The Data (Use and Access) Act 2025: what this means for UK Businesses

Authors

Robert Whitaker, Executive Partner and Head of Employment Law at Tees Law

Elliot Stafford, Associate at Tees Law

Gabriella Cox, Solicitor at Tees Law, specialist in corporate and commercial law

UK data protection law has undergone some subtle but noteworthy reform through the implementation of the Data (Use and Access) Act 2025 (DUA Act). The DUA Act is largely aimed at providing clarity to the existing law. The Information Commissioner’s Office (ICO) has commented that the new legislation makes it easier for businesses to protect individuals’ personal information alongside promoting growth and innovation.

With the implementation of the DUA Act being phased between June 2025 and June 2026, it’s crucial for businesses to review their data protection practices now.

A summary of some of the key changes is provided below, as well as some recommended actions for businesses, as appropriate, to comply with the new law.

Recognised legitimate interests

To lawfully process data, organisations must satisfy one of six lawful bases, as set out in the UK General Data Protection Regulation (UK GDPR). A new lawful basis for processing personal data has been introduced by the DUA Act, namely, ‘Recognised Legitimate Interests’. These include processing personal data for national security, public security and defence purposes, to respond to an emergency, to prevent, investigate and detect crime and to safeguard vulnerable individuals.

Although businesses are still required to prove the processing is necessary, this new lawful basis removes the requirement to carry out comprehensive Legitimate Interest Assessments for the above types of processing.

Direct marketing

The DUA Act provides that ‘legitimate interests’ may be relied upon when sending direct marketing. In reality, this is unlikely to change practices around direct marketing, as businesses must still remain compliant with the Privacy and Electronic Communications Regulations (PECR) when sending direct marketing by electronic mail (email, SMS and automated calls), either by obtaining consent or by relying on the soft opt-in exemption.

For businesses that send direct marketing by post, legitimate interests may be a valid lawful basis for this processing. In these cases, a Legitimate Interests Assessment should be carried out.

Perhaps more noteworthy is that the ‘soft opt-in’ exemption for electronic direct marketing has been extended to charities. The soft opt-in means that individuals are provided with an ‘opt-out’ option rather than specifically having to ‘opt-in’ to receive direct marketing, provided certain conditions are met, including:

  • the sole purpose of the marketing is to further the charity’s charitable purposes;
  • the recipient’s contact details were obtained in the course of the recipient expressing an interest in one or more of the charity’s charitable purposes; and
  • the individual has the option to opt out in every communication from the charity.

Care should always be taken by any organisation seeking to rely on the soft opt-in for electronic marketing to adhere to the rules and requirements, particularly when considering which goods or services can be marketed in this way. If in doubt, organisations should seek legal advice: the sanctions imposed by the ICO for non-compliance, as with any breach of the GDPR, can be significant, and the ICO publishes its enforcement decisions.

Scientific research

The DUA Act allows businesses to obtain broad consent from individuals for the purposes of scientific research (as opposed to consent for a specific research purpose), where:

  • it was not possible to identify the exact purpose of the research at the time that the consent was obtained;
  • seeking consent for the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research; and
  • individuals can consent to processing for only part of the research, if they wish.

In addition, individuals’ personal data can be re-used for scientific research purposes without giving them a privacy notice, where doing so would involve a disproportionate effort for the business (as long as individuals’ rights remain protected and the privacy notice is published on the business’s website).

Automated decision making

‘Automated Decision Making’ (ADM) involves decisions made by a machine with no meaningful human involvement – an area that is rapidly developing. Previously, automated decisions that had a legal or similarly significant effect on a data subject were prohibited unless certain conditions applied. Significantly, the DUA Act states that the prohibition on ADM will only apply if the decision is based wholly or partly on special categories of personal data (the more sensitive forms of personal data, such as health, racial and religious data). This removes the restrictions on ADM based on other, non-special category, personal data. Particularly for the increasing number of businesses that use or intend to use artificial intelligence, this is a welcome relaxation of the law. Businesses must still ensure that there is a lawful basis for processing personal data and that safeguards are in place to protect it.

Subject access requests

The obligation for businesses to carry out a ‘reasonable and proportionate’ search for personal data following receipt of a subject access request (SAR) has been given statutory footing. Whilst no explanation is provided as to what constitutes a ‘reasonable and proportionate’ search, the wording provides businesses with some insight into the extent of their legal obligation.

In addition, organisations may ‘stop the clock’ during the one-month deadline to respond to a SAR to request further information from the individual making the SAR.

Data transfers outside the UK

The DUA Act has sought to ease the regulations surrounding transfers of personal data to third countries. Businesses will be able to apply a ‘data protection test’ before making data transfers to third countries, which is met if the level of data protection provided in the third country is ‘not materially lower’ than the standard provided in the UK. This differs from the current requirement of an ‘essentially equivalent level of data protection’ required in the third country, suggesting that a degree of lower data protection standards in the third country may be acceptable to permit data transfer. However, businesses must act reasonably and proportionately when applying the test. The nature and quantity of the personal data to be transferred to the third country will be relevant when doing so.

Cookies

The DUA Act allows for some cookies to be set without obtaining consent from the individual, for example, those that may be used to collect information for statistical purposes and for improving the functionality and appearance of a business’s website, provided that individuals are kept informed and they are given the ability to opt out.

Complaints procedures

The DUA Act requires businesses to provide a means for individuals to make complaints specifically relating to the use of their personal data, such as an online complaints form. Complaints must be acknowledged within 30 days of receipt of the complaint, and they must be responded to ‘without undue delay’.

Enhanced protection for children

When a business offers online services that children can access, the DUA Act requires that the business must consider the greater data protection afforded to children’s personal data, and how this can be implemented when making the online services accessible.

Changes to ICO enforcement

The ICO is to have increased enforcement powers, including the ability to require individuals to attend interviews as part of a data protection investigation. Also, the financial penalties under PECR will be increased to align with the UK GDPR, which include maximum fines of the greater of £17.5 million or 4% of the company’s previous financial year’s annual worldwide turnover.

Recommendations for businesses and organisations

The DUA Act has brought businesses clarity in some areas of data protection law, making it potentially more straightforward to adhere to the rules whilst undertaking data processing and related activities.

It is recommended that organisations review their current data protection policies and procedures to ensure they are compliant with the changes brought about by the DUA Act, as and when they are implemented, including:

  • Review the lawful bases relied upon for data processing activities and amend these where necessary, ensuring that privacy impact assessments are updated;
  • Consider whether it is necessary to obtain consent for collecting certain cookies and update the Cookies Policy where required;
  • Review policies on direct marketing and whether an ‘opt-out’ can be utilised;
  • Consider whether the business could make effective use of ADM as a means of innovation and efficiency, given the relaxation of restrictions in this area, and update privacy notices accordingly;
  • Ensure enhanced data protection measures are in place for children accessing any online services, and document these measures in a data protection impact assessment;
  • Ensure you have a data protection complaints policy and a mechanism for individuals to make an online complaint about the use of their personal data;
  • Review data transfers to third countries and update data transfer clauses in contracts, as well as risk assessments.


For businesses requiring assistance with updating their current practices, please contact Robert Whitaker at Robert.Whitaker@teeslaw.com, Elliot Stafford at Elliot.Stafford@teeslaw.com, or Gabriella Cox at Gabriella.Cox@teeslaw.com for further guidance.

The ICO is in the process of updating its guidance on data protection following the implementation of the DUA Act. In the meantime, further information can be found by following these links:
