Introducing the UK Data (Use and Access) Act 2025 (DUAA)

The Data (Use and Access) Act (DUAA) represents the UK's first significant data protection reform since Brexit. It seeks to reshape the UK's data protection landscape whilst maintaining compatibility with EU standards to preserve seamless EU-UK data transfers.

What is the Data (Use and Access) Act?

The DUAA comprises three core pillars:

  1. reforming the UK GDPR framework

  2. establishing new mechanisms for business and customer data sharing

  3. creating a digital identity verification framework

Its goal is to enable data to be used and accessed to grow the economy, improve public services and make people's lives easier. Unlike wholesale reform that might jeopardise the UK's EU adequacy status, however, the DUAA adopts a more nuanced approach. It seeks to modernise UK data protection law whilst preserving the essential compatibility with EU standards that businesses rely on for international operations. The EU decision on adequacy of the UK regime comes up for renewal on 27 December 2025.

Practical Actions for Businesses

We have set out below a detailed summary of the key changes introduced by the DUAA as well as some sector-specific considerations, but these are the main actions for businesses to consider in light of the DUAA:

  • review internal policies and procedures, particularly in relation to when legitimate interest assessments are required and to automated decision making
  • review DSAR guidance and procedures to ensure that there is appropriate record keeping and application of exemptions
  • establish a clear data subject complaints submission mechanism and publicise it
  • review cookie banners and notices to take statistical / functionality improvement cookies out of scope for cookie consents
  • privacy notices may need to be reviewed to account for changes in processes and procedures
  • review the business model opportunities and threats arising from the wider provisions of the DUAA that go beyond GDPR / PECR reform

Organisations should also monitor the outcome of the European Commission's adequacy review in relation to the UK. Loss of adequacy status would fundamentally alter the compliance landscape for any organisation transferring data between the EU and UK, potentially requiring implementation of Standard Contractual Clauses or other transfer mechanisms as well as transfer risk assessments for EU-UK data transfers.