Understanding the Data Use and Access Act 2025: What It Means for Organisations

The Data Use and Access Act 2025 (DUAA) represents one of the most significant updates to UK data protection law in recent years. The Act amends existing legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Its aim is to modernise data regulation, simplify compliance for organisations, and enable responsible data sharing, while maintaining strong protections for individuals’ personal data.

For organisations operating in the UK, understanding the DUAA is critical to maintaining compliance and leveraging the opportunities it introduces.

Key Changes Under the DUAA

Automated Decision-Making

The DUAA provides a clearer framework for automated decision-making. Organisations can now use automated processes in a wider range of circumstances, provided that safeguards are in place. These safeguards include:

  • Informing individuals about decisions that affect them.
  • Allowing individuals to challenge decisions and make representations.
  • Ensuring human intervention is available when needed.

These provisions maintain transparency and fairness while enabling businesses to use automated systems more effectively.

Recognised Legitimate Interests

The Act introduces a new lawful basis for processing personal data: recognised legitimate interest. This allows organisations to process data for purposes such as crime prevention, public security, safeguarding, and emergency response, without needing explicit consent, provided the processing is proportionate and necessary.

Subject Access Requests

The DUAA clarifies the rules for responding to subject access requests, including a “stop the clock” provision. Organisations may pause the response period if they require additional information from the requester, resuming the timeframe once the information is received. The Act also emphasises proportional searches to ensure requests are reasonable.

Data Protection Complaints

Organisations are now required to have clear procedures for handling data protection complaints. This ensures individuals have a straightforward method to raise concerns about their personal data and that organisations resolve these concerns efficiently.

International Data Transfers

The DUAA introduces a more flexible “data protection test” for transferring data outside the UK. Transfers are permitted if the recipient country’s protections are not materially lower than UK standards. The Act also allows the Secretary of State to authorise transfers, providing clarity for organisations that operate across borders.

Smart Data Schemes

The Act establishes frameworks for smart data schemes, similar to open banking initiatives. These schemes facilitate secure data sharing between consumers, businesses, and third parties, promoting innovation and improving service delivery.

Cookies and Consent

Under the DUAA, cookie consent requirements are simplified for certain low-risk cookies, such as those used for site analytics, functionality, and security. Explicit consent is no longer required for these types of cookies, provided users are informed and can opt out. Organisations should update their cookie policies and notices to reflect these changes and maintain transparency with users.

Implications for Organisations

Organisations should take proactive steps to comply with the DUAA:

  • Review data processing activities to ensure alignment with the new lawful bases and requirements.
  • Implement safeguards for automated decision-making to maintain transparency and accountability.
  • Establish clear complaints procedures to handle data protection concerns efficiently.
  • Prepare for international data transfers by reviewing current mechanisms against the new data protection test.
  • Update cookie policies and notices to reflect the simplified consent requirements and provide clear information to users.

Staying informed of guidance from the Information Commissioner’s Office (ICO) is crucial, as the Act introduces new responsibilities and opportunities for organisations handling personal data in the UK.

For further guidance, organisations can refer to the ICO’s website: ICO Data Use and Access Act 2025 Guidance

How North Signal Can Help

Navigating the new requirements under the Data Use and Access Act 2025 can be complex, particularly for small and medium-sized enterprises. North Signal supports organisations in ensuring compliance while making the most of the opportunities the Act provides.

We can help with:

  1. Data Protection Assessment and Gap Analysis
    • Review your current data processing activities against the new DUAA requirements.
    • Identify gaps in lawful bases, automated decision-making safeguards, and subject access request procedures.
  2. Policy and Procedure Updates
    • Update your privacy policies, cookie notices, and internal procedures to reflect the changes in consent and low-risk cookie usage.
    • Develop clear internal complaint-handling processes for individuals exercising their data rights.
  3. Automated Decision-Making Guidance
    • Advise on implementing safeguards and transparency measures for automated systems.
    • Ensure individuals have clear channels for representation and challenge.
  4. International Data Transfers
    • Assess your current data transfer mechanisms and provide guidance on meeting the DUAA’s “data protection test” for transfers outside the UK.
  5. Smart Data Scheme Implementation
    • Support organisations looking to participate in secure, controlled data-sharing initiatives.
    • Advise on best practices for innovation while remaining fully compliant.
  6. Training and Awareness
    • Equip staff with the knowledge they need to understand and apply the DUAA in day-to-day operations.
    • Provide practical guidance for managing cookies, handling personal data requests, and maintaining compliance.

By working with North Signal, organisations can reduce compliance risk, streamline processes, and confidently adapt to the DUAA 2025, ensuring that data practices are both lawful and efficient.