On June 19th 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, bringing important updates to UK data laws. It amends, but importantly doesn’t replace, the UK GDPR, Data Protection Act 2018 (DPA), and PECR. These changes aim to boost innovation and economic growth while preserving strong safeguards for individuals’ rights.
What it means for organisations
More Room to Innovate
- Research use: organisations have a clearer basis for using personal data for scientific research (including commercial research) under ‘broad consent’, and may publish privacy information online instead of issuing individual privacy notices
- Automated decision-making: expands the lawful grounds (e.g. ‘legitimate interests’) on which decisions that do not involve sensitive data may be automated, subject to safeguards
- Cookie use: non-essential cookies used for analytics or basic functionality can now be set without explicit consent
Simpler Compliance
- Introduces a ‘recognised legitimate interests’ lawful basis, removing the need for the usual balancing test in routine cases (e.g. network security, marketing, internal admin)
- Organisations must have a formal process for data-use complaints (such as an online form), acknowledge complaints within 30 days, and respond to them promptly
Enhanced Data Transfer Rules
- Adopts a risk-based transfer approach for international data flows, assessing whether protections in other countries are “materially lower” than UK standards
What It Means for Law Enforcement & Public Bodies
DUAA clarifies data-use rules for law enforcement and intelligence agencies, aligning their regimes and introducing designation notices so they can act under a unified legal framework when jointly authorised by the Secretary of State.
ICO Powers & Regulatory Landscape
The Act strengthens the powers of the (soon-to-be renamed) Information Commission, enabling it to:
- Compel witnesses and require reports
- Conduct technical assessments
- Issue PECR fines up to £17.5 million or 4% of global turnover
Phased Roll-Out
Changes will be introduced gradually over the two to twelve months following Royal Assent. In the meantime, the ICO will continue to enforce the existing rules, applying each amendment as it comes into force.
What Organisations Should Do Now
- Familiarise yourselves with DUAA’s changes, especially around research, automated decisions, cookies, and complaints
- Prepare a complaints process if not already in place
- Revisit cookie consent mechanisms and marketing practices, including charity soft opt-in rules
- Consider using the new lawful bases (e.g. recognised legitimate interests) for internal needs like security and administration
- Keep an eye on ICO guidance and updates via their newsletters
Pixie's Thoughts
The DUAA reflects a forward-thinking shift in UK data law, balancing innovation with robust protections. By clarifying research use, automated decision-making, legitimate interests, and cookie rules, the Act provides clear pathways for organisations to use data more confidently.
However, compliance won't happen overnight. With phased implementation ahead, now is the time to audit data operations and prepare for smoother, smarter data use whilst staying firmly within legal bounds.