Understanding the Data (Use and Access) Act 2025: a new era in data protection and governance
- Privacy Protect Group Ltd.
- Jun 19
Updated: Jul 23

The Data (Use and Access) Bill officially received Royal Assent on 19th June 2025, marking a significant shift in the UK’s data protection landscape. Now known as the Data (Use and Access) Act 2025 (1) (DUAA 2025), this new legislation brings both exciting opportunities and important responsibilities for organisations handling personal data.
The DUAA 2025 is designed to strike a balance between innovation and privacy protection, providing clearer guidelines for businesses while offering more flexibility in how data is used. However, with these changes come new obligations, and it is crucial for organisations to adapt their data governance practices to ensure ongoing compliance.
In this blog, we’ll break down the key changes and outline practical steps you can take to prepare for the DUAA 2025’s impact, ensuring that your organisation is not only compliant but is also fostering trust and respect for user privacy.
1. Embrace the shift in data governance
The DUAA 2025 is more than just a compliance framework; it is an invitation to rethink how organisations handle personal data. The new Act calls on organisations to evolve how they govern data in order to strike the right balance between data-driven innovation and robust privacy protection.
While the Act offers greater flexibility in some areas, it also places significant responsibility on businesses to embed data protection into their operational culture. The key to success is not waiting for enforcement action but proactively using the new rules as an opportunity to reinforce data governance practices and strengthen public trust.
2. Checklist: which Data (Use and Access) Act 2025 changes to focus on
Here are the top areas organisations need to focus on to ensure compliance under the DUAA 2025:
Lawful Basis for Processing. The DUAA 2025 introduces a significant change: “recognised legitimate interests” as a lawful basis for processing. This allows for greater flexibility but requires organisations to ensure they are assessing and justifying these interests appropriately. It's vital to integrate this into your internal processes to ensure transparency and fairness.
Complaints Handling. The DUAA 2025 mandates that all organisations implement a formal complaints handling process (more on this later). This process must be clearly documented, offering users a simple, effective way to raise concerns. Failure to comply could not only lead to legal repercussions but may also erode trust in your organisation. Make sure that your complaints handling procedure is user-friendly and accessible.
Automated Decision-Making. Some restrictions around automated decision-making have been loosened under the DUAA 2025. However, this means organisations must reassess their risk thresholds and ensure that safeguards are in place to mitigate potential harm caused by automated decisions. Review your processes for decision-making algorithms and ensure that they are still fair, transparent, and accountable.
Children’s Data. If your business or service targets minors or could be accessed by children, you will now need to meet enhanced safeguards when handling children’s data. These provisions are stricter to protect younger users, so it’s essential to update your data protection practices to comply with these new standards.
3. Revisit your cookie strategy
One of the most discussed aspects of the DUAA 2025 is its flexibility on consent, particularly when it comes to cookies. Under certain conditions, consent requirements for cookies have now been relaxed. This provides an opportunity for businesses to redesign their cookie banners, update their transparency language, and refine technical implementations to make them more user-centric. The emphasis is now on demonstrating respect for user autonomy, not just ticking a compliance box.
4. Review your marketing practices
If your organisation is in the charity sector, the DUAA 2025 introduces new provisions that allow certain communications (such as email) to be sent without prior consent.
However, this only applies within a well-defined set of circumstances. It’s crucial to revisit your marketing practices, especially around consent, and ensure that you understand the new boundaries for communication.
5. Data protection complaints: a core component of customer service
The DUAA 2025 underscores the importance of integrating data protection complaints into your broader customer service framework. It’s not just about being compliant; it’s about actively creating accessible, user-friendly routes for individuals to express their concerns. Handling data protection complaints effectively and transparently can go a long way in fostering trust and demonstrating your commitment to privacy.
6. Re-assessment of DPIAs and governance structures
The DUAA 2025 encourages a more proportionate, context-sensitive approach to Data Protection Impact Assessments (DPIAs). This means that rather than using a one-size-fits-all approach, your DPIAs should now be tailored to the specific risks and benefits associated with each data-processing activity.
To align with this shift, review your governance structures and DPIA processes to ensure they are agile and adaptable. You may want to link your DPIA process with benefits realisation frameworks to showcase tangible value, not just risk mitigation. This shift could also help align privacy efforts with business goals, promoting an ethical, value-driven approach to data use.
7. A people-centred approach to compliance
At its core, the DUAA 2025 is about striking a balance between compliance and ethical data practices. It’s not just about ticking boxes; it’s about integrating privacy into the DNA of your organisation and demonstrating a genuine respect for the individuals whose data you process.
The DUAA 2025 provides a unique opportunity for businesses to build trust and develop data strategies that are not only legally compliant but also people-centred. This is a chance to lead by example in fostering resilience and ethical growth, ultimately driving better relationships with customers and stakeholders.
Conclusion
The Data (Use and Access) Act 2025 offers businesses both challenges and opportunities. The best way to prepare is not to wait for enforcement but to take proactive steps to review and refine your data protection practices now. By embedding data protection into the heart of your operations, updating your policies, and ensuring your team is trained on the revised requirements, you can not only comply with the law but also enhance trust and transparency with your users.
Let’s use this shift as a catalyst for positive change in data governance, fostering a future where both innovation and privacy coexist seamlessly.
References
(1) HM Government, (2025). Data (Use and Access) Act 2025. Available at: https://www.legislation.gov.uk/ukpga/2025/18/introduction/enacted (Accessed: 19 June 2025).