
DUAA, short for the Data (Use and Access) Act, is legislation on data protection and privacy in the UK which received Royal Assent on 19th June 2025.
It’s not to be mistaken for the 2018 UK General Data Protection Regulation Act (GDPR) or the 2003 Privacy and Electronic Communications Regulations (PECR), nor is it a replacement for either of those.
In this article, we’ll go over what the DUAA is, what’s included in it, and the key changes that this act makes.
What does DUAA mean for enterprises?
How to stay informed about DUAA
DUAA is a new Act of Parliament which amends and updates some laws on digital information matters, including the 2018 GDPR Act and the 2003 PECR. According to the Information Commissioner’s Office (ICO) and GOV.UK government guidance, DUAA intends to encourage innovation, improve economic growth, and simplify the rules for organisations. The changes give organisations room to do things differently rather than forcing definitive changes for legal compliance, and they will be phased into operation between June 2025 and June 2026.
Many of the key changes are more permissive towards organisations and their handling of user data; for example, the introduction of ‘Legitimate Interests’; the use of storage and access technologies (for example, cookies) without explicit consent in “certain, low-risk situations”; and a “stop-the-clock” rule that allows organisations to pause the response time for subject access requests if they need more information, alongside several other changes.
The key changes, as highlighted by GOV.UK, are as follows:
Organisations may make decisions based wholly on automated processes which have “legal or similarly significant effects on individuals” and make decisions in wider scenarios.
However, safeguards must be implemented which give people the opportunity to challenge decision-making regarding them. GOV.UK sets out these safeguards:
The exceptions, where the above safeguards do not have to be applied, are protecting national security and preventing the obstruction of justice.
DUAA now includes a “stop the clock” rule for organisations responding to subject access requests (a request made by an individual for a copy of their personal data). Under the DUAA, organisations can now pause their response time if they need more information from the requester.
New rules require online services likely to be accessed by children to consider how they can protect and support them when designing their services.
The DUAA recognises that ‘scientific research’ may also include commercial research. This change gives researchers broader scope for related research, with further safeguards put in place to protect personal data used within research.
With this act, there are now new legal grounds for organisations to process personal data. ‘Legitimate interests’ is a basis on which an organisation can process data it has access to without needing explicit consent, provided the reason for processing is a justifiable, real interest (hence, legitimate interest) and fundamental rights and freedoms are not infringed upon. What counts as ‘legitimate interest’ can be quite broad, even more so in a B2B context; whilst it can cover scenarios like crime prevention and emergency response, it can also cover “commercial interests, individual interests or broader societal benefits.”
DUAA simplifies the rules and clarifies the requirements for transferring personal data internationally. This is particularly helpful to SMEs, as many third-party apps and cloud software may use data processing servers outside of the UK, such as in the USA.
Under DUAA, organisations now have to handle and respond to complaints from individuals who are concerned that the way their data is being used may breach data protection legislation. This may be via an e-complaint form, followed by informing the individual of the outcome of their complaint.
Under the DUAA, organisations can now use storage and access technologies, such as cookies, without explicit user consent in low-risk scenarios.
The DUAA has also amended the Data Protection Act to help law enforcement work more efficiently and more closely with UK intelligence agencies, safeguarding national security.
As mentioned previously, the ICO and GOV.UK have stated that the DUAA will foster innovation. How so?
The clearer classification of when, and for what, personal information can be used in scientific research (which now includes commercial research), together with the clarification that users can give ‘broad consent’, means businesses have the opportunity to conduct improved research and better understand their audiences.
With the DUAA, an organisation is able to reuse personal information for scientific research without giving a privacy policy “if that would involve a disproportionate effort”, as long as users’ rights are still protected and what is being done is explained in a notice published on the website.
Barring special category data (e.g., race, ethnicity, religious beliefs, etc.), ‘legitimate interest’ can be used as a lawful basis to process personal information in order to make significant automated decisions about individuals, as long as safeguards are in place.
The DUAA also allows some cookies to be set without needing consent, such as cookies that collect information for stats and for improving website functionality.
To stay up-to-date and informed about what is happening with DUAA and what to expect, you can refer to GOV.UK’s guidance on DUAA, which gives an accessible overview of key points and changes brought by the Act.
The best resource would be the published and current version of the bill, which is available for download.
Because of the Data Use and Access Act, the Information Commissioner’s Office (ICO) is working on new guidance. They’ve also published their own guide on DUAA and go over a couple of changes that organisations can expect due to this bill.
If you’re concerned about navigating DUAA and where it starts and ends, we help SMEs with all aspects of their IT support, including ensuring data is secure and compliantly processed. Feel free to contact us for a no-obligation chat.