What has happened so far?

It has been a year since the Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent on 19 June 2025. Now that all of the data protection provisions have come into force, with various new pieces of ICO Guidance to supplement them, we wanted to take the opportunity to give you a refresher on the key changes to UK data protection law introduced by DUAA, the ICO Guidance that’s been published to provide some further context, and some practical tips.

What is the Data (Use and Access) Act 2025?

Broadly speaking, DUAA amends a number of provisions in the UK GDPR, Data Protection Act 2018 and PECR. It also contains provisions which deal with how the UK manages data (both personal and non-personal data) generally, e.g. in relation to the growth of digital verification services and new Smart Data schemes like Open Banking, although these broader points are outside the focus of this article.

Summary of Key Changes

The key changes introduced by the Data (Use and Access) Act 2025 are:

  1. Lawful Basis (Recognised Legitimate Interests)
  2. International Data Transfers (Risk-based Transfer Risk Assessments)
  3. Data Subject Access Requests (DSARs) (Reasonable and Proportionate Searches)
  4. Complaints to Organisations (A new right to complain)
  5. Marketing Rules (Soft opt-in for non-commercial organisations)
  6. Cookies (Further exemptions to the consent rule)
  7. Automated Decision Making (A relaxation of rules to encourage AI?)

1. Lawful Basis (Recognised Legitimate Interests)

Amendment: Where an organisation wishes to rely on the lawful basis that its processing of personal data is necessary for its legitimate interests (or those of a third party), that organisation must typically conduct a legitimate interests assessment (“LIA”). An LIA consists of three steps: (1) identifying the legitimate interest(s), (2) considering if the use of the personal data is necessary for the purposes of those interests, and (3) balancing the interests against the rights, interests and freedoms of the individuals whose personal data is being processed.

DUAA amends Article 6 UK GDPR to include a new “recognised legitimate interests” lawful basis, such that organisations do not need to carry out the third step of the LIA (i.e. the ‘balancing exercise’) when processing data for certain specific purposes. DUAA sets out a list of circumstances in which organisations might rely on recognised legitimate interests, which includes discrete processing activities such as responding to an emergency, the prevention or detection of crime and safeguarding vulnerable individuals.

NB While there is no need to conduct any balancing exercise when relying on a recognised legitimate interest, organisations must still identify the relevant recognised legitimate interest and demonstrate that their use of personal data for that interest is necessary.

ICO guidance: On 23 March 2026, the ICO published guidance on recognised legitimate interests. The guidance explains in detail each of the recognised legitimate interests listed in DUAA and what organisations should consider before relying on each.

Why is this important to you? This addition will be of benefit to organisations who wish to rely on legitimate interests in a limited set of circumstances (note that the list of recognised legitimate interests does not include processing for commercial purposes). One caveat: if an organisation is processing special category data (e.g. data relating to race, health, religion, ethnicity, philosophical beliefs etc.) or criminal convictions data, the organisation will still need to meet the requirements of Articles 9 and 10 UK GDPR as appropriate, so there may still be some work to do to ensure that the relevant data is being processed lawfully, even if a recognised legitimate interest applies.


2. International Data Transfers (Risk-based Transfer Risk Assessments)

Amendment: DUAA sets out further detail about how organisations should conduct transfer risk assessments when transferring personal data out of the UK to a country that has not been deemed ‘adequate’ for data protection purposes. In particular, organisations “acting reasonably and proportionately” must consider whether the standard of protection provided by e.g. (a) standard contractual clauses, (b) the recipient country’s laws and practices and (c) the use of other safeguards would result in ‘materially lower’ standards than those in the UK GDPR (and may only transfer the data where they conclude that the standards are not materially lower). This is a lower threshold than under the EU GDPR, which requires that organisations consider whether the protections abroad would be “essentially equivalent” to those set out in the EU GDPR.

ICO guidance: On 15 January 2026, the ICO updated its guidance on international data transfers. In particular, it elaborated on what is considered a ‘restricted’ international transfer by introducing a “three step test” and providing practical examples.

Why is this important to you? This codifies the UK’s ‘risk-based approach’ in relation to transfer risk assessments, which was already set out in the ICO’s previous guidance on international data transfers. NB If an organisation is subject to both the EU GDPR and the UK GDPR, it will still need to undertake the more detailed EU standard of transfer risk assessment for personal data subject to the EU GDPR.


3. Data Subject Access Requests (DSARs) (Reasonable and Proportionate Searches)

Amendment: DUAA makes clear that when an organisation receives a DSAR, it is only required to conduct a “reasonable and proportionate search” for the requester’s personal data.

ICO guidance: In December 2025, the ICO updated its guidance on DSARs. The ICO makes clear that, when considering what is a “reasonable and proportionate search”, an organisation should consider (among other things):

  • the circumstances of the request;
  • the volume of information it may need to search in order to respond;
  • any difficulties involved in finding the information; and
  • the fundamental nature of the right of access.

Why is this important to you? This change codifies the existing position, but is still useful in clarifying points that organisations should consider when handling particularly broad DSARs.


4. Complaints to Organisations (A new right to complain)

Amendment: DUAA introduces a formal right for individuals to make data protection complaints directly to organisations, together with a corresponding obligation on organisations to facilitate the making of complaints, and to notify individuals of their right to complain (for example in a privacy notice). Organisations must acknowledge receipt of a complaint within 30 days and take steps to respond without undue delay.

ICO guidance: In February 2026, the ICO published new guidance on “How to deal with data protection complaints” which provides practical advice to help organisations meet the new complaints obligations introduced by DUAA. It’s worth noting that the ICO gives organisations flexibility on the methods for facilitating complaints: this could be as simple as allowing complaints via email, or using something more sophisticated, like an online complaints portal.

Why is this important to you? This is another example of DUAA codifying something that already happened in practice – even before DUAA, the ICO already encouraged individuals to try to resolve complaints directly with organisations in the first instance. The requirement to facilitate the making of complaints is new, though, and we will be publishing a separate blog post on the complaints requirements under DUAA in due course.


5. Marketing Rules (Soft opt-in for non-commercial organisations)

Amendment: DUAA extends the ‘soft opt-in’ exemption to charities, so that they can send electronic direct marketing without opt-in consent, provided that: (a) the marketing is for the sole purpose of furthering the charity’s charitable purposes; and (b) the recipient’s contact details were obtained in the course of that individual expressing an interest in, or offering or providing support for, those charitable purposes. The individual must also be given the chance to opt-out of receiving the marketing at the time they provide their details and in every subsequent marketing message.

ICO guidance: On 28 April 2026, the ICO updated its guidance on direct marketing in light of the new charitable purpose soft opt-in.

Why is this important to you? This change will be music to the ears of charities who will be able to send marketing e-mails and texts to supporters without having to obtain their opt-in consent (previously, the soft opt-in exemption only applied in the context of a commercial sale, or negotiation for a sale). Hannah Lyons has produced a blog post summarising some of the key takeaways from the ICO’s guidance.


6. Cookies (Further exemptions to the consent rule)

Amendment: Previously, organisations were required to obtain consent prior to placing cookies on individuals’ devices, except for ‘essential cookies’ required to enable the relevant website to function correctly. DUAA has expanded the types of cookies that do not require consent, including (a) statistical cookies used to make improvements, (b) cookies that enable the appearance or function of a website to reflect user preferences, (c) cookies that protect the security of a user and prevent and detect fraud and (d) cookies that help to identify an individual’s geolocation in an emergency. However, individuals must be provided with information about the purposes of these cookies and be able to opt out of their use.

ICO guidance: The ICO updated its guidance on cookies in July 2025 to reflect changes to the cookies rules following DUAA. We will be publishing a separate blog post on these rules in due course.

Why is this important to you? This may well help some organisations who use cookies purely for functionality rather than e.g. for advertising, since such organisations may not need to obtain consent (e.g. via a cookie banner) prior to placing cookies. However, for other organisations who do use advertising cookies, analytics cookies etc., not much will change here.

It is also worth noting that the fines for breaches of PECR (which would include breaches of the direct marketing and consent rules) are being brought into line with the level of fines under the UK GDPR, and so will be increased significantly from the current maximum of £500,000 to up to £17.5 million or 4% of global annual turnover, whichever is greater.


7. Automated Decision Making (A relaxation of rules to encourage AI?)

Amendment: DUAA has replaced Article 22 UK GDPR (which relates to automated decision-making) with a number of new automated decision-making provisions. In particular, the reference to individuals having a right not to be subject to automated decision-making has been removed. Instead, certain restrictions have been put in place on ‘significant decisions’ based solely on automated processing, including: (a) a general prohibition on such decisions that are based on special category data, except in certain circumstances; and (b) requirements to inform individuals of automated decision-making about them and to allow them to challenge such decision-making.

ICO guidance: The ICO has published draft guidance on automated decision-making which reflects the changes introduced by DUAA. We wait to see the final version of this guidance.

Why is this important to you? This appears to be a watering down of the provisions on automated decision making – perhaps to encourage the development of AI and similar technology in the UK (but the practical implications remain to be seen!).


We will continue to keep you abreast of any developments in relation to DUAA, including updates on the ICO’s guidance and its enforcement activities in relation to changes introduced by DUAA.

The material in this article is provided for guidance and general information only and is not intended to constitute legal or other professional advice upon which you should rely. In particular, the information should not be used as a substitute for a full and proper consultation with a suitably qualified professional. Please do contact the Bates Wells team if you require further advice.