Updates to Data Protection: Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 (“DUA Act”) is a long-awaited legislative change intended to simplify data protection laws. Although the changes do not overhaul the current data protection legislation in its entirety, they affect how individuals’ personal data will be processed.
Data protection in the UK is currently governed by three key authorities:
- The Data Protection Act 2018 (“DPA”);
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”); and
- The UK GDPR.
This article will discuss some of the ways in which these authorities have been amended, as well as the introduction of some key frameworks intended to regulate future procedures and technological change. Please note that we do not cover all of the amendments in this article.
Changes made by the DUA Act:
1) Digital Verification Services (“DVS”)
The Secretary of State must publish a framework concerning the provision of DVS. This could have a major impact on how individuals and businesses interact with services such as electronic signatures and right to work checks.
The main intention of the DVS framework is to enable data controllers and processors to reduce the amount of personal data they hold, thereby reducing the risk of data leaks, and to ensure that providers of DVS comply with current data protection regulations.
2) Responding to data subject access requests
The rules for responding to subject access requests have been amended so data controllers only need to carry out “reasonable and proportionate” searches within “one calendar month” in order to comply with any such requests. Furthermore, data controllers will be able to effectively ‘stop the clock’ on the time limit where they require additional information from a data subject (such as the verification of their identity).
3) Complaints
Under the DUA Act, organisations must establish straightforward and accessible complaints processes, including the introduction of a specific complaints form and a clear requirement to respond within 30 days.
4) Collection of cookies
The DUA Act introduces a number of exemptions to the rules on accessing information stored on a data subject’s computer by way of cookies. This means data can be accessed without the user’s consent for the purposes of improving the functionality and appearance of a website or collecting data for statistical purposes (depending on the user’s preferences). However, the website operator must give the user the option to object to data being accessed in this way.
This ‘soft opt-in’ approach has also been extended to charities, allowing them to send direct marketing communications to users who have previously engaged with or expressed an interest in the organisation. This will allow charities to further their charitable objectives by directly seeking support from users who are likely to assist them.
5) Increased fines and powers
A key change to note is the increase in the fines that can be imposed for breaching the PECR. Fines have been raised from £500,000 to £17.5m or 4% of an organisation’s annual turnover (whichever is higher) for serious breaches. This brings the PECR fines in line with the current UK GDPR levels.
In addition, regulators are granted enhanced powers to conduct audits and inspections, including the ability to require organisations to provide evidence of compliance with data subject access requests, legitimate interests assessments, and data sharing protocols.
6) Recognised legitimate interests
There has also been clarification of when processing data is necessary for the performance of a task carried out in the public interest. This will remove the need for some organisations to carry out legitimate interest assessments. The UK GDPR has traditionally been fairly vague in its guidance on this issue; however, the DUA Act includes a non-exhaustive list of circumstances in which certain organisations, such as the NHS or law enforcement, can lawfully process data in the public interest. These include safeguarding vulnerable victims and fraud prevention.
For processing activities not on the recognised list, organisations must continue to conduct a balancing test to ensure that their interests do not override the rights and freedoms of data subjects. The DUA Act provides more structured guidance on how to conduct and document this assessment.
7) International data transfers
The Secretary of State is required to introduce new regulations which will determine when the transfer of personal data abroad will be lawful. Although these regulations have not yet been introduced, the DUA Act sets out key considerations regarding the circumstances of the overseas country that must be taken into account when deciding whether a transfer of data is lawful. These include:
- Relevant international obligations;
- Data protection regulations;
- The rule of law; and
- Human rights.
Next steps
Although not all of the changes come into force immediately, businesses should start to review their internal policies and procedures to ensure they will be compliant with the DUA Act:
- Review your privacy and cookie policies;
- Make sure any responses to subject access requests are reasonable and proportionate;
- Undertake a full review of internal policies and training requirements and update these as relevant to comply with the new rules; and
- Keep an eye out for new regulations relating to overseas data transfers.
If you require any advice in relation to data protection, or how the new legislative changes will affect your business, please contact the Geldards commercial team.