Business Reporter

The UK Data Use and Access Act

Anita Hodea at Katten Muchin Rosenman LLP outlines the Act, explains what’s changed and illustrates how it impacts UK businesses


The Data Use and Access Act 2025 (“DUAA”) introduces modest reforms to UK data protection law by amending the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (“PECR”). The reforms span several key areas:

Recognised legitimate interests.

Introduces a seventh lawful basis: “recognised legitimate interests”. This permits processing for specific, high-priority purposes, such as national security, public security, defence, crime prevention or detection, safeguarding vulnerable individuals and emergency response, without requiring the usual balancing test against the individual’s rights and interests.

While these recognised purposes do not require a formal Legitimate Interests Assessment, the other principles, such as transparency, still apply. Separately, the DUAA amends the standard legitimate interests basis by listing, as statutory examples of processing that may be necessary for a legitimate interest, common activities such as direct marketing, intra-group transfers for internal administrative purposes, and network and information security. For businesses, these changes provide greater flexibility when processing personal data and reduce documentation burdens.

Automated decision-making.

Relaxes restrictions on certain forms of automated decision-making (“ADM”). Previously, solely automated decisions with legal or similarly significant effects on individuals were prohibited unless one of three narrow exceptions applied: the decision was necessary for a contract, authorised by law, or based on explicit consent.

The DUAA now permits such decisions under any lawful basis, including legitimate interests, provided appropriate safeguards are in place. These include informing individuals that a significant decision has been made solely by automated means, and giving them the ability to make representations, contest the decision and obtain human intervention.

Crucially, this relaxation does not extend to “special category data” (e.g., racial or ethnic origin, religious beliefs, health, trade union membership or political opinions). Solely automated significant decisions based on such data remain prohibited unless the individual has given explicit consent, or the decision is necessary for a contract or required by law and the substantial public interest condition is also met. This change is expected to ease compliance challenges where algorithms or artificial intelligence tools are used for ADM in areas such as recruitment.

Subject access requests.

Codifies existing case law and regulator guidance on handling subject access requests. Organisations may formally “stop the clock” on the statutory one-month deadline while seeking clarification from a requester, and searches need only be “reasonable and proportionate”. The “reasonable and proportionate” limitation has retrospective effect and is treated as having come into force on 1 January 2024.

These changes provide businesses with greater clarity and flexibility when responding to complex requests, allowing time to seek clarification without breaching deadlines and ensuring that search efforts remain proportionate to the circumstances.

PECR enforcement and cookies.

Aligns PECR enforcement powers with the UK GDPR, increasing the maximum fine for cookie and direct marketing breaches from £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher. PECR’s storage and access rules now expressly cover any technology that stores or reads information on a user’s device, not just cookies, so techniques such as device fingerprinting and email tracking pixels fall within scope. New exemptions from the consent requirement are introduced for low-risk purposes such as statistical (analytics) purposes, appearance and functionality preferences, and emergency assistance, though, at least for the statistical and appearance exemptions, users must still be given clear information and a prominent, simple means to object.

For businesses, the significantly increased penalties elevate the risk profile of marketing non-compliance, while the new exemptions offer some relief for low-risk tracking activities.

International transfers.

Replaces the previous “essentially equivalent” standard for international data transfers with a new “data protection test”. Personal data may be transferred to a third country where the standard of protection is “not materially lower” than that afforded under UK law. This outcomes-based approach is intended to simplify transfer risk assessments, though it creates a point of divergence for organisations also adhering to the EU GDPR’s stricter standard.

Regulatory structure and complaints.

Replaces the corporation sole model of the Information Commissioner’s Office (“ICO”) with a new body corporate, the Information Commission. The new structure introduces collective governance through a chair, a chief executive and further executive and non-executive members, with the chair retaining the title “Information Commissioner”. All existing regulatory functions will transfer to the new body.

From 19 June 2026, controllers must establish formal complaints-handling processes, acknowledge complaints within 30 days of receipt and respond without undue delay. The Information Commission may refuse to investigate a complaint where the individual has not first raised it with the organisation directly.

For businesses, this makes an internal complaints procedure a statutory requirement, but the regulator’s ability to decline complaints that bypass that procedure should reduce the volume of regulatory enquiries.

Children’s higher protection matters.

Introduces specific requirements for information society services likely to be accessed by children. When determining appropriate technical and organisational measures, controllers must now take into account the “children’s higher protection matters”: how children can best be protected and supported when using the service, and the fact that children merit specific protection because they may be less aware of the risks and consequences of processing and of their rights, with needs that vary by age and stage of development. Services offering preventive or counselling services are excluded from these requirements.

Businesses offering online services likely to be accessed by children should assess their design processes, age verification approaches and data protection impact assessments to ensure they adequately address these considerations.

What stage is the Act at now?

The DUAA received Royal Assent on 19 June 2025, with implementation following a four-stage commencement plan running through to summer 2026.

  • Commencement status. The most substantial data protection reforms took effect on 5 February 2026 under the Commencement No. 6 Regulations. This stage activated the majority of Part 5 of the DUAA, including the increased PECR penalties and the core UK GDPR amendments.
  • Guidance progress. The ICO has been releasing updated regulatory guidance in phases. Key updates published so far include revised “Right of Access” guidance (December 2025) and clarification of how the new international transfer rules will operate under the UK GDPR (January 2026).
  • Upcoming milestones. Several critical pieces of guidance are still in development. Final guidance on “Recognised Legitimate Interests” and updated “ADM and Profiling” advice are expected during spring 2026, alongside a statutory Code of Practice on AI and ADM. Detailed guidance on the research, archiving and statistical exemptions is anticipated by summer 2026.
  • Final implementation. The last major milestone is the complaints-handling obligation, scheduled to come into force on 19 June 2026. This one-year lead-in period is intended to give businesses time to establish the necessary internal processes and submission mechanisms.

What should UK firms be doing to comply?

UK businesses should act now to ensure their policies and practices reflect the new framework. Key areas to address:

Lawful bases.

Review processing activities against the new lawful bases. Where processing relies on recognised legitimate interests, update records of processing and privacy notices accordingly. The ICO’s draft guidance clarifies that while a balancing test is not required, the necessity test still applies and the right to object remains.

Automated decision making.

Organisations taking advantage of the expanded ADM provisions should review their ADM processes and ensure appropriate safeguards are operationalised, including transparency and mechanisms for human intervention and contestability. This reform will be especially relevant to organisations using AI-driven tools, such as for recruitment or automated eligibility assessments.

International transfers.

Assess international transfer mechanisms against the new “data protection test” and conduct formalised transfer risk assessments. The ICO’s updated guidance provides clarity on the three-step test for restricted transfers.

Complaints handling.

Establish internal complaints-handling procedures ahead of 19 June 2026. Ensure data subjects can lodge complaints directly, that complaints are acknowledged within 30 days, and that complainants are kept informed of progress and outcomes.

PECR compliance.

Review cookie consent mechanisms and direct marketing practices in light of the increased penalties. The new cookie exemptions for statistical, appearance and emergency assistance purposes are relatively narrow and, at least for the statistical and appearance exemptions, still require a prominent opt-out. Businesses should also audit practices around unsolicited emails, cold calls and SMS.

Children’s services.

Providers of online services likely to be accessed by children should audit their data protection by design measures against the new “children’s higher protection matters” duty. Organisations already conforming to the ICO’s Children’s Code are likely to comply, but should document their approach.

Anita Hodea is an associate at Katten Muchin Rosenman LLP


Main image courtesy of iStockPhoto.com and inkoly


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543