The Data (Use and Access) Act 2025 (DUAA): Key Changes to Data Protection Law


On June 19, 2025, the UK Data (Use and Access) Act 2025 (the “DUAA”) received Royal Assent. The law is intended to further the overall goal of modernizing and streamlining existing data protection law and enhancing data governance to keep pace with emerging technologies.

The DUAA introduces changes in key areas of data protection and privacy, such as legitimate interests, international data transfers and automated decision-making (“ADM”), while also addressing provisions related to scientific research, smart data and public registers.

The DUAA will come into effect in phases over the course of 2025-2026. Secondary legislation will specify the dates various provisions will come into force; it is anticipated that the bulk of the provisions will be live by June 2026.


Relevant Provisions

Data Subject Access Requests

The DUAA clarifies certain requirements related to data subject access requests (“DSARs”). The amendments state that data subjects are entitled only to the information located by a “reasonable and proportionate” search on the part of the business. The DUAA also extends the time allowed for responding to a DSAR from one to two months where requests are complex or numerous.

Complaint Handling

Under the current UK data protection framework, individuals who believe their personal data has been mishandled have typically had one route for redress: submitting a complaint directly to the ICO. Under the DUAA, data subjects must first raise their complaint with the data controller before escalating it to the ICO. Organizations are also now legally required to implement a formal complaint process for handling data protection concerns.

Automated Decision Making

The DUAA seeks to facilitate the use of ADM by relaxing the current prohibition in Article 22 of the UK GDPR in cases where organisations implement safeguards.


However, the Act differentiates impactful ADM processes from more routine ones. It requires that appropriate safeguards are in place for the broader set of decisions based “predominantly” on ADM (rather than “solely”). Solely automated processing exists only where no “meaningful human involvement” is present; additional guidance is expected on how the word “meaningful” is to be interpreted. Where “significant decisions” (those that produce legal effects or similarly significant consequences) are based solely on automated processing, the DUAA requires additional safeguards.


Provisions Related to Scientific Research

The DUAA broadens the definition of scientific research to encompass any research “reasonably described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.” It expands the exemptions for processing special category data under the UK GDPR to include privately funded and commercial research. The new definition also removes the need for a public interest assessment with respect to the processing of scientific research data. Under the new definition, data subjects will be able to consent to the use of their data for scientific research purposes even where the specific research purposes cannot yet be fully identified.

International Data Transfers

In a departure from the existing approach, which allows “transfers on the basis of an adequacy decision,” the amended framework refers to “transfers approved by regulations.” To approve transfers to a country by regulations, the UK Secretary of State must be of the view that the “data protection test” is met, i.e., that the standard of protection in the third country is “not materially lower” than that of the UK. Like the UK GDPR, the DUAA sets out the considerations the UK Secretary of State should assess when determining whether the data protection test is met for a third country.

Recognized Legitimate Interests: A New Basis for Processing

The DUAA introduces “recognised legitimate interests” as a new, lawful basis for processing personal data. Building on the existing lawful basis of legitimate interests, this new basis allows businesses to process data for specific purposes defined under the DUAA without conducting a traditional legitimate interests assessment (“LIA”).

Additionally, the DUAA sets out a further list of processing activities which “may” be carried out under the existing lawful basis of legitimate interests. While such activities are not “recognised legitimate interests” and therefore still require an LIA, the list gives businesses more certainty when seeking to rely on legitimate interests for a specific activity.

Purpose Limitation

The DUAA clarifies the concept of “further processing.” Among other things, it sets out criteria to help assess whether further processing of data is compatible with the purpose originally stated. These include the link between the new and original purposes, the context in which the data was originally collected, and the possible consequences for data subjects of the further processing being contemplated. It also sets out instances in which processing for a new purpose would be deemed compatible with the original purpose, for example where the data subject consents or where the processing meets certain specified conditions.
