On 19 June 2025, the UK’s Data Use and Access Act (DUAA) 2025 received Royal Assent, marking an evolution in the country’s data protection framework. Rather than replacing existing laws, the DUAA amends key legislation including the UK GDPR, Data Protection Act (DPA) 2018, and Privacy and Electronic Communications Regulations (PECR). The Act aims to strike a balance between safeguarding individual rights and enabling innovation and economic growth.
The majority of changes introduced are set to be phased in between June 2025 and June 2026. Among the most notable are clarified rules for scientific research, including the ability to rely on broad consent and reuse personal data without direct privacy notices in certain cases. The DUAA also introduces a new ‘recognised legitimate interests’ lawful basis for processing data, providing a presumption of legitimacy for certain activities with public or business benefit. Moreover, it simplifies the rules on automated decision-making and relaxes some cookie consent requirements, allowing certain uses without prior approval. Further, subject access request response timeframes and expectations are clarified, with organisations needing to make ‘reasonable and proportionate’ searches¹.
The Information Commissioner’s Office (ICO) has already responded with updated guidance and a phased approach to future resources². From an enforcement perspective, the Act provides the ICO with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under PECR.
You can track the ICO’s publications and plans for guidance and resources here.
In the upcoming months, we can expect the ICO to release³:
- detailed guidance on right of access;
- updated codes of conduct and certification guidance;
- an interactive tool on substantial public interest conditions;
- updated clarification on the definition of consent under the DPA; and
- public consultations on complaints guidance, international transfers, and the new lawful basis of recognised legitimate interest.
For companies, the DUAA presents both opportunities and responsibilities. For businesses already compliant with the UK data protection regime, immediate wholesale changes to compliance programmes are unlikely. However, it would be prudent to review data governance practices, assess where new provisions may apply, and prepare for phased implementation through 2026. Staying proactive and on top of updates to guidance will ensure compliance and unlock the potential benefits of a more innovation-friendly data regime.
While we frame these changes under the DUAA as evolutionary, there is arguably a quiet revolution underway. Of particular interest will be how organisations embrace the shifts affecting data-driven R&D—especially the adjustments to legitimate interests and data re-use provisions. Though these changes may appear minor, their potential impact is substantial, as they are crafted to better support data-driven innovation. Stay tuned as we continue to unpack the key developments and what they mean for your organisation.
Special thanks to Kayan Sayeed for their valuable contributions to this post.
1 https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes
3 https://ico.org.uk/about-the-ico/what-we-do/our-plans-for-new-and-updated-guidance/