Commercial Question

Navigating the Data Use and Access Act

updated on 14 October 2025

Question

How does the Data Use and Access Act reshape data compliance in the UK?

Answer

The UK’s data protection landscape has entered a new chapter with the enactment of the Data (Use and Access) Act 2025 (DUAA). Receiving royal assent on 19 June 2025, the DUAA replaces the shelved Data Protection and Digital Information Bill and introduces changes to the current framework for businesses using and accessing personal information in the UK. The majority of the changes made by the DUAA to UK data protection law consist of minor relaxations of data protection requirements. Given the extra-territorial scope, businesses worldwide may also be subject to these changes if offering, or planning to offer, services into the UK.

Due to the changes brought by the DUAA, it’s important to understand both the act’s intended goals and its impact on data compliance requirements in the UK. Therefore, this article discusses:

  • the aims of the DUAA;
  • the resulting changes to data protection compliance in the UK; and
  • practical steps that organisations can take to adjust to the new regulatory environment.

What are the DUAA's objectives?

A UK government press release on 19 June 2025, the same day as royal assent, outlined the DUAA's key focus areas.

First among these is the ambition to stimulate economic growth by unlocking the potential of data-driven innovation. The government estimates that the DUAA's new data regime could add £10 billion to the UK economy over the next 10 years by streamlining data exchange among government bodies and stakeholders. In addition, individuals will benefit from increased data-sharing capabilities and turbocharged innovation in technology and science.

A news story from the Information Commissioner's Office (ICO), published on the same day, states that businesses are expected to benefit from new opportunities to innovate and expand within the UK, while also facilitating enhanced protection of individuals' personal information.

Accordingly, it’s evident that the DUAA aims to facilitate technological advancement for businesses, while simultaneously enhancing accountability and adherence to data protection regulations. With this in mind, what are the changes businesses should prepare for?

What are the data protection reforms?

The DUAA introduces data protection reforms by making a number of changes to the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

The DUAA is divided into eight sections, addressing topics including smart data schemes, digital identity verification, amendments to current data protection laws and the creation of a new information commission. Presented below are the principal provisions that organisations should consider when striving for compliance with the UK's new data protection framework:

  • New lawful ground of 'recognised legitimate interests': the DUAA introduces a new lawful ground where the need to carry out a balancing assessment is removed. The lawful ground includes national security, public security and defence as well as emergencies and crime.
  • Use of automated decision-making: widening of the grounds that can be relied upon for solely automated decisions – this includes being able to rely on legitimate interests where special category data isn’t being processed.
  • International data transfers: the process for transferring data overseas, which involves assessing the safeguards in the recipient jurisdiction relative to the UK's data protection framework, has been updated to make the process easier.
  • Clarifications to data subject access requests: the DUAA includes a ‘stop the clock’ rule, allowing businesses to pause the response period if additional information is needed from the requester. Additionally, it’s been clarified that businesses are only required to perform searches that are ‘reasonable and proportionate’ when responding to such a request (albeit this has been standard practice in the UK for a number of years).
  • Cookie usage and consent: consent requirements for cookies have also been streamlined, meaning that certain non-intrusive cookies don’t require consent, although organisations are still obliged to provide an opt-out feature.
  • Enforcement powers under the PECR: fines under PECR have been raised to align with UK GDPR levels.
  • Formal complaints handling procedures: organisations must help individuals who want to make a complaint about how their personal information has been handled. They must acknowledge data complaints within 30 days and deal with them without ‘undue delay’.

You can read more about these changes in the ICO's overview of what the DUAA means for organisations and how it might make things easier.

The Department for Science, Innovation and Technology (DSIT) has published a summary of the government’s plans for bringing into force provisions in the DUAA. The summary helpfully includes an implementation timeline. DSIT advises that implementation will proceed in four distinct phases:

  • Stage one (August 2025): technical provisions that clarify aspects of the legal framework commence.
  • Stage two (autumn 2025): approximately three to four months after royal assent, the digital verification services provisions commence.
  • Stage three (winter 2025): approximately six months after royal assent, the main changes to data protection legislation, excluding complaints handling, will come into force.
  • Stage four (early 2026): remaining provisions, including complaints handling and ICO governance changes, will come into force.

What’s next for copyright and AI regulation?

One of the most debated aspects of the DUAA, prior to royal assent, was whether the DUA Bill should cover transparency on AI models using copyrighted works to train the models. This issue led to a ‘ping pong’ between the Lords and Commons, where we saw a number of passionate debates on the topic of transparency. The Lords were largely in favour of including transparency measures in the bill to protect creatives, while the Commons largely took the view that the bill wasn’t the appropriate place to address this issue. During the debates, the tension between the rights of creators and the interests of the UK tech industry was evident.

Ultimately, the Lords conceded on the issue of transparency (at least in terms of the DUA Bill) and the final text of the bill was agreed.

Concerning AI and copyright, we ended up with a requirement in the DUAA for the government to publish:

  • an economic impact assessment on AI and copyright by 19 March 2026;
  • a report on the use of copyrighted works in the development of AI systems by 19 March 2026; and
  • a progress statement on each of the above by 19 December 2025.

The government has since made some progress on this. In July 2025, the government announced the establishment of expert working groups on AI and copyright, which include representatives from both the creative and AI sectors, in an attempt to find practical solutions to AI and copyright. In the same month, Minister for Science Patrick Vallance said, in the House of Lords, that the UK is considering drafting legislation for AI technologies and there would be a consultation on this topic. So far, the consultation hasn’t launched. We also know that DSIT published an AI Sector study on 3 September 2025 that assesses the sector's £23.9 billion (and growing) contribution to the UK economy – a figure likely to be discussed further in the upcoming economic impact assessment report.

What can businesses do to prepare?

Businesses will want to work towards complying with the DUAA in advance of the various stages of implementation.

To start, organisations may consider conducting thorough audits of their current data processing practices, including their direct marketing activities.

In addition, organisations could consider updates that may be required to their cookies policies and collaborate with the internal teams and system providers that will assist with updating their cookie banners or notices. Moreover, organisations should start work on a procedure for data protection complaints that complies with the DUAA's requirements.

Businesses could also review contracts with third parties, including data processors, cloud providers and international parties, to check whether agreements are compliant with the changes that require positive action.

Finally, horizon scanning is another important part of compliance and will inform preparations. Businesses should engage with the ICO's consultations on specific parts of the DUAA and keep an eye out for updated versions of a range of ICO guidance – the ICO will set out its plans on its website as work progresses, but we can expect some of the updated guidance to be released by the end of 2025 and early next year.  

Conclusion

While the changes weren’t as substantial as initially expected, the DUAA still introduces changes to the UK data protection framework, which businesses and stakeholders need to prepare for.

Furthermore, while the sections addressing AI and copyright were removed prior to royal assent, direct regulation in these domains will arrive in due course. Businesses are advised to stay alert for updates, as the future legislative landscape will continue to evolve. To stay ahead, organisations must actively monitor legislative developments and ICO guidance, and participate in industry consultations. By anticipating changes and adapting early, companies can ensure their privacy programme, processes and legal terms are compliant with the changes introduced by the DUAA.

Jade Wadey is a trainee solicitor at Womble Bond Dickinson.