procedure
Under the DUA Act, data subjects now have the right to complain directly to a data controller if they believe their personal data is being processed unlawfully. Such complaints were previously dealt with by the ICO; controllers must now have a formal complaints process for handling data protection concerns.
Your complaints procedure should include:
- Clear instructions on how and where to file complaints
- An easily accessible form for individuals to submit complaints
- The steps you’ll take to resolve and respond* to complaints
- How you will keep individuals informed of outcomes
- Appointed staff members trained in handling complaints
*Responses must be within 30 days of receiving the complaint.
3. Meet New Requirements for Children’s Online Services
One in five UK internet users is a child, so there’s every chance your online service may be used by an age group you never designed for. The DUAA expects you to prioritise the best interests of a child when designing and developing online services, ensuring they are protected in the digital age.
This applies to a variety of services, including apps, websites and connected toys. If you meet the existing Age Appropriate Design Code (AADC), you will have already satisfied this new requirement.
4. Update Your DSAR Response Procedure
The DUAA is expected to make subject access request (SAR or DSAR) handling and response easier; therefore, your internal procedure should now provide this flexibility.
Your procedure should make clear:
- Your refined search scope – You should only make ‘reasonable and proportionate searches’ when fulfilling a subject access request.
- Stop the clock provision – Guidance on how your staff can pause the one-month deadline for responding to DSARs if they’re waiting for identity verification or further clarification of scope.
5. Update Cookie Consent
Under the DUA Act, consent is no longer required where cookies or similar technologies fall within low-risk processing. These exempted purposes include:
- Statistical/analytics purposes to improve services
- System security and fraud detection
- Improving website functionality or tailoring the website to user preferences
You must assess whether your website’s analytics or functional cookies qualify for this exemption, considering whether they are strictly necessary and low risk. With this in mind, you’ll need to update cookie consent banners, policies and internal documentation to reflect the change in consent.
For charities, you will also have to implement a clear opt-out option for direct marketing sent under the soft opt-in rule.
6. Review Use of Automation
One way the DUAA is promoting innovation is through its new provisions (Articles 22A-22D of the UK GDPR) governing automated decision-making (ADM).
To welcome this innovation, make sure you:
- Include the new provisions under Articles 22A-22D in any data protection impact assessments (DPIAs) covering ADM
- Confirm the legal basis when special category data is required
- Add transparency statements and human review protocols where ADM affects individuals significantly
7. Organise Data Protection Training
You may know what to do, but how you need to do it might not be as clear. Now is the perfect time to schedule some refresher data protection training to ensure everyone is up to speed.
As a training provider, we can support your business with training tailored to your sector and processing requirements. All courses are up to date with the DUA Act, so your team will receive the latest insights on maintaining compliance.
How Does the DUA Act Help Your Business?
- Research provisions: The Act clarifies when personal data can be used for scientific research (including commercial) and permits ‘broad consent’ for such purposes.
- Automated decision-making: It broadens the ‘lawful bases’ that can be relied upon for significant automated decisions using personal data, potentially including ‘legitimate interests’, provided suitable safeguards are in place.
- Cookie rules: The DUAA permits the use of certain types of cookies, such as those employed for statistical analysis or enhancing website functionality, without requiring explicit consent.
- New ‘recognised legitimate interests’: For specific ‘recognised legitimate interests’ (e.g., public security), businesses no longer need to balance the impact on individuals against the benefits of data use.
- ‘Soft opt-in’ for charities: Charities can send electronic marketing to individuals who’ve supported or shown interest in their work, unless they object.
- Subject access requests (SARs): The Act clarifies that only ‘reasonable and proportionate’ searches are required when responding to SARs.
- Improved clarity: The legislation’s wording and structure have been refined to facilitate easier understanding and application.
Need Help? Contact Our Data Protection Consultants Today
As a GDPR consultancy, our goal is to make data protection easy to understand and easy to do. If you need expert support navigating the DUAA, please contact our team, and we’ll be in touch.