The Data (Use and Access) Act (DUAA) received Royal Assent on 19 June 2025. The DUAA enacts the changes to the UK’s data protection regime that have been contemplated since the Data: a new direction consultation in 2021.
This article looks to help organisations who are subject to the UK’s post-Brexit assimilated General Data Protection Regulation (the UK GDPR), Data Protection Act 2018 (DPA 2018), and Privacy and Electronic Communications Regulations (PECR) navigate the changes.
First, it covers changes that may require action and then details the changes that could be impactful where enforcement action is taken. It then goes on to describe the bulk of the changes that will not necessarily require any action. These are changes designed to unlock the power of data and promote innovation, such as changes to the rules on automated decision-making. Organisations may wish to make changes to adapt to the new regimes, though they will only be able to do so to the extent that they are not subject to the EU rules.
Finally, it provides an update on the position on EU adequacy. At the time of writing, the Commission has reviewed the Data (Use and Access) Act and has launched the process to adopt a new adequacy decision.
Scope
In its 144 sections and sixteen schedules, the DUAA covers considerable ground, including smart data and digital verification, as well as a new National Underground Asset Register and digital registration of births and deaths. This article is limited to the data protection and e-privacy reforms in the DUAA.
In the data protection space, it covers changes for organisations subject to the UK GDPR and Part 2 DPA 2018, as well as relevant changes in relation to regulation and enforcement. It does not cover changes relevant for organisations subject to Part 3 DPA 2018 (Law enforcement processing), nor does it cover Part 4 DPA 2018 (Intelligence services processing) in detail.
Entry into force
Most of the changes we describe require a statutory instrument to bring them into force. Indications from the Department of Science, Innovation and Technology (shared at the Privacy Laws & Business conference on 9 July 2025) suggest they will be brought into force around December 2025. There are some exceptions below where provisions come into force two months from Royal Assent (20 August 2025), or on Royal Assent (given on 19 June 2025) – we have indicated where this is the case.
Jump to:
- Changes requiring action
- Complaints – new obligations for controllers to facilitate complaints
- Changes that will be impactful when enforcement action is taken
- Expanded powers for the ICO – reports
- Expanded powers for the ICO – power to request documents – coming into force 20 August
- Expanded powers for the ICO – interview notices
- New secondary duties – promoting innovation and protecting children
- Fining powers under PECR
- Amendments to definitions under PECR
- The new Information Commission
- Information society services likely to be accessed by children
- Changes to drive innovation and simplify compliance
- ICO codes of practice – already in force to some extent
- Processing for research, archiving and statistical (RAS) purposes
- Information to be provided to data subjects
- Purpose limitation
- Automated decision making
- Data subject rights
- Legitimate interests
- International transfers
- Cookies / trackers
- Direct marketing and PECR breach notifications
- EU adequacy
- Our take
Complaints – new obligations for controllers to facilitate complaints
Data subjects’ rights to complain have been restructured, with the focus shifting to complaints to the controller rather than complaints to the ICO.
Controllers must facilitate the making of complaints by taking steps such as providing a complaint form which can be completed electronically and by other means.
If a controller receives a complaint, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received. The controller must take appropriate steps to respond to the complaint and inform the complainant of the outcome of the complaint, all without undue delay. Appropriate steps can include making enquiries and informing the complainant about progress on the complaint.
The ICO is currently drafting guidance and will consult in winter 2025/2026. In the meantime, it would be wise to ensure that data subjects have a prominent method through which they can complain, and that data protection complaints made through all channels (including through e.g. customer service) are dealt with promptly. In practice, data subject access requests (DSARs) and erasure requests frequently accompany complaints, so a prompt and joined-up process is needed to ensure that the applicable time period can be met.
Alongside this, data subjects no longer have a right to complain to the ICO under Article 77 UK GDPR, and the ICO will not have a duty to handle complaints under Article 57(1)(f). Data subjects “may” still complain to the ICO, and the ICO will continue to have an obligation to facilitate complaints under s.165.
The ICO’s powers to refuse to act on manifestly unfounded or excessive requests, or charge a reasonable fee, are also extended to cover all requests, rather than just requests from data subjects and data protection officers.
Changes that will be impactful when enforcement action is taken
The DUAA includes various new powers and duties for the ICO, as well as creating a replacement body to be called the Information Commission.
Expanded powers for the ICO – reports
The ICO’s current assessment notice powers already include entry to premises and powers to require the controller or processor to direct them to specific documents to allow the observation of processing. These will be expanded to include a new power to require a report from an ‘approved person’. This new power resembles the Financial Conduct Authority (FCA)’s and Prudential Regulation Authority’s powers to require a report by a skilled person under s.166 Financial Services and Markets Act 2000 (FSMA).
Where required by the ICO, the controller or processor must nominate an approved person to prepare a report on a specified matter. The ICO has the power to reject the controller or processor’s choice (with reasons) and nominate a different approved person. The controller or processor must give reasonable assistance to the approved person and will also be responsible for their costs. The ICO can issue a fine where the organisation fails to provide reasonable assistance.
The legislation sets out the new power at a high-level, but further guidance will be needed to set out how the power will be exercised; in the context of s.166 FSMA, the FCA’s powers are set out in detail in the FCA handbook under SUP5. The DUAA creates a duty for the ICO to provide this guidance, though at the time of writing, there is no timeline available for when it will be issued.
Expanded powers for the ICO – power to request documents – coming into force 20 August
When the ICO issues an information notice, it will now have an explicit power to require documents as well as information.
The relevant provision of the DUAA (s.97) is one of the few that come into force two months from Royal Assent and will not require secondary legislation to be brought into force.
Notices from the ICO – coming into force 20 August
The ICO will now be able to give notice via email. The DUAA also makes various other amendments clarifying the process for giving notice by post. These provisions also come into force two months from Royal Assent and will not require secondary legislation to come into force.
Expanded powers for the ICO – interview notices
The DUAA creates a new power for the ICO to require an individual to attend an interview and answer questions with respect to any matter relevant to an investigation. Individuals can be called to interview if they are the controller or processor, or if they work for (or worked for) or have been involved in the management or control of the controller or processor.
New secondary duties – promoting innovation and protecting children
The principal objective of the ICO continues to be to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest. The DUAA adds that this principal objective also includes promoting public trust and confidence in the processing of personal data.
The DUAA also adds a new list of factors for the ICO to have regard to. These include the desirability of promoting innovation and competition, as well as the fact that children merit specific protection. These will sit alongside the ICO’s existing obligation under s.108 Deregulation Act 2015 to have regard to the desirability of promoting economic growth, and to take action where it is needed and proportionate.
The new duties are very much in alignment with the current Information Commissioner’s stated priorities, but will now be crystallised in the statute.
Fining powers under PECR
The DUAA makes significant changes to the ICO’s enforcement powers under PECR, aligning them with its powers under the DPA 2018. Fines can now be up to the higher of £17.5 million or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, as for data protection infringements, rather than the old £500,000 cap previously retained for PECR.
The changes also remove the requirement to establish that a contravention has caused substantial damage or substantial distress. This could be impactful should the ICO consider enforcement on cookies where, for example, the absence of a ‘reject all’ button would have been unlikely to cause substantial damage or distress.
Amendments to definitions under PECR
Definitions under PECR are also updated to capture a wider range of communications. The definition of a ‘call’ is extended so that it includes attempts to make a connection via a telephone call, rather than just calls that are actually connected. The DUAA also amends the definition of a ‘communication’ to include information that has been transmitted, rather than just information that has been exchanged or conveyed. This means that texts and emails that have been sent but not necessarily received fall within the scope of PECR. The definition of a ‘recipient’ of a communication is amended to include an intended recipient. PECR also now incorporates the definition of ‘direct marketing’ under the DPA 2018 (“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”).
The DUAA also clarifies the scope of Regulation 6 PECR (which imposes restrictions on storing or gaining access to information in the terminal equipment of a subscriber – i.e. cookies and trackers). It provides that a reference (however expressed) to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment. This will more clearly capture a wider range of technologies, including fingerprinting.
The new Information Commission
The powers and duties of the ICO currently formally fall to the Information Commissioner – currently John Edwards. The Information Commissioner is a corporation sole, appointed by the monarch by Letters Patent.
That is about to change – all continuing powers and duties, as well as the new powers and duties described above, will fall to a new Information Commission. The Information Commissioner’s functions, property, rights, and liabilities will transfer over to the new Information Commission. John Edwards will continue his term of office as Chair of the Information Commission, with Paul Arnold as interim CEO. Applications for non-executive directors are open until 1 August.
Information society services likely to be accessed by children
Article 25 UK GDPR (data protection by design and by default) is amended to add new “children’s higher protection matters” that must be taken into account in the course of providing information society services which are likely to be accessed by children. These are:
- how they can best protect and support children using the services;
- the fact that children merit specific protection with regard to their personal data, because they may be less aware of the risks and consequences involved; and
- the fact that children have different needs at different ages and at different stages of development.
The ICO is already required to take these points into account when enforcing, as they are covered under the Age appropriate design code. The DUAA brings them into the statute, meaning that the ICO could enforce specifically on these points under Article 25 UK GDPR.
Changes to drive innovation and simplify compliance
Alongside the changes described above, the DUAA includes a number of changes designed to promote innovation and simplify compliance. These changes do not necessarily require any changes to compliance processes. Organisations may wish to make changes to the extent they are not subject to the EU GDPR or EU implementations of the e-Privacy Directive.
ICO codes of practice – already in force to some extent
The ICO will be required to prepare new codes of practice where required to do so by regulations made by the Secretary of State. The DUAA also sets out the process for preparation and approval of the codes. The ICO has already confirmed it plans to produce a statutory code of practice on AI and automated decision-making, “so organisations have certainty on how to deploy AI in ways that uphold people’s rights and build public confidence.”
The power of the Secretary of State to make regulations requiring the ICO to produce a new statutory code came into force with Royal Assent on 19 June (see s.142(2)(h) DUAA). Our reading is that the provisions on the process for creating these new codes will need to be brought into force via secondary legislation. This will likely be dealt with alongside the other substantive data protection provisions by around December 2025.
Processing for research, archiving and statistical (RAS) purposes
Scope of purposes
The DUAA restructures provisions relating to processing for research, archiving and statistical purposes, referred to as “RAS Purposes”. The examples of each of these purposes previously provided for in the recitals of the UK GDPR are brought into Article 4, removing any uncertainty as to whether they fall in scope. The DUAA also eliminates any ambiguity as to whether “scientific research” must be “scientific” in nature, and whether “processing for RAS Purposes” must be “necessary for RAS Purposes” (i.e. without the processing, the RAS Purpose cannot be fulfilled), explicitly confirming in each case that it must. RAS Purposes can include the initial collection and/or anonymisation of personal data.
Interaction with relaxation of purpose limitation principle
Processing for RAS Purposes is identified as being automatically compatible with the existing purpose for which the data was collected, provided the applicable safeguards are applied (see below for more information on the DUAA provisions relating to re-purposing of personal data).
Relaxation of standard of consent for scientific research
The requirement that consent be given for specific, stated purposes is relaxed in connection with consent relating to processing for scientific research (as opposed to RAS Purposes more broadly), provided that:
- at the time consent was sought, it was not possible to fully identify the research purposes;
- reliance on consent is consistent with generally recognised ethical standards relevant to the relevant area/s of research;
- so far as the intended purposes allow, the data subject is given the opportunity to consent only to processing for part of the research; and
- the consent is otherwise compliant.
Safeguards applicable to RAS Processing
As under the existing regime, personal data can only be processed for RAS Purposes where:
- the processing is not likely to cause substantial damage or substantial distress to the data subject/s;
- the processing is not carried out for the purposes of measures or decisions with respect to the data subject, except where its purposes include approved medical research; and
- appropriate technical measures are applied (such as, for example, pseudonymisation).
Further provisions relating to safeguards for RAS Purposes can be made by regulation.
Information to be provided to data subjects
Currently, controllers who collect personal data from a source other than the data subject are not required to provide the transparency information prescribed under Article 14 UK GDPR (other than by making it publicly available) to the extent this would be “impossible or would involve a disproportionate effort” or would “render impossible or seriously impair the objectives of the relevant processing”. Currently, there are no corresponding exemptions from Article 13 UK GDPR, where information is collected directly from the data subject.
The DUAA amends Article 13 UK GDPR to create an “impossible or would involve a disproportionate effort” exemption that applies only to further processing for RAS Purposes. It would not apply to initial collection. The ICO has also flagged that organisations must protect people’s rights in other ways, including by making the information publicly available, as is currently (and will remain) the case under Article 14.
Article 14(5) UK GDPR has been restructured to reflect the ICO’s interpretation of the exemptions. A new Article 14(5)(e) now contains the “impossible or disproportionate effort” exemption. A new Article 14(5)(f) exemption applies where providing information is likely to render impossible or seriously impair the objectives of the processing. Both the new 14(5)(e) and 14(5)(f) can apply to any type of processing, not just processing for RAS Purposes. As mentioned above, the requirement for safeguards, including making the information available publicly, continues to apply, now under Article 14(7).
This results in a position where, when undertaking processing for RAS Purposes in circumstances where provision of a privacy notice would render impossible or seriously impair that RAS Purpose:
- A controller that collected personal data directly from data subjects will be required to give notice:
- where the RAS Purpose is its primary purpose, and/or
- where the RAS Purpose is a further processing purpose, unless to do so proves impossible or disproportionate (for example, if it has pseudonymised the data and/or combined it with other data sets, rendering it too challenging to provide notice of the re-purposing).
- A controller that collected personal data from a third party or affiliate would not need to provide notice (subject to the safeguards mentioned above).
Purpose limitation
Provisions relating to re-purposing of personal data are clarified and expanded. They apply in addition to, not instead of, the requirement to satisfy a lawful basis for the processing.
Two slightly different sets of rules apply depending on whether the data was collected on the lawful basis of consent, or under another lawful basis.
For data collected on the basis of consent, the rules are more restrictive, with further processing considered compatible for:
- any new specified, explicit and legitimate purpose the data subject has consented to;
- ensuring that processing complies with the principles under Article 5(1) UK GDPR;
- use for a reason listed in a new annex of “processing to be treated as compatible”, and it is not reasonable to expect it to obtain new consent – reasons listed in the annex include responding to requests for information from a public body (or other bodies carrying out public tasks), and safeguarding vulnerable individuals; or
- use for various public interest objectives, including prevention, investigation, detection or prosecution of criminal offences, where it is not reasonable to expect it to obtain new consent.
Where consent is not relied on for the original processing, the new use is also considered compatible for the purposes above (without the requirement on it not being reasonable to obtain new consent where relevant). In addition, further processing may be possible for:
- RAS Purposes (subject to the applicable safeguards); and
- any other compatible purpose, with the criteria for determining compatibility remaining substantively unchanged.
Automated decision making
The DUAA reframes the restrictions on solely automated decision making with legal or similarly significant effects (ADM). These provisions do not apply to decisions that are not significant, or that involve meaningful human involvement.
The default prohibition is lifted for ADM not based on special category data. Controllers no longer need to rely on one of the narrow exceptions and can carry out ADM based on legitimate interests (though as discussed below, it is not possible to rely on “recognised legitimate interests”).
The list of safeguards is expanded to balance this change. The controller must still provide information about the ADM and allow the data subject to require human review or contest the decision. The data subject now also has the right to make representations.
For ADM based on special category data, the default prohibition remains, with exceptions that are very similar to those currently available under Article 22 UK GDPR:
- the data subject has given their explicit consent; or
- the processing is necessary for reasons of substantial public interest substantiated by law and subject to safeguards, and the ADM is required or authorised by law or necessary for a contract between the data subject and a controller.
ADM that constitutes a significant decision cannot be undertaken in connection with a recognised legitimate interest without first undertaking a legitimate interest assessment.
Further regulations can be made in respect of ADM, but the described safeguards cannot be removed.
Data subject rights
The following provisions (previously set out in ICO guidance) have been brought into the articles of the UK GDPR:
- Stopping the clock – the time period of one month for responding to a data subject rights request starts from the latest of the following:
- the controller receives the request;
- the controller receives information it reasonably requested in order to respond to the request (for example, to confirm the requester’s identity); or
- the fee (if any) charged in connection with the request is paid.
- Searches – the data subject is only entitled to receive what the controller can provide based on a reasonable and proportionate search.
Legitimate interests
A new “recognised legitimate interests” lawful basis has been added to Article 6 UK GDPR. Where processing is carried out for a “recognised legitimate interest”, controllers do not need to carry out a balancing test to consider whether their interests are overridden by those of the data subject. This does not remove the potential requirement to undertake a legitimate interests assessment (which although not mandatory is considered to be best practice by the ICO). However, the “balancing” limb will automatically be met in respect of “recognised legitimate interests” which include:
- disclosing personal data in response to a request from an individual or entity that has a stated public interest ground under applicable law;
- safeguarding national security, protecting public security, or for defence purposes;
- responding to an emergency;
- detecting, investigating or preventing crime, or apprehending or prosecuting offenders; and/or
- safeguarding vulnerable individuals.
As is the case with the existing lawful basis of legitimate interests, the recognised legitimate interests basis cannot be relied upon by public bodies. It will also not be possible to rely on this new “recognised legitimate interests” basis where using ADM, as discussed above. If using ADM, controllers can still rely on the art 6(1)(f) “classic” version of legitimate interests for the above purposes – but a balancing test will be necessary.
The existing provision in the recitals of the UK GDPR that the following types of processing can constitute a legitimate interest is brought into art 6 UK GDPR:
- processing for direct marketing purposes;
- intra-group sharing for internal administrative purposes; and
- processing undertaken to ensure the security of network and information systems.
International transfers
The provisions on international transfers under the DUAA bake the ICO’s risk-based approach to international transfers into the statute.
The standard of protection required under both adequacy decisions and alternative transfer mechanisms is updated from requiring that “the protection of natural persons guaranteed by the UK GDPR is not undermined”, to requiring that the standard of protection provided “is not materially lower” than the standard of protection provided under the UK GDPR and the DPA 2018. This is now referred to as the data protection test.
For transfers subject to “appropriate safeguards” like standard contractual clauses and binding corporate rules, a transfer impact assessment must be carried out, but this can be done by meeting the data protection test reasonably and proportionately.
The UK GDPR is also amended to set out the factors the secretary of state must consider when deciding whether the data protection test is met for new adequacy decisions, now referred to as “transfers approved by regulations”. The review period is also amended from every four years to “ongoing monitoring”. The secretary of state will also have a new power to recognise new transfer mechanisms.
The ICO will be consulting on new guidance in winter 2025/2026.
Cookies / trackers
The DUAA adds a new schedule to PECR. This clarifies that certain types of trackers are ‘strictly necessary’ and so exempt from the requirement for consent for storage of, or access to, information stored in the terminal equipment. These include preventing or detecting fraud in connection with the provision of the service requested (presumably this would capture services confirming that a user is human).
In addition, there are certain types of trackers that would previously have been classed as ‘functional’ (and so requiring consent) that can now be used where the user is provided with clear information and given a simple means of objecting, free of charge. These are:
- collection of information solely for statistical purposes, with a view to making improvements to the service; and
- website appearance or functionality.
In each case, the exception can only be relied on where the use described is the sole purpose – i.e., further use for advertising is not possible.
The ICO has already made changes to its storage and access guidance to reflect these changes. In addition, it may be looking to go further than the statute in adopting a risk-based approach. It recently launched a call for evidence on “whether there are circumstances in which storage and access of information for certain advertising purposes can pose a low risk to user’s privacy”, open until 29 August. It plans to publish a statement on a new risk-based approach to regulating PECR in August 2026.
Direct marketing and PECR breach notifications
For direct marketing, the ‘soft opt-in’ is also extended to the charities sector.
The timeframe for breach notification by public electronic communications services providers under PECR is also amended to “without undue delay and where feasible, not later than 72 hours after having become aware of it”, to bring it into line with UK GDPR breach notifications.
EU adequacy
The UK’s “adequacy” for free flows of personal data from the EEA under the GDPR was granted for a period of four years in June 2021. The decision would, of course, have expired in June 2025, but the Commission granted a six-month temporary extension to give it the opportunity to review the Data (Use and Access) Act.
At the time of writing, the Commission has completed this review and launched the process to adopt a new EU GDPR adequacy decision for the UK. This review looked at the changes and concluded that, ultimately, sufficient protections were maintained. For example, in relation to ADM, it found that the UK had modified the framework, but that ADM continues to be subject to key safeguards. The Commission concluded that the UK GDPR and DPA 2018 continue to ensure a level of protection for personal data that is essentially equivalent to the EU GDPR level.
The new decision will apply for six years from its entry into force. Reviews will continue to take place at least every four years, however.
In terms of the approval process, the draft decisions will now be sent to the European Data Protection Board for its opinion. The Commission will also seek approval from a committee composed of representatives of the EU Member States. The European Parliament also has a right of scrutiny over adequacy decisions.
Our take
Few changes require proactive steps for all controllers – as discussed above, controllers would be wise to review their complaints process and look out for ICO guidance. The changes to the ICO’s powers could be very impactful when enforcement action is taken. In particular, both controllers and processors may wish to monitor for ICO guidance on the new power to require a report at the controller’s / processor’s expense. Organisations should also be mindful of the new penalty threshold under PECR, and removal of the requirement to establish substantial damage / substantial distress.
Many of the other changes will be welcome. Controllers receiving DSARs can already benefit from the clarity on reasonable and proportionate searches. For other changes, such as the reframing of the ADM restrictions, organisations may wish to consider changes to the extent that their processing is not caught by the EU GDPR.
The ICO’s timetable for new guidance is available on its website, with much of the guidance expected winter 2025 / 2026. The Commission’s new adequacy decision will need to be approved before 27 December 2025 for the UK to retain its adequacy status.