What the Data (Use and Access) Act 2025 means for your business

Few Parliamentary Bills have garnered more media attention in recent years than the Data (Use and Access) Act 2025 (‘DUA Act’). The DUA Act’s draft papers effectively ping-ponged between the Houses of Parliament over numerous issues, with none more contentious than the attempt to include additional transparency measures on how AI tools have collected their source data. Whilst lobbied for by big artists like Elton John and (the appropriately named) Dua Lipa, this issue was eventually dropped from the Bill, to be discussed in more detail via a consultation process led by the Secretary of State, due within 9 months of the DUA Act coming into force. Whilst we await the results of this investigation and report, the DUA Act’s 144 sections and 16 Schedules still contain a whole host of topics that businesses will need to be aware of as they come into effect.

When will these changes come into effect?

The DUA Act received Royal Assent on 19 June 2025 and with it came some immediate changes, some to be implemented over the coming months, and all others to be implemented in due course via secondary legislation. 

There are only a handful of changes immediately effective, including:
•    s78 – searches in response to data subjects’ requests.
•    s122 – relating to smart meter communications licences.
•    s126 – retention of biometric data and recordable offences.
•    s128 – retention of pseudonymised biometric data.
•    s129 – retention of biometric data from INTERPOL.

Just four sections come into full effect from 19 August 2025:
•    s69 – consent to law enforcement processing.
•    s82 – logging of law enforcement processing.
•    s96 – notices from the Information Commissioner.
•    s97 – power of the Information Commissioner to require documents.

All other sections will therefore be subject to additional secondary legislative acts to be implemented by the Secretary of State, with a keen eye also being kept on the ICO’s supporting guidelines.

What is the impact on businesses?

It is important to note that the DUA Act is supplementary to the Data Protection Act 2018 / UK GDPR, and so the changes being implemented will require tweaks to your practice, rather than wholesale changes. One of the key objectives of the DUA Act was to try and create efficiencies in business practices, and so there are not many immediate changes that need to be made, but certainly ones to be aware of.

For example, the DUA Act’s changes to Data Subject Access Requests (DSARs) simply embody the ICO’s previous guidance on best practice. The changes introduced by s.75-79 DUA Act, for example, clarify that the 30 day clock for responding to DSARs only starts once the recipient has verified the identity of the requestor / data subject, and that the clock can be paused whilst seeking clarifications on aspects of the DSAR, whilst the recipient performs “reasonable and proportionate” investigations and searches for the data subject’s personal data.

Your website - cookies, complaints, and protection of children

In a recent article, we discussed the importance of ensuring that your business website remains compliant, and the DUA Act brings additional factors to consider for your site. For example, the remit of what constitutes ‘strictly necessary only’ cookies is going to be broadened to cover additional ‘low risk’ cookies and trackers, such as those used for statistical purposes and for optimising the site’s appearance. The ICO is expected to report on this and the use of certain tracker technologies later in the year. The cookies and permissions sections on your site will therefore need to be reviewed in line with this, still ensuring that opt-outs are made available.

Businesses will be required to ensure that they provide data subjects with a means for raising complaints regarding the use of their personal data (s103). This will therefore likely need to become part of your website’s functionality to ensure that you are able to respond to complaints within the mandated 30-day window, with the Secretary of State due to provide guidance as to which types of organisations will need to report the number of complaints received. Acknowledging, collating, and reporting on data subject complaints will therefore need to become standard practice.

If your services are likely to be accessed by children, then the DUA Act also requires a ‘data protection by design’ approach (s81), to sit alongside and bolster protections afforded to children from harmful content.

Business processes - automated decision-making, legitimate interests and direct marketing

The DUA Act looks to ease up business processes associated with processing data. Whilst the current data protection laws restrict the use of personal data for automated decision-making processes which have legal or significant effects upon the data subject, this restriction will be limited to just using special category personal data for automated decision-making processes, potentially freeing up the use of personal data that sits outside of that category. Secondary legislation is anticipated to firm this measure up and provide specific examples, with the anticipation being that AI-based tools will be more readily able to process personal data. 

Whilst many businesses have argued around the collection and use of personal data for business and marketing purposes as ‘legitimate interests’, the DUA Act will provide the legislative clarification that direct marketing will be a legitimate interest. Charities were also permitted to use the ‘soft opt-in’ mechanism for marketing communications. However, the protections afforded to individuals under PECR, as outlined in our recent article, remain. 

In a move that recognises the sheer volume of data being processed from time to time, and how many times personal data has been handled and the associated administration required, the DUA Act provides a caveat to the GDPR’s obligation to provide privacy information to individuals, noting that this requirement will not apply if providing that information would be ‘impossible or would involve disproportionate effort’.

Processing existing data that has been validly collected will also become easier for businesses with the expansion around what constitutes acceptable ‘historical’ or ‘scientific research’ (s67-69), and what will be ‘compatible purposes’ (Schedule 5) as the reason for which the personal data was originally sourced.

Government level - digital verification, smart data and registers 

During the drafting of the DUA Act, there was excitement about the possibility of there being a better-defined list of what constitutes a legitimate interest and/or consolidation of case law with the concept of ‘recognised legitimate interests’. However, these are more aligned with national/governmental considerations, such as disclosure for the prevention of crime, or for matters of national or public security.

One of the novel creations of the DUA Act is the concept of a trusted digital ID verification framework. Whilst not a new idea, Part 2 of the DUA Act looks to bolster and promote existing frameworks via a digital verification services register and their adoption by certain authorities. The DUA Act also looks to better support the processing of personal data within the utilities and security space with smart meter communications licences (s122), internet service providers (s124), the creation of the National Underground Asset Register (Part 3), and local authority security and equipment for registration of births and deaths (Part 4).

What’s next?

A lot of attention will be focussed on the actions of the Secretary of State over the coming months as well as those of the Information Commissioner’s Office, who are due to release updates as the legislative field develops, and will themselves be undergoing changes under the DUA Act, with their scope, powers, and business structure to be revised and strengthened over the next 12-24 months. This will all, of course, be performed with the echoes of GDPR looming large, as well as the EU’s next adequacy decision (due late 2025) on how the laws of England and Wales do or do not align with the practices on the continent. 

What is certain is that your business website, contracts, and policies will need to be reviewed and updated as this area continues to shift.

For further information, please email Mark Hughes or Philip Bowers or call 0151 906 1000.