
DUA — how to prepare for the UK’s new data privacy regime

Authors: Eleanore Beard, Emily Rickard

The Data (Use and Access) Bill received Royal Assent on 19 June 2025 and is now known as the Data Use and Access (DUA) Act. Designed to amend the UK’s existing data privacy regime, the DUA Act will harness the power of data for economic growth, support a modern digital government and ultimately improve people’s lives.

Importantly, since DUA will amend three existing laws — UK GDPR, PECR and the Data Protection Act 2018 — its implementation will require businesses to revisit and refine their general data protection compliance, processing activities and policies. Particular attention should be paid to direct marketing practices, as significantly larger fines will apply for non-compliance. 

Although many of the provisions aren’t yet in force, it’s important for all businesses to be ready. The changes started being phased in from June 2025 and this will continue until August 2026.  

Here, Eleanore Beard and Emily Rickard from our data protection team delve into the key changes and explain how businesses should prepare.


DUA — key changes to UK data privacy laws explained  

1. UK GDPR

Changes to the lawful bases for processing

The existing legislation has six lawful bases for processing personal data (non-special category data) under Article 6. 

These are: 

  1. Consent.
  2. Contract.
  3. Legal obligation.
  4. Vital interests.
  5. Public task.
  6. Legitimate interests.


The DUA Act introduces a new “recognised legitimate interests” lawful basis. Businesses can rely on a recognised legitimate interest without needing to conduct a balancing test. 

The new recognised legitimate interest basis applies to: 

The DUA Act also allows you to re-use personal data where the purpose is compatible with the original purpose without having to undertake a compatibility test. 


Data Subject Access Requests (DSARs)

The DUA Act clarifies that a controller is only required to carry out reasonable and proportionate searches. 

This includes taking into consideration:


Additional rights for data subjects 

While you may already have an internal complaints procedure and advise data subjects that they can follow it for data protection concerns, the DUA Act introduces a formal process for data subjects to make complaints about how their data is being handled. 

This new formal method of complaint is different from the right to object. The complaint process will require you to investigate and respond to general data protection complaints. 

The right to object (which is retained) allows the data subject to object to the processing of their personal data in some circumstances. In marketing, this is an absolute right — meaning that you must stop processing the personal data. In other circumstances, you must only stop processing personal data if you can’t demonstrate legitimate grounds that override the data subjects’ interests. 

Businesses will be mandated to implement accessible complaints procedures (such as an online form) and respond to complaints raised within 30 days. If you don’t currently have a complaints process, you should implement a way for individuals to make a complaint about how you use their personal information, and this extends to complaints about data subjects’ rights. 

You may also be required to report to the ICO (Information Commissioner’s Office) on the number of complaints made to your organisation.


Definition of scientific research

Under the existing UK GDPR framework, special category personal data may be processed for scientific research purposes — provided that the appropriate consent is obtained. 

The DUA Act broadens the definition of ‘scientific research’ to explicitly include both private and commercial research activities. It also clarifies that an individual can give a “broad consent” to an area of scientific research. 


Adequacy standard for international data transfers 

The DUA Act changes the standards for international data transfers from the EU’s “essentially equivalent” standard to a lower “not materially lower” threshold. 

It’ll specifically allow the UK Government to recognise third countries, territories and sectors (countries outside of the UK without an adequacy decision) as providing adequate protection for personal data — provided that the overall level of protection is assessed as essentially equivalent to the levels of protection within the UK. 

However, businesses must be aware that where there’s a mix of UK nationals’ and EU nationals’ data within the dataset, the transfer needs to be carefully considered in light of the amendment. EU nationals’ data will also be subject to the EU GDPR requirements.

Reducing the standard for adequacy could cause concern in Europe. The European Commission is undertaking a review of the UK’s adequacy decision in light of this amendment and may decide that the UK won’t get an adequacy decision. 

If you’re making any international transfers that include EU nationals’ data, you should carefully consider this transfer and whether it’s lawful. 


Automated decisions 

The DUA Act will also reduce the restrictions on the use of automated decision making, opening up the lawful bases that you can rely on — including legitimate interests — so long as you adhere to the safeguards. These include providing transparency about the significant decisions made, enabling the data subject to make representations about and challenge the decision and enabling the data subject to have human intervention. 

The change doesn’t apply to “special categories” of personal data (such as health data, biometric data, race or ethnic origin, sexual orientation and religious or political beliefs).

If you provide online services for children, you’re required to consider their needs when deciding how to use their personal information. You should also adhere to the ICO's children's code.


2. PECR

ePrivacy — cookies & marketing 

The DUA Act strengthens PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) enforcement by aligning its penalty regime with the UK GDPR. This means that there’ll be a dramatic increase in the fines imposed for breaches of PECR. 

The maximum fine for cookie-related non-compliance under PECR is now £17.5m or 4% of an organisation’s total annual worldwide turnover. 

However, despite the higher penalty the DUA Act does introduce more flexibility around consent. It’ll lessen the burden on organisations in relation to cookie requirements with the removal of the consent requirement under PECR in respect of cookies placed for certain specified purposes. 

Explicit consent is no longer required for non-essential, low-risk cookies (such as certain analytics and functionality cookies) provided that users are given clear and sufficient information about their use and are offered an opt-out mechanism. You’ll still need to assess the privacy impact of the cookie by conducting a proportionality test. 

The DUA Act has also amended the PECR legislation to allow charities to use the soft “opt-in”. This allows marketing to be sent to people who’ve shown an interest in the charity.


3. ICO reform

The DUA Act will further:

The ICO can now also issue notices extraterritorially, enhancing its global regulatory reach. 


Next steps for businesses

To stay fully protected, all businesses should review their current data protection and cybersecurity measures to ensure compliance with the new frameworks.

Our data protection experts can help you to review and update your privacy frameworks to reflect the changes to subject access requests, automated decision-making and cookie consents. Our team includes Data Protection Practitioners and senior commercial solicitors who understand your operating environment and regulatory drivers.

We can help you to assess your current lawful bases and consider whether one of the recognised legitimate interests could be applied. We can also confirm the lawful basis for the automated decisions made where special category data is involved and ensure that your data protection impact assessment (DPIA) is updated to cover the new criteria. 

Our team can further assist with structuring and implementing an appropriate complaints process and assist you in responding to complaints. 

We regularly provide bespoke training to update your teams on key data protection issues. We’ll review your current data protection practices and tell you how to fix any gaps. We can additionally provide training on data protection law and trends in the form of on- or off-site interactive workshops, seminars, webinars and more.

If you need advice, we’re here to guide your full journey to compliance with the new data privacy regime.

Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.

Emily Rickard

Emily is a Trainee Solicitor.

Eleanore Beard

Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.