How the Data Use and Access Act 2025 changes UK Data Protection law


At a glance

The Data Use and Access Act (DUAA) has several purposes:

  1. Enable data sharing across industry through ‘Smart Data Schemes’, like open banking.
  2. Set standards for Digital Verification Services (‘DVS’).
  3. Make provision for the National Underground Asset Register and the register of births and deaths.
  4. Make changes to Data Protection and ePrivacy regulations.
  5. Update the Information Commission.

For the purposes of this article we will focus on some of the changes under item 4.

Data Protection & ePrivacy – what has changed?

Depending on your organisation you will have different interests in this new law. As we specialise in helping commercial organisations we will focus on the items that we think are of particular interest to these organisations.

One key consequence of the changes is that UK Data Protection law now looks like: UK GDPR + Privacy and Electronic Communications Regulations (PECR) + Data Protection Act 2018 + DUAA.

Marketing & Cookies

The definition of Direct Marketing has been encoded in the DUAA as: the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.

You may already be familiar with PECR, the regulations that cover email and telephone marketing as well as cookies. The DUAA adapts PECR to make some interesting changes.

You no longer need to obtain consent for cookies used for statistical purposes or for personal preferences, but you must provide a free-of-charge method to opt out.

This change fits the general theme we have seen across European regulators, who do not regard statistical cookies (i.e. those that count how many people have visited your website) as a type of cookie that causes significant harm to people. You are still required to obtain consent for your marketing cookies and trackers.

The inclusion of personalised preferences is interesting. We recommend interpreting this narrowly, to cover things like the visitor’s language preferences, as opposed to your personalised content campaigns.

Whilst there may be grey areas between these two concepts, remember that things like language preferences are typically set by the user, whereas personalisation is generally based on profiling data and used for marketing purposes, which are still bound by the rules of the UK GDPR. It stands to reason that the more preferences you let the user select for themselves, the more easily you can change your website’s appearance to match their personal preferences.

If you work for a charity, some good news is that you can now leverage the ‘soft opt-in’ rules. These allow you to send marketing communications to people on the basis of opt-out rather than opt-in consent.

Remember that you need to meet the ‘soft opt-in’ conditions: the contact details must have been obtained during the ‘course of a sale’ (e.g. when the person registers interest or attempts to donate), and you must give the person the opportunity to opt out at that time and in every communication thereafter.

Recognised legitimate interests

Under the DUAA we now have more recognised legitimate interests. These are types of processing that can be conducted under the ‘legitimate interests’ lawful basis.

These interests include:

  1. Direct marketing*
  2. Intra-group data sharing
  3. Information security
  4. National security
  5. Emergencies
  6. Crime
  7. Safeguarding vulnerable individuals

*Remember that people still have an unequivocal right to object to their data being used for marketing purposes, so you will need to continue to offer the right to opt out of Direct Marketing.

We may get more recognised legitimate interests in future, as the DUAA allows Ministers to legislate for further recognised legitimate interests.

Data Rights

You will no doubt be familiar with Subject Access Requests (SARs), by which people request the information you hold about them.

The DUAA puts into law guidance already provided by the ICO on the timescales for delivering data and the extent of the search organisations have to conduct to find the data.

Typically you have one calendar month to respond to a SAR. However, there are often times when you need to obtain more information to process a SAR, such as confirming the identity of the requester or seeking more detail to help you locate the data the person is seeking. The DUAA allows organisations to stop the clock from the moment that information is requested until the moment it is received.

The DUAA also encodes previous ICO guidance that organisations need only to conduct a ‘reasonable search’ for data. It is for the organisation to determine what is ‘reasonable’ when searching for data for SARs.

Children’s Data

There is a recognition that children need a higher standard of protection for their personal data and that organisations need to demonstrate how they are protecting this vulnerable group. This emphasises the necessity of complying with the regulator’s Age Appropriate Design Code.

Research, Archiving, and Statistical (RAS) purposes

There is a big push in the DUAA to enable data processing for RAS purposes. Commercial organisations will be pleased to see that their commercial research is counted as falling into the RAS purposes.

Organisations can further process personal data for RAS purposes provided they have implemented appropriate safeguards, such as informing people that their data is used for these purposes.

Automated decision making

The DUAA expands the use of solely automated decisions to more purposes but still requires safeguards to be in place, such as a person being able to request human involvement.

The DUAA allows the processing of special category data (e.g. health data) for automated decisions provided it is necessary to enter into a contract or is required by law.

There is much more to unpack in the DUAA than we have managed to fit into this article. For more information about how we can help you comply with data protection law, please contact hello@tecplus.co.uk