What is the Data Use and Access Act 2025?
The Data Use and Access Act 2025 (DUAA) has been defined as the primary legislative framework refining the UK GDPR to promote a pragmatic, risk-based approach to data protection. It transitions the UK regime away from defensive checkbox compliance toward a system that values proportionality and economic innovation. This legislation represents the most significant architectural shift in UK data protection since 2018.
The DUAA 2025 does not replace the UK GDPR but refines its application for modern business needs. It explicitly aims to reduce the administrative weight on businesses, particularly SMEs, who previously spent disproportionate budgets on maintenance. Proactive organisations can leverage these changes to achieve frictionless compliance.
The transition to the DUAA regime marks a fundamental shift in how data protection professionals operate. It empowers teams to move from being compliance gatekeepers to becoming strategic architects of compliance. This shift allows more time for high-impact governance and less on manual data discovery.
How does the DUAA 2025 change regulatory oversight?
The DUAA 2025 replaces the single-person office of the Information Commissioner with a multi-member corporate body called the Information Commission. This new structure resembles the Financial Conduct Authority (FCA) in its operational breadth. The Commission is legally mandated to consider innovation, competition, and economic growth alongside data protection.
This structural change ensures that regulatory decisions align with broader UK economic goals. The Information Commission will oversee the transition to new standards for complaints and data handling. This maturation of the UK data regime reflects a move toward effective, rather than merely exhaustive, oversight.
In this article we introduce five key pillars of change that will affect the role of the DPO; over the coming weeks we will dive deeper into each one.
Pillar 1: How does the DUAA impact PECR Fines?
How have PECR fines and cookie rules changed?
The DUAA 2025 relaxes consent requirements for low-risk cookies, such as those used for basic analytics and security. Users must still be provided with clear information and a simple opt-out mechanism. This change aims to reduce cookie banner fatigue for website visitors.
While consent rules are relaxed for low-risk trackers, the financial stakes for non-compliance have surged. PECR fines have risen from a maximum of £500,000 to £17.5 million or 4% of global turnover. This dramatic increase makes poorly managed cookie banners an existential financial risk.
Strategic readiness requires ensuring that users have a free and simple way to opt out of trackers. Operational sloppiness in marketing and web tracking now carries the same weight as a major data breach. Robust infrastructure is essential to mitigate these high-stakes risks. You should review your cookie banners to make sure that consent is valid; if you rely on an ‘Accept All’ button too freely, you are likely at risk.
Pillar 2: How does the DUAA 2025 impact AI Governance?
What is Automated Decision Making?
Automated Decision-Making (ADM) is defined as the process of making a decision by automated means without any meaningful human involvement. Within the framework of the Data Use and Access Act 2025 (DUAA), this specifically relates to decisions that produce legal or similarly significant effects on an individual.
What does “meaningful human involvement” mean practically?
Meaningful human involvement is the standard used to determine if a decision is solely automated under the new regime. For a decision to move outside the strict prohibition, human oversight must be substantive and not merely a symbolic sign-off. A superficial rubber stamp approach will no longer suffice for legal compliance under this framework.
Data Protection Officers must now define and document what this involvement looks like in practice. This involves assessing the extent to which human reviewers can actually influence or change an automated outcome. If the human reviewer lacks the authority or information to intervene, the decision remains solely automated.
How does the DUAA impact Automated Decision Making?
The DUAA 2025 moves the UK away from its general prohibition on Automated Decision-Making (ADM). While solely automated decisions with legal or similarly significant effects were previously restricted, they are now generally permitted for standard personal data, provided human intervention and contestation rights are in place. This change supports the deployment of AI systems across sectors.
Organisations must maintain an inventory of AI systems with demonstrable human oversight. The shift toward permissive ADM requires robust documentation of safeguards. Automation of these records ensures that AI innovation remains compliant and transparent.
Pillar 3: DSAR Changes
What is the reasonable and proportionate search standard for DSARs?
The reasonable and proportionate search standard is the legal confirmation that controllers are not obligated to conduct exhaustive searches across every legacy system. Introduced via Section 78 of the DUAA, this standard balances the search effort against the importance of providing data access. This offers significant relief to resource-strapped teams.
A key support feature is the Stop the Clock mechanism for Data Subject Access Requests (DSARs). If a request is vague, you can legally pause the statutory response time while waiting for clarification. This provision aligns with existing case law and reduces the pressure of unnecessary deadlines. It also allows data protection teams to serve the data subject better, since they come to understand exactly what is being asked for, which may in turn assist with discovery.
Pillar 4: Recognised Legitimate Interests (RLI)
What are Recognised Legitimate Interests (RLIs)?
Recognised Legitimate Interests are high-value processing activities for which a Legitimate Interest Assessment (LIA) balancing test is no longer required. This list includes activities such as fraud prevention, safeguarding vulnerable individuals, and responding to emergencies. This represents a significant quick win for organisational efficiency.
By migrating vital processing activities to the RLI basis, you immediately reduce your ongoing administrative burden. While the LIA is removed for these specific cases, transparency and necessity principles still apply. Auditing your Record of Processing Activities (ROPA) is essential to identify these opportunities.
The ProvePrivacy platform will help to map your new Recognised Legitimate Interests within your ROPA. This ensures that your legal bases are updated to reflect the most efficient compliance pathways. It reduces manual workload while maintaining regulatory integrity.
Pillar 5: Complaints Handling
What is a DUAA Complaint?
A DUAA Complaint is defined as a formal submission where an individual considers an organisation has infringed data protection legislation through the handling of their personal information.
Section 103 of the DUAA inserts Section 164A into the Data Protection Act 2018. This creates a statutory right for data subjects to complain directly to controllers. Organisations must provide accessible submission routes, such as electronic forms.
Controllers must acknowledge every data protection complaint within a strict 30-day window. Investigations must proceed without undue delay, including keeping individuals informed of progress. Internal processes are required to handle complaints and final outcomes must be clearly communicated to the complainant.
The Information Commission gains new powers to monitor these internal processes. It may require organisations to report on the volume and nature of complaints received. Automated logging is important to demonstrate compliance with the 30-day acknowledgement rule.
When is the deadline for DUAA internal complaints handling?
The mandatory deadline for implementing formal internal complaints handling processes is 19 June 2026. Under Section 103 of the DUAA, all controllers must have a formal, two-tier internal process operational by this date. This mandate essentially transforms the office of the Data Protection Officer (DPO) into a miniature ombudsman service.
Organisations are legally required to acknowledge data protection complaints within 30 days. They must also provide accessible, electronic submission routes that are easy to use. The Information Commission can now require organisations to report on the volume and nature of these complaints.
Strategic readiness requires an infrastructure that can automate the 30-day complaint clock. Failure to implement these structured intake and investigation workflows may lead to regulatory scrutiny. The ProvePrivacy platform will automate this mandatory 2026 workflow via its Incident Reporting module.
Data Management Comparison: Manual vs. ProvePrivacy
| Feature | Manual Spreadsheets | New to the ProvePrivacy Platform |
|---|---|---|
| Complaints Handling | Manual tracking; high risk of missing 30-day deadline. | Automated alerts and structured 2026 workflows. |
| DSAR ‘Stop the Clock’ | Manual process, subject to error. | Automated timekeeping and notifications. |
| RLI Mapping | Manual LIA balancing for every activity. | Pre-mapped Recognised Legitimate Interests within the ROPA. |
Sources
- Data (Use and Access) Act 2025, official legislation: https://www.legislation.gov.uk/ukpga/2025/2/contents
- ICO guidance, How to Deal with Data Protection Complaints: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/how-to-deal-with-a-complaint-about-data-protection/
- GOV.UK, DUAA Factsheet for UK GDPR and DPA 2018: https://www.gov.uk/government/publications/data-use-and-access-bill-2024-factsheets/data-use-and-access-bill-uk-gdpr-and-dpa-2018-factsheet
- The DPO Centre, DUAA vs UK GDPR Business Guide: https://www.dpocentre.com/duaa-vs-uk-gdpr-business-guide/