Data (Use and Access) Bill Granted Royal Assent
On 19th June 2025, the Data (Use and Access) Bill was granted Royal Assent and will now be known as The UK Data (Use and Access) Act 2025, or DUAA.
At this point, it is important to clarify that the DUAA will amend the existing UK data protection laws, not replace them. This means we will still have the three primary underlying laws: UK GDPR, the Data Protection Act 2018 and PECR 2003. They will just look a bit different.
Reforms to data protection legislation were first proposed by the Conservative Government, promising to “overhaul” data protection legislation post-Brexit. The early versions of these reforms were more radical, even abolishing the requirement for Data Protection Officers (DPOs).
The Labour Government then introduced their version of the new legislation in October 2024 with far fewer significant changes. The UK and EU laws still remain very closely aligned, which it is hoped will improve the chances of our post-Brexit adequacy being renewed.
The Bill would have been passed long ago had it not been for attempts by the House of Lords to introduce new transparency obligations on AI developers towards holders of copyright in training data. These clauses were rejected by the Commons, so they are not in the final version of the law.
What changes are coming?
The key changes to UK data protection law, which will be implemented in a phased approach between June 2025 and June 2026, are:
Recognised legitimate interest as a formal lawful basis: if you rely on legitimate interest for one of the “recognised, pre-approved” reasons, then there is no need to complete a legitimate interest assessment (LIA) to demonstrate you’ve considered the rights of all parties, i.e. the data subject and the data controller. In instances where your use is NOT on the pre-approved list, you’ll still need to complete an LIA.
Disclosures that help others perform their public tasks: organisations will be able to share data with other organisations without having to decide for themselves whether there is a risk in doing so. Instead, the responsibility lies with the organisation making the request. It is hoped this will aid the sharing of data where there is an overall public interest.
Assumption of compatibility: similar to the changes to legitimate interest, nine “compatible” purposes are listed, for which the controller is not required to complete an assessment.
Automated decision making: one of the more significant divergences from the EU laws. The automated decision making rules only apply where the decision is based entirely, or partly, on special category data. The safeguards of human review and transparency will continue to be required for all solely automated decisions.
“Soft opt in” for charities: one of the more significant changes. If you’re a registered charity, you are now permitted to send electronic marketing messages (email / SMS / WhatsApp) to people who support or have expressed interest in your work, unless they specifically object. If you have obtained a contact from a third party, you’ll still need to rely on consent. To learn more about this specifically, we have another blog post all about it!
Spam Messaging: historically, PECR investigations for spamming have been based on the number of DELIVERED messages. Any investigation will now be based on the number of messages SENT, i.e. the intention of the organisation.
Cookies: where the sole purpose of cookies is to enable optimisation of the website, these cookies can be dropped without consent, but an opt-out must remain.
PECR enforcement: the Information Commission’s fining powers have increased significantly, from a cap of £500,000 to the same level as under GDPR. This means any failures involving marketing (cookie use, email / SMS broadcasting, telemarketing, etc.) could lead to fines of up to £17.5m or 4% of global turnover. The ICO are very active in issuing PECR fines, so any organisation undertaking mass direct marketing should carefully review its activities.
Data Subject Access Requests: a controller will only need to provide information in response to a DSAR based on “reasonable and proportionate” searches. The one calendar month “clock” does not start until the controller has been able to confirm the identity of the data subject.
Data Protection Complaints Mechanism: complaints must, in the first instance, be directed to the data controller, who must have a complaints procedure in place and keep a full record of complaints received. Controllers must acknowledge complaints within 30 days and respond without undue delay. If they fail to address the complaint, it can be escalated to the ICO, who may look at it far more seriously because the initial “triage” was unsuccessful.
Children and Online Services: if you provide an online service that is likely to be used by children, the DUA Act 2025 explicitly requires you to take their needs into account when you decide how to use their personal data. Much of this should already be addressed if you conform to the ICO’s Age Appropriate Design Code (AADC).
Research Provisions: the DUA Act 2025 makes it clearer when you can use personal information for the purposes of scientific research, including commercial scientific research. It clarifies that people can give “broad consent” to an area of scientific research.
Privacy Notices: you can re-use people’s personal data for scientific research without giving them a privacy notice if the effort involved would be disproportionate. As long as you protect their data throughout and publish a privacy notice on your main website, the privacy notice does not have to be served directly.
Next Steps
As with any significant changes in legislation, we understand there will be uncertainty on how these changes impact companies in reality, and how to implement them effectively. That’s where the Privacy Helper Team come in. We have tracked the journey of this Bill carefully since October and can explain the changes in real terms to your organisation.
To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data protection compliance within your business.