The Data Use and Access Act 2025: What do businesses and other organisations need to know?
Many organisations have spent the last eight years embedding GDPR compliance into their day-to-day operations. For many businesses, GDPR is now established and familiar, with core policies, procedures and governance frameworks already in place. However, the legal and regulatory landscape continues to evolve, and recent developments mean that organisations may now have an opportunity to revisit how they approach certain areas of compliance.
On 5 February 2026, the majority of the provisions of the Data Use and Access Act 2025 (the DUAA) came into force. Although the DUAA received Royal Assent last summer, its implementation has been staggered. The UK Information Commissioner’s Office (ICO) has described the DUAA as legislation which changes data protection laws to promote innovation and economic growth and make compliance easier for organisations, while continuing to protect individuals and their rights.
For businesses and other organisations that act as controllers of personal data, the key point is that the DUAA does not simply impose new obligations. Instead, many of its reforms create new flexibility, offer greater clarity, and allow organisations to take a more pragmatic approach to data protection governance, provided they remain within the framework of UK GDPR and wider UK data protection law.
What is the Data Use and Access Act 2025?
The DUAA is a significant development in UK data protection law. It sits alongside the UK GDPR and the Data Protection Act 2018 and is intended to refine how the UK regime operates in practice.
While some organisations may have assumed the DUAA would require widespread change, many of its provisions are better viewed as opportunities to reassess existing processes. In certain areas, organisations may be able to streamline compliance activity, reduce administrative burden, and align internal policies more closely with operational realities.
That said, organisations should not ignore the DUAA. It will influence how the ICO interprets and enforces data protection requirements. Organisations that fail to take account of the new position may find themselves working to outdated standards, or maintaining procedures that are more restrictive than necessary.
Subject access requests: what does “reasonable and proportionate search” mean?
When the DUAA first came into force last June, one of the key changes was the introduction of statutory wording confirming that organisations responding to a subject access request only need to carry out a “reasonable and proportionate search” for the requested personal data.
This reflects what was already widely understood to be the position under UK GDPR, but the clarification is still significant. In practice, subject access requests can be highly disruptive, particularly for organisations dealing with large volumes of data, legacy systems, or broad requests made in the context of disputes.
The DUAA should give organisations greater confidence to manage requestors’ expectations from the outset. Controllers are not expected to carry out excessive searches or “leave no stone unturned” if that would be disproportionate in the circumstances. For many organisations, this provides a stronger legal basis for setting clear boundaries around the scope of searches.
What changed on 5 February 2026?
The most commercially relevant DUAA reforms came into effect on 5 February 2026. These changes affect several core areas of day-to-day data processing, and organisations should consider whether their existing compliance documentation still reflects the current legal position.
Recognised legitimate interests: is an LIA still required?
The DUAA introduces a new concept of “recognised legitimate interests”. This is a defined list of limited circumstances where organisations can rely on legitimate interests as a lawful basis without first conducting a legitimate interests assessment (LIA).
This may reduce the governance burden for organisations, particularly where the processing is clearly justified and serves an obvious public interest. The recognised legitimate interests list includes, for example, certain disclosures to public authorities and law enforcement.
This does not mean legitimate interests can be relied on without thought, but it does reduce the extent of documentation required in specific scenarios. Organisations may wish to review where legitimate interests is currently relied on as the lawful basis and assess whether any of that processing falls within the recognised categories.
Direct marketing: what does the DUAA mean for marketing communications?
Marketing remains one of the most scrutinised areas of data protection compliance. The DUAA now expressly confirms that direct marketing can be a legitimate interest.
In practice, many organisations already relied on legitimate interests for marketing activities, but this clarification allows for greater confidence when documenting lawful basis decisions and responding to regulatory queries.
The DUAA also extends the ability of charities to rely on the “soft opt-in” method for electronic marketing communications to supporters. While that change is sector-specific, it reflects a broader direction of travel towards allowing organisations to communicate more easily with existing audiences, provided appropriate safeguards are in place.
For businesses and other organisations, the key question is whether marketing practices have become overly cautious over time, particularly where internal policies were drafted in 2018 and have not been revisited since.
Cookies: can your organisation reduce consent requirements?
Cookie compliance continues to be a practical challenge for many organisations, especially those operating consumer-facing websites where cookie banners can affect user experience and conversion rates.
The DUAA broadens the range of cookies that can be set without requiring user consent. This may be helpful for businesses that rely on cookies for functionality, security, analytics, and service improvement.
However, organisations should not assume this means cookie consent banners can simply be removed. The impact will depend on what cookies are used and why. Organisations should consider reviewing their cookie audits and consent tools to determine whether certain cookies currently treated as consent-based may now fall within the expanded exemptions.
International data transfers: has compliance become easier?
International data transfers remain a key compliance issue for UK organisations using global suppliers or group-wide systems.
The DUAA reduces the burden on controllers when assessing the lawfulness of proposed international transfers of personal data. While it does not remove the need for appropriate safeguards, it is intended to make the compliance process more proportionate and commercially workable.
For organisations, this may provide an opportunity to revisit transfer risk assessments and internal templates, particularly where the current approach has become resource-heavy or overly complex. Organisations should ensure their transfer governance reflects the updated legal framework, while still providing robust evidence of compliance.
Automated decision-making: what does this mean for AI and automation?
Automation and AI-driven decision-making are increasingly embedded into business operations. From recruitment and performance management to fraud prevention and customer profiling, many organisations rely on systems that make decisions at scale.
The DUAA expands the circumstances in which controllers can use automated decision-making to make significant decisions about individuals. This may offer greater flexibility for organisations seeking to deploy automated tools more widely, particularly where they previously felt constrained by restrictions on solely automated decisions.
However, this remains a high-risk compliance area. Organisations will still need to ensure they can demonstrate appropriate safeguards, including transparency and mechanisms to challenge decisions where required. For organisations investing in AI, the DUAA may support innovation, but it also increases the importance of ensuring governance and documentation remain up to date.
What changes are still expected later in 2026?
Only a small number of DUAA provisions are still to come into force, and these are expected to apply before the end of June 2026.
The most directly relevant outstanding change for controllers is the new requirement to have a defined procedure for handling data protection complaints. This includes an obligation to acknowledge complaints within 30 days and respond without undue delay.
For many organisations, this will require a more structured approach to complaint handling. Organisations that currently deal with privacy concerns informally through HR teams, customer service functions, or general enquiries should consider whether their processes are sufficiently clear, consistent and auditable.
Is your GDPR compliance framework still fit for purpose?
A key takeaway from the DUAA is that data protection compliance should not be treated as static. While many organisations put extensive GDPR documentation in place in 2018, the ICO’s guidance and enforcement approach has continued to evolve, and the DUAA is part of that wider trend.
The ICO expects organisations to periodically review their policies and procedures to ensure they remain accurate and reflect the organisation’s real-world processing activities. Organisations may therefore wish to bring forward their next review, particularly if their existing policies are heavily based on early GDPR interpretations.
In some compliance areas, the law now allows greater flexibility than many organisations have historically assumed. For businesses and other organisations, the DUAA presents an opportunity to modernise governance, reduce unnecessary administrative burden, and ensure data protection frameworks support commercial objectives while remaining compliant.