September 2025

Navigating the Data (Use and Access) Act 2025: What It Means for Businesses

Quentin Archer Consultant Solicitor - Privacy and Data Protection
Data Protection

The Data (Use and Access) Act 2025 (DUAA) marks a significant update to the UK’s data protection framework, including targeted amendments to the UK GDPR, the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations (PECR).

Rather than a wholesale overhaul, DUAA introduces specific reforms designed to foster innovation while preserving individuals’ privacy rights.

But what are the main changes that businesses need to be aware of?

Quentin Archer, Consultant Solicitor specialising in data protection at Jurit LLP, explores.

What are the key changes in data protection law under the Data (Use and Access) Act 2025?

  1. A new lawful basis: “recognised legitimate interests”

DUAA introduces a fresh lawful basis that allows processing without the balancing test normally required when relying on the “legitimate interests” ground. It applies in public interest contexts such as crime prevention, safeguarding, emergencies, and public security.

However, where the ‘legitimate interests’ basis is used for other purposes, such as direct marketing or intra-group data sharing, a Legitimate Interests Assessment (LIA) is still required.

  2. Expanded scope for scientific research

The Act clarifies that “scientific research” encompasses both commercial and non-commercial activities. It also introduces the concept of broad consent, allowing individuals to consent to a general research area rather than specific projects.

Organisations can also reuse personal data for research without issuing fresh privacy notices where doing so would be disproportionately burdensome, as long as transparency is maintained – for instance via publicly available notices.

  3. Streamlined handling of Data Subject Access Requests (DSARs) and complaints

DUAA formalises existing ICO guidance: controllers are required to conduct “reasonable and proportionate” searches – not exhaustive efforts.

“This is very helpful for businesses, as it introduces a degree of common sense into DSAR responses. Up to now, data controllers have often felt obliged (usually because of pressure from the data subject or their advisers) to carry out lengthy and expensive searches, usually to no one’s benefit,” commented Quentin.

Importantly, the Act introduces a “stop the clock” provision: response times for DSARs pause while the controller seeks clarifications from the individual (e.g., to verify identity or refine the request), with the countdown resuming once the clarifications are received.

The Act also requires businesses to establish formal processes for handling data protection complaints from individuals, which must include making it easy to submit a complaint, acknowledging it within 30 days, and responding without undue delay after taking appropriate steps.

“This creates a new statutory right for individuals to raise issues directly with organisations, rather than going straight to the Information Commissioner,” added Quentin.

  4. Relaxed cookie consent requirements & harsher penalties

Non-essential, low-risk cookies (e.g., for analytics or site functionality) may now be deployed without explicit consent, provided users receive clear information and a straightforward opt-out mechanism.

At the same time, enforcement under PECR is tightened: fines rise to the higher of £17.5 million or 4% of global turnover, aligned with UK GDPR thresholds.

  5. Enhanced enforcement powers for the ICO

The DUAA also empowers the ICO to compel witness attendance, request technical reports, and issue significant fines – particularly under PECR.

To support these powers, the ICO is preparing statutory guidance and has initiated public consultations, including on recognised legitimate interests and data protection complaint procedures.

What impact will new data protection law have on businesses?

Although DUAA received Royal Assent in June 2025, changes are being phased in over two to 12 months.

The first provisions began in August. Businesses should closely monitor ICO guidance for commencement schedules.

Opportunities and simplification

  • Broader use of personal data for research through broad consent mechanisms.
  • Reduced burdens for DSAR handling and cookie consent management.
  • A new lawful basis that streamlines certain compliance procedures.

These reforms offer business-friendly flexibility – if used responsibly.

New Obligations

  • Establishing formal processes to handle data protection complaints by June 2026.
  • Updating privacy documentation to reflect new lawful bases and research provisions.
  • Enhancing transparency and opt-out mechanisms for low-risk data uses, while revising cookie banners and notices.

Heightened Risk & Governance Requirements

The ICO’s strengthened enforcement and larger financial penalties heighten compliance risks.

Businesses must ensure proper documentation, governance, and internal oversight to guard against regulatory exposure.

Other aspects of the DUAA

While the changes to data protection law have grabbed most of the headlines, the DUAA also covers other matters such as digital verification services, the creation of a national underground asset register, and the digitisation of the registration of births and deaths.

Five top tips for businesses

  1. Audit DSAR procedures: Embed “stop the clock” handling and proportionate search principles.
  2. Review lawful bases: Identify where “recognised legitimate interests” may apply and document clear rationale.
  3. Assess research practices (where applicable): Consider implementing broad consent strategies and establish appropriate transparency channels.
  4. Design complaints mechanisms: Build robust, timely procedures to handle data protection complaints.
  5. Stay informed: Monitor ICO consultations and guidance releases; engage in consultation where practical.

The Data (Use and Access) Act 2025 represents a pragmatic recalibration of UK data law – balancing innovation with user rights.

“While it provides valuable flexibility for research, automation, and DSAR handling, it also introduces tighter oversight and enforcement tools. For businesses, success under DUAA will require proactive governance, clear documentation, and readiness to adapt as new guidance unfolds,” Quentin concluded.

For help and support with this, our data protection team can advise. Get in touch for more information.

If you have any questions, please contact

Quentin Archer Consultant Solicitor - Privacy and Data Protection +44 (0) 20 7846 2370 quentin.archer@jurit.com

Please note this paper is intended to provide general information and knowledge about legal developments and topics which may be of interest to readers. It is not a comprehensive analysis of law nor does it provide specific legal advice. Advice on the specific circumstances of a matter should be sought.