UK Data Privacy Reform 2025: Key Changes under the Data (Use and Access) Act (DUAA)
This blog was originally posted on 27 June 2025. Further regulatory developments may have occurred after publication.
Authored by Samantha Anguiano, Regulatory Compliance Specialist, Compliance & Risks
On 19 June 2025, the UK Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent.
This new legislation amends existing UK data protection laws to promote innovation and economic growth, and to simplify compliance for organizations while still protecting individuals and their rights.
Background of the Data (Use and Access) Act
To fully understand the recently enacted DUAA, it is helpful to look back at its origins. The Act builds on the foundations of the 2024 Data Protection and Digital Information (“DPDI”) Bill, which was ultimately withdrawn after raising significant concerns. Still, that earlier bill served as a valuable starting point, highlighting key challenges in the UK’s data protection landscape.
One of the motivations behind reform was the growing criticism that the UK GDPR – while strong in protecting individuals – was seen as overly complex and burdensome for smaller businesses. According to a 2020 assessment by the European Commission, SMEs in the EU were spending nearly 40% of their IT budgets on GDPR compliance. Academic studies also found that the regulation’s complexity led some start-ups to abandon innovation, wrongly assuming their ideas couldn’t comply with data rules.
The 2024 DPDI Bill was introduced to reduce burdens for organisations not engaged in high-risk data processing. It was projected to save small and micro businesses around £100 million annually, through both reduced compliance costs and increased Gross Value Added. However, experts observed that, by its latest amendment, the bill had evolved into something closer to a radical overhaul of UK data protection. Some late-stage amendments raised serious concerns, were seen as too risky, and threatened the UK’s adequacy decision under the EU GDPR.
Although the bill was ultimately shelved, its purpose and underlying rationale endured. Legislators continued to pursue an update to the existing data protection legislation but opted for refinement rather than the revolution that many saw in the 2024 Bill. Hence, many of the more radical or controversial proposals from earlier DPDI versions were dropped, including those that might have undermined core GDPR principles.
What’s New in the DUAA?
Key updates include:
- Reformed DSAR timeframes and scope
- Safeguards for research-related processing
- Clarification of recognised legitimate interests
- New rules for automated decision-making (“ADM”)
- Cookie compliance exemptions for low-risk analytics
- Updated rules for international data transfers
- Reinforcement of children’s data protection under data protection by design
Safeguards for Processing for Research
One of the most discussed areas of the DUAA is its treatment of scientific, historical, and statistical research.
The DUAA amends Article 13(4) of the UK GDPR and introduces a new paragraph (5) to clarify that, when personal data is collected exclusively for scientific or historical research, the general obligation to inform the data subject does not apply, provided appropriate safeguards under UK law are in place.
In addition, the Act restructures the relevant safeguards (e.g. pseudonymisation and data minimisation) into a dedicated chapter of the UK GDPR. While the safeguards themselves are not substantively changed, the revised drafting confirms that data minimisation, including pseudonymisation, is permitted and expected.
Recognised Legitimate Interests
Another key amendment is set out in Schedule 4 of the DUAA, which amends the UK GDPR to clarify which legitimate interests are formally recognised under Article 6(1)(f). When processing is based on one of these recognised interests, no balancing test is required, as long as the processing is necessary and respects the rights of the data subject.
The recognised legitimate interests now include:
- Disclosure of data in the public interest
- National security, public security, and defence
- Emergencies
- Detection, prevention, or prosecution of crimes
- Safeguarding of vulnerable individuals
Automated Decision-Making
The DUAA also reformulates the rules for automated decision-making (“ADM”) by replacing Article 22 of the UK GDPR with new Articles 22A to 22D.
Under the pre-DUAA regime, ADM was restricted unless:
- The data subject gave explicit consent
- It was necessary for a contract
- It was authorised by UK law (with safeguards)
The DUAA removes these limitations and expands the scope for using ADM, provided that appropriate safeguards are in place. These include:
- Informing the individual about the decision
- Allowing the individual to make representations
- Offering human intervention
- Enabling the person to contest the decision
Notably, organisations cannot rely on the newly recognised legitimate interest basis as the sole legal basis for ADM under these provisions.
Cookies and ePrivacy
The DUAA amends the Privacy and Electronic Communications Regulations (PECR), particularly the rules on storing or accessing information on users’ devices (“cookie rules”).
Storage or access is prohibited unless an exception applies. These exceptions, outlined in Schedule 12, include cases where storage is strictly necessary for delivering a service requested by the user, potentially reducing the compliance burden for low-risk technical uses such as essential analytics. Transparency and opt-out options remain mandatory.
International Data Transfers
The DUAA also revises the UK’s test for assessing international data transfers. Instead of requiring “essentially equivalent” protection (as per the EU GDPR), the UK now allows transfers where the protection is not materially lower than UK standards.
This change is intended to provide flexibility while maintaining alignment with the EU–UK adequacy decision. Substantive changes are set out in:
- Schedule 7 – General processing transfers to third countries
- Schedule 8 – Law enforcement-related transfers
Data Protection by Design: Children’s Higher Protection
Section 81 of the DUAA reinforces the principle that children deserve higher protection regarding their personal data. While no new obligations are imposed directly on online service providers, this section enables the Secretary of State to issue future regulations where data processing presents heightened risks – particularly in contexts involving children. This aligns with the UK GDPR view that children may be less aware of the consequences of data processing and require additional safeguards.
Data Subject Access Requests (“DSAR”) Responses
Before the DUAA, Article 15 of the UK GDPR granted individuals the right to access their personal data, but the law did not explicitly limit the scope of searches required to fulfil these requests.
Although ICO guidance suggested that only reasonable and proportionate efforts were needed, this standard was not formally stated in law.
Section 76 of the DUAA amends Article 12 of the UK GDPR to codify that organisations need only conduct reasonable and proportionate searches when responding to DSARs.
This means:
- Organisations are not required to conduct exhaustive or disproportionate searches
- They must justify the scope of their search based on context and available resources
Timing remains unchanged (1 month), but the DUAA confirms:
- The deadline may be extended by up to two months if the request is complex or multiple requests are received
- The data subject must be informed within the first month if an extension is used, and the reason must be explained
What Should Businesses Know?
For most organisations, especially those operating across both the UK and the EU, the message is one of continuity with caution. The core principles of the UK GDPR remain intact, including the obligation to appoint Data Protection Officers (DPOs), maintain Records of Processing Activities (ROPAs), and uphold individual rights.
However, the Data (Use and Access) Act 2025 (DUAA) introduces targeted reforms that businesses should be aware of. These changes aim to reduce administrative burdens while maintaining regulatory standards. Organisations should take this opportunity to review and, where necessary, update their:
- DSAR (Data Subject Access Request) procedures: The DUAA clarifies that organisations are only required to conduct reasonable and proportionate searches when responding to access requests.
- Automated Decision-Making (“ADM”) policies: Especially in internal contexts like HR or finance, organisations should ensure ADM practices are compliant with updated guidance and safeguards under the DUAA.
- Cookie compliance frameworks: New exemptions introduced by the DUAA mean some uses of cookies may no longer require consent; however, this depends on context. Existing cookie banners and consent mechanisms should be reassessed accordingly.
- International data transfer mechanisms: Particular attention should be given to data transfers to non-EEA countries, ensuring the legal basis for such transfers remains valid under the updated framework.
While the DUAA represents a refinement of existing legislation rather than a replacement, it signals the UK’s intention to retain data adequacy with the EU while tailoring its regulatory environment to domestic needs. Businesses should remain proactive in aligning with these changes, even as the broader structure of the UK GDPR remains stable.