February 6, 2026

The Data (Use and Access) Act 2025: key reforms in force

The Data (Use and Access) Act 2025 (DUAA) represents the UK's most significant package of data protection and digital information reforms since the introduction of the UK GDPR. Although the DUAA received Royal Assent in June 2025, many of its core amendments to the UK data privacy regime take effect on 5 February 2026, following the publication of the Commencement No. 6 Regulations. We examine the DUAA in greater detail in our earlier article, The data use and access bill: potential changes to UK data protection legislation, and the ICO has issued a statement on the commencement of the DUAA which links to its related guidance notes. The headline changes are set out below.

Introduction of a new lawful basis: “Recognised Legitimate Interests”

The DUAA introduces a new lawful basis for processing personal data, "recognised legitimate interests". It is distinct from the existing "legitimate interests" basis under the UK GDPR and is limited to five pre-approved public interest purposes:

  • public task disclosure request condition (this only applies to data sharing with organisations who have public tasks or official functions in UK law);
  • national security, public security and defence condition (appropriate if you need to handle personal information to safeguard national security, protect public security or for defence purposes);
  • emergencies condition (appropriate if the situation meets the definition of an emergency as set out in the Civil Contingencies Act 2004 (e.g. which threatens serious damage to human welfare) and your use of the personal information is necessary to respond to that emergency);
  • crime condition (appropriate if you need to handle personal information to detect, investigate or prevent crime, including capturing or prosecuting offenders); and
  • safeguarding condition (appropriate if you need to use personal information to safeguard a “vulnerable individual”).

No balancing test is required where a recognised legitimate interest applies, but the right to object still does. Organisations should assess whether any of their processing activities could benefit from the new basis and, if so, whether their privacy notices and records of processing should be updated.

DSARs

The DUAA establishes an "applicable time period" and procedure for responding to data subject rights requests in various circumstances, and confirms that controllers need only carry out "reasonable and proportionate" searches for information and personal data when responding to a DSAR. A "stop the clock" mechanism is added: a controller that reasonably requires further information from the data subject in order to respond can pause the response period while it awaits that information. Note that the new provisions on data subject complaints (which require controllers to acknowledge a complaint within 30 days and respond "without undue delay") come into force later, on 19 June 2026.

ADM

The DUAA includes new provisions on automated decision-making (ADM), meaning decisions taken with no meaningful human involvement. These relax and rewrite the UK GDPR restrictions on such decisions, provided safeguards are in place to:

  • provide a data subject with information about the decision made about them;
  • enable a data subject to make representations and to challenge the decision; and
  • enable a data subject to obtain human intervention about the decision.

Only automated decisions based on special categories of personal data (such as health data) remain subject to the stricter regime, requiring explicit consent or contractual necessity.

PECR changes 

One of the main PECR changes made by the DUAA is the substantial increase in the maximum enforcement fine, from the pre-DUAA cap of £500,000 to the UK GDPR level of up to £17.5m or 4% of worldwide annual turnover, whichever is higher. The DUAA also expands the categories of cookies (and similar storage and access technologies) that can be deployed without user consent. The new exemptions cover cookies used:

  • to collect statistical information to improve the service;
  • for functional purposes, that is, the way in which the information society service (the website) is displayed on a subscriber or user's device; and
  • where the sole purpose is to locate the geographical position of a subscriber or user in response to their emergency communication.

For the first two exemptions, the website operator must provide clear and comprehensive information about the purpose of the cookies and offer the subscriber or user a simple way to opt out, free of charge. The DUAA also broadens the ways in which a subscriber or user may signify consent to cookies, which now expressly include setting or amending controls in the browser they use, or in another application or programme.

Data transfers

The changes to the UK data transfer regime are largely ones of terminology and structure. "Adequacy decisions" are replaced by regulations approving third countries and international organisations that meet a new "data protection test", and that same test replaces the transfer risk assessment (sometimes called a transfer impact assessment) that exporters currently carry out. The simplified data protection test asks whether the standard of protection for personal data in the destination country or international organisation is "not materially lower" than that provided by the UK GDPR and the DPA 2018.

Enhanced ICO powers

The ICO receives strengthened investigation and enforcement powers under the DUAA, including the power to require a controller or processor to appoint an approved person to prepare a report for the Commissioner on a specified topic; to require individuals to attend interviews during regulatory investigations; and to issue notices requiring specific documents to be provided. The structural changes to the regulator have not yet commenced: the Information Commissioner's Office (ICO) has not yet been replaced by the Information Commission.

Practical implications 

Organisations should now prioritise:

  • reviewing and updating UK GDPR documentation, including privacy notices and data subject rights procedures, to reflect the new lawful basis;
  • reviewing cookie notices to determine whether exemptions can be applied and whether new opt‑out mechanisms are required;
  • assessing enforcement risk, particularly in areas where the DUAA introduces flexibility coupled with ongoing ICO scrutiny, such as analytics cookies and automated decision-making.

We will continue to monitor the ICO's guidance on the new provisions, as well as the progress of the EU Digital Omnibus and its potential impact on the privacy requirements for UK companies operating within the EU.
