In June 2025, the UK passed a major reform of its data protection and privacy laws: the Data (Use and Access) Act 2025 (DUAA). The Act introduces a number of amendments to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR). These amendments give organisations the opportunity to innovate and do things differently, rather than requiring lots of changes in order to comply with the law. (Not all sections of the new law came into effect immediately; some come into force over a 12-month period.)
Key Focus of the Data (Use and Access) Act 2025
- Introduction of a “stop the clock” rule: if a requester for information has to clarify their request or provide further information, the deadline for the organisation’s response is paused.
- A new rule requiring organisations to take steps to help people who want to complain about how their personal information is being used, such as providing an electronic complaints form, acknowledging complaints within 30 days and responding to them ‘without undue delay’.
- Clearer rules for new types of data processing, e.g. artificial intelligence. Organisations using automated systems must check that their safeguarding processes comply with the new rules.
- Clarified rights and lawful bases, with specific uses such as crime prevention and safeguarding now automatically counting as a ‘recognised legitimate interest’.
- Higher protection of data likely to be accessed by children.
- Changes to the rules around some types of cookies, meaning that some no longer require consent, such as those used to collect information for statistical purposes or to improve the functionality of a website.
Data (Use and Access) Act Considerations
Guidance is available from the Information Commissioner’s Office (ICO), and as the full regulations are rolled out by June 2026, that guidance will be updated. It will clarify terms such as “reasonable and proportionate” and what counts as “sufficient safeguards” in automated decision-making.
The DUAA requires organisations to conduct staff training, as it adds new regulations to existing data protection law, including new rules on automated decision systems, which will be crucial given the increased use of artificial intelligence. Regular, refreshed staff training is an important way to demonstrate that the organisation is meeting the new data protection expectations.

Organisations are likely to need to map out which changes affect them and make those changes to ensure compliance with the DUAA. Typically these will be changes to organisational policies, processes and cookie banners.
Despite the impression that some of the data protection rules may have been relaxed, the rights of individuals remain very strong, and complaints may well increase.
Author: Carolyn Lewis
1/7/25
