New UK Data Law: What the Data Use and Access Act 2025 Means for You
The Data Use and Access Act 2025 received Royal Assent on 19 June 2025. But what does it actually mean for businesses, organisations, and individuals?
If you’re running a UK business or work with personal data in any form, this law affects you. It updates parts of the UK GDPR, the Data Protection Act 2018, and the Electronic Communications Regulations to give more clarity, flexibility, and control over data use.
The Basics: What Is the Data Use and Access Act?
The DUA Act (short for Data Use and Access Act) is the UK government’s latest step to modernise data protection law. It introduces:
- New rules around automated decision making
- Clearer rules on smart data schemes and digital verification services
- Updated data subject access request processes
- Provisions for scientific research and international data transfers
The aim? To make data easier to share safely and to support innovation in sectors like finance, health, and technology without lowering data protection standards.


Key Changes You Need to Know
1. AUTOMATED DECISION MAKING
The DUA Act changes how organisations can make automated decisions, for example when software makes choices without human input.
Key updates:
- Automated decisions that have significant effects must now involve meaningful human intervention
- Some cases (like national security or preventing interference in investigations) are exempt
- People must be told when decisions are automated and given a way to challenge them
2. DIGITAL VERIFICATION SERVICES
This reform establishes a UK trust framework for services such as e-signatures and digital IDs. It’s designed to reduce the need for businesses to collect large amounts of personal data.
- Providers must register under a statutory scheme
- New information gateways allow data sharing between public authorities and these services
- The Information Commissioner’s Office (ICO) will offer guidance on how to meet the new standards
3. SMART DATA SCHEMES
The Act lays a foundation for smart data schemes, allowing users to share data securely with trusted third parties. This is similar to what Open Banking allows in finance.
It encourages other organisations to take part in controlled data sharing, which:
- Enables online services to be more efficient
- Promotes competition and user choice
- Reduces admin for users and providers
Better Access and More Control Over Your Data
SUBJECT ACCESS REQUESTS
If you’ve ever filed a subject access request, you know how slow and complicated they can be. The DUA Act simplifies the process:
- Introduces a stop-the-clock mechanism during clarification stages
- Sets more explicit rules on what counts as reasonable and proportionate searches
- Organisations can withhold specific data if it relates to legal privilege or client confidentiality, but they must explain why
These updates help both data subjects and organisations by reducing disproportionate effort and improving transparency.


Scientific Research and Recognised Legitimate Interests
The new law encourages the use of data for scientific research, making it easier for researchers to access anonymised datasets without over-complicated red tape.
It also introduces the idea of recognised legitimate interests and specific purposes, where processing data is assumed to have a lawful basis without requiring user consent. This might include:
- Preventing crime
- Ensuring public safety
- Running essential public services
But organisations must still apply appropriate safeguards.
Data Protection Act 2018: What’s New?
The DUA Act aligns the older Data Protection Act 2018 with the new provisions introduced across UK data protection law. This includes significant updates in the following areas:
- Law enforcement processing (Parts 3 and 4), where the Act introduces more precise boundaries for the use of personal data by law enforcement and intelligence services. It simplifies the legal framework, promoting operational efficiency while maintaining safeguards related to national security and individual rights.
- Special category data, such as health records, biometric data, and genetic information. The Act clarifies how organisations should handle this type of data, setting out stricter consent requirements and reinforcing the need for appropriate safeguards.
- Data subject access requests, with new rules that support more efficient responses. This includes the “stop-the-clock” rule for clarification and guidelines on what counts as a reasonable and proportionate search. Organisations are now expected to provide clearer explanations when withholding data due to exemptions like legal privilege or client confidentiality.
By modernising these areas, the UK aims to balance public interest and individual privacy, ensuring that privately funded and publicly held data can be processed legally, securely, and with full accountability under the reformed framework.
Changes to Direct Marketing
If your business sends emails, runs SMS campaigns or retargets users, this part’s for you.
The DUA Act strengthens the framework around direct marketing, ensuring that businesses engage with customers responsibly while maintaining transparency and respect for privacy.
Key updates include:
- A refined definition of electronic marketing, covering everything from promotional emails and SMS to push notifications and social media ads
- Stricter consent rules, replacing the broad ‘soft opt-in’ model with clear requirements for affirmative, informed user consent
- Clearer expectations for businesses to provide unambiguous opt-out mechanisms, and to honour opt-out requests without delay
- The need to identify a strong lawful basis for using personal data for marketing, usually consent or recognised legitimate interests, depending on the context
- Greater emphasis on maintaining appropriate safeguards when processing data for profiling or audience segmentation
For businesses using third-party data, the Act reinforces the importance of verifying the source and ensuring the original data collection was compliant. Marketing teams must work closely with legal and compliance teams to reassess their campaigns and ensure every message is sent within the scope of the new rules.
If you’re running automated marketing systems, it’s also worth reviewing how automated decision-making plays a role in your strategy and whether it falls under the DUA Act’s enhanced obligations.
Changes to Cookie Consent Requirements
The DUA Act also introduces new rules around cookie consent and online tracking tools. These updates aim to reduce unnecessary consent prompts, especially where the data collected does not identify individuals or is used solely for functionality or security purposes.
Key updates include:
- Simplified consent for low-risk cookies, such as those used for load balancing or basic analytics that don’t profile individuals
- Greater clarity on when consent is required for advertising or tracking cookies
- Stronger requirements for transparency: organisations must clearly explain cookie use and allow easy opt-outs
While this may reduce the frequency of pop-ups, organisations still need to assess whether cookies fall under the Electronic Communications Regulations and maintain appropriate safeguards where personal data is involved.
If your business relies on website tracking or third-party cookies, it’s essential to revisit your cookie policy and ensure it aligns with the updated regulations.
Why This Matters to UK Businesses
The DUA Act gives UK businesses more flexibility while reinforcing user protections. That’s a tricky balance to strike, but it’s essential.
If you:
- Handle customer data
- Use automated systems
- Run digital verification services
- Share data with public bodies or partners
…then these changes will affect how you operate.
What You Should Do Next
To stay compliant:
- Review your policies on processing personal data
- Audit your automated decision-making processes
- Check how you respond to subject access requests
- Make sure you’re aligned with updated data protection law provisions
The Information Commissioner’s Office will continue to publish guidance and updates, so stay connected to official resources.
Where This Leaves You
The Data Use and Access Act 2025 marks a shift in how the UK handles data. It’s about enabling innovation while protecting rights.
There’s a lot packed into the Act, from digital verification services to smart data schemes, and changes to data protection practices across the board.
At Digital Legal Forum, we’ll keep helping you make sense of legislation, whether you’re updating your contracts or navigating compliance.
Stay informed. Stay compliant.
Need help reviewing your legal templates under the DUA Act? Head to digitallegalforum.net for practical support, downloads, and up-to-date guidance.