- 20 June 2025
- Privacy and Data Protection
The UK’s data protection framework is about to undergo its most significant change since the UK GDPR came into force. After months of parliamentary debate, the Data (Use and Access) Act 2025 (‘DUAA’) has successfully passed through both Houses of Parliament and has just received Royal Assent on 19 June 2025. This long-anticipated Act is not a dramatic overhaul of existing law, but rather a refinement of it. Its purpose is to provide clarity, remove unnecessary administrative burdens, and ensure the UK’s data regime works both for organisations and for individuals in the digital economy.
In short, the Act represents an evolution. Nevertheless, for businesses processing personal data, it’s a crucial development that will require careful attention, particularly for those engaged in scientific research, direct marketing, and automated decision-making, or handling international data transfers.
This article will explore the key changes that the DUAA introduces and explore what these mean for business compliance in practice.
Key changes introduced by the DUAA
- Definition of Scientific Research
One of the more welcome developments in the Act is the introduction of a clearer and broader definition of scientific research for data protection purposes. For some time, there has been uncertainty about what qualifies as “scientific research” under the UK GDPR, despite its importance in providing certain exemptions from data processing restrictions. The DUAA addresses this by defining scientific research as “any research that can reasonably be regarded as scientific and conducted in the public interest.”
This is a pragmatic move, aligning the UK GDPR with the interpretations already used in regulatory guidance and case law. By formalising this broader definition, the Act should ease compliance burdens for research organisations, academic institutions, and even private companies conducting research. It also opens up new opportunities for innovation, particularly in sectors like healthcare and technology, where the boundaries between commercial and public interest research can often blur.
- Clarification of the Purpose Limitation Principle and Further Processing
For many organisations, one of the trickiest areas of GDPR compliance has been navigating when and how personal data collected for one reason can be reused for another. The so-called “purpose limitation principle” has always required that further processing be compatible with the original purpose. But what does compatible really mean?
New Article 8A
The DUAA tackles this by setting out a new Article 8A, which establishes clear circumstances where further processing will be deemed compatible with the original purpose. These include situations where:
- the data subject gives fresh consent;
- the processing is for research or archiving; or
- the processing serves the public interest or relates to crime prevention or safeguarding.
This clarity is significant. It offers businesses a stronger legal foundation when reusing data, especially where there is a strong public or societal benefit. However, controllers must still ensure that they meet transparency obligations (unless specific exemptions apply) and should document decisions carefully to demonstrate compliance.
- Changes to Lawful Bases for Processing (Legitimate Interests)
Perhaps one of the most practical changes in the Act is the introduction of a non-exhaustive list of “recognised legitimate interests” that controllers can rely upon for lawful data processing. ‘Legitimate interests’ is one of the common bases relied upon for processing personal data. Previously, controllers had to undertake a three-part test to balance their legitimate interests against the rights of individuals, often a subjective and cautious process.
Now, with Annex 1 to the UK GDPR providing examples of recognised legitimate interests, including national security, emergency response, and crime prevention, controllers have greater certainty when relying on legitimate interests as a basis for processing. While this doesn’t remove the need for careful assessment, it does simplify compliance for organisations operating in sectors where these purposes regularly apply, such as public services, security, or regulated industries.
For businesses engaged in direct marketing, the Act’s explicit recognition of marketing as a legitimate interest is especially helpful. However, this recognition doesn’t eliminate the need to respect individual rights, including providing clear opt-out options for data subjects.
- International Data Transfers
International data transfers have long been a sticking point for UK organisations, particularly since Brexit, as maintaining the UK’s adequacy status with the EU is critical for many businesses with European links. Traditionally, adequacy decisions have required a high degree of equivalence between the UK’s data protection regime and that of the recipient country.
The DUAA moves to a risk-based approach by introducing a new “data protection test” whereby the Secretary of State will assess whether a third country’s data protection is “not materially lower” than UK standards. This subtle shift recognises that insisting on identical protections is often unrealistic in an increasingly globalised world. Instead, it focuses on whether differences in legal frameworks actually present meaningful risks to individuals’ data rights.
For businesses, this could simplify lower-risk international transfers, reduce red tape, and encourage cross-border trade. However, organisations handling sensitive or large-scale international data flows will still need to remain alert to evolving adequacy decisions and ensure appropriate safeguards remain in place. We would recommend that organisations have a
- Data Subject Access Requests (DSARs)
DSARs are an important data subject right but have often been a source of frustration for both businesses and individuals. For organisations, managing broad or unclear requests can be time-consuming and resource-intensive, while individuals sometimes face delays or inadequate responses.
The DUAA introduces two helpful clarifications. First, it provides a statutory basis for “pausing the clock” while awaiting further information from the requester, formalising what has until now been ICO guidance. Second, it confirms that searches need only be “reasonable and proportionate”, helping organisations set clear, defensible boundaries on how far they go to find requested data.
Importantly, the Act also introduces a new complaints procedure, requiring individuals to first complain to the data controller before escalating to the ICO. This should give organisations a fair chance to resolve disputes before regulatory involvement, encouraging more effective internal governance.
- Automated Decision-Making (ADM)
As artificial intelligence (AI) increasingly permeates decision-making processes, the law around automated decision-making needed updating. Currently, under Article 22 of the UK GDPR, individuals have the right not to be subject to solely automated decisions that have legal or similarly significant effects, with only limited exceptions.
The DUAA proposes to replace this provision with a more flexible regime, allowing for broader use of ADM in low-risk scenarios, provided that appropriate safeguards are in place. This is a clear signal of the UK’s intent to create a data framework that is AI-friendly while still upholding fundamental rights.
For businesses using AI for recruitment, credit assessments, or customer profiling, this change provides new opportunities, but it also brings new responsibilities. Organisations will need to invest in transparent decision-making systems and ensure robust governance to manage risks.
- Digital Verification Services (Digital ID)
The DUAA also recognises the growing need for secure digital identification systems by introducing a framework for Digital Verification Services (DVS). This framework will include publicly available registers, codes of conduct, and the introduction of a trust mark to demonstrate compliance.
If implemented well, this could transform how businesses verify customers’ identities, reducing reliance on cumbersome paper-based processes and enhancing trust in digital services. It also has potential relevance for sectors like financial services, property, and online marketplaces, where verifying identity securely is essential.
- Strengthened Enforcement and Penalties
One of the most striking changes is the alignment of penalties under PECR with those of the UK GDPR, raising the maximum fine from £500,000 to £17.5 million or 4% of global turnover (whichever is higher). This is a substantial increase and highlights the government’s intent to take compliance with marketing rules, particularly around cookies and direct marketing, more seriously.
For businesses engaged in email marketing, SMS campaigns, or web analytics, this change is a wake-up call to review practices and ensure robust consent mechanisms are in place. With the ICO already deploying automated scanning technology to detect cookie breaches, enforcement action is likely to become more proactive, and organisations should be alive to the potential financial and reputational repercussions.
- Protection of Children’s Data
Children’s privacy is an area of growing regulatory focus, and the DUAA addresses this by requiring that higher protection standards are applied by services likely to be accessed by children. This is in line with broader trends, including the ICO’s Children’s Code, but formalising these obligations in primary legislation gives the ICO stronger grounds for enforcement.
Organisations providing digital services to young users, whether educational apps, gaming platforms, or online marketplaces, should review their platforms carefully to ensure they are child-friendly by design.
What does this mean for your Business?
For most businesses, the DUAA represents a steady refinement of the UK’s data protection framework rather than an overhaul. However, that does not mean that organisations should become complacent. The increased penalties for PECR breaches, in particular, raise significant risks for those involved in marketing and online services.
Perhaps most importantly, the Act reflects the UK’s attempt to balance regulatory certainty with innovation, particularly in areas like AI, scientific research, and international trade. For businesses, this means there are opportunities as well as obligations.
We would strongly recommend that organisations prepare for these changes by:
- Conducting a review of internal policies and privacy notices.
- Refreshing direct marketing practices to mitigate enforcement risks.
- Preparing for AI-related transparency obligations.
- Implementing robust procedures for DSARs.
- Implementing a complaints procedure (if they do not have one in place already) and remaining compliant with the response timeframe.
Ultimately, the DUAA brings clarity and opportunity but also underscores the need for ongoing vigilance in data protection compliance. With the right preparation, businesses can position themselves to benefit from this next phase in the UK’s data privacy landscape.
If you need any assistance with implementing the changes above, please do not hesitate to contact one of our experienced data protection lawyers.
About this article
Subject: Data Protection reform receives Royal Assent: What is the Data (Use and Access) Act 2025 (DUAA) and what it means for your business
Expertise: Privacy and Data Protection
Published: 20 June 2025
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.