The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations?

Latest updates - 19 June 2025

19 June 2025 - this guidance was published

At a glance  

  • The DUAA is a new Act of Parliament that updates some laws about digital information matters.  
  • It changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights.  
  • Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law.  
  • The changes will be phased in between June 2025 and June 2026. 

In brief 

What data protection laws does the DUAA change?  

The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).  

How might the DUAA help us to innovate? 

The DUAA might help you to innovate in the following ways: 

  • Research provisions: it makes it clearer when you can use personal information for the purposes of scientific research, including commercial scientific research. It clarifies that people can give ‘broad consent’ to an area of scientific research. 
  • Privacy notices: it allows you to re-use people’s personal information for scientific research without giving them a privacy notice, if that would involve a disproportionate effort, so long as you protect their rights in other ways and still explain what you’re doing by publishing the notice on your website.  
  • Automated decision-making: it opens up the full range of reasons, or ‘lawful bases’, that you can rely on when you use people’s personal information to make significant automated decisions about them, so long as you continue to apply appropriate safeguards. This potentially includes allowing you to rely on the legitimate interests lawful basis for this type of processing. This doesn’t apply to special category data, which is more protected. 
  • Cookie rules: it allows you to set some types of cookies without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website. 

How might the DUAA make things easier for us? 

The DUAA might make things easier for you in the following ways: 

  • New ‘recognised legitimate interests’ lawful basis: when you use personal information for certain ‘recognised legitimate interests’, it removes the need for you to balance the impact on the people whose personal information you use against the benefits arising from that use. For example, when protecting public security.  
  • Disclosures that help other organisations perform their public tasks: it allows you to give personal information to organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions. Instead, the organisation making the request is responsible for this decision.   
  • Assumption of compatibility: it allows you to assume that some re-uses of personal information are compatible with the original purpose you collected it for, without having to do a compatibility test. This includes disclosing personal information for the purposes of archiving in the public interest, even if you originally only got consent for a different purpose.  
  • ‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail marketing to people whose personal information you collect when they support, or express an interest in, your work, unless they object.  
  • Subject access requests (SARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information. 
  • Making things clearer: it improves the way the law is written and structured to make it easier for you to follow and apply, but without materially changing how you can use personal information. For example: 
    • it clarifies that direct marketing can be a legitimate interest; and 
    • it rewords the test you need to apply when transferring personal information outside the UK.  

Are there any new requirements for us to meet? 

  • Children and online services: if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to our Age appropriate design code (AADC).  
  • Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’.   

What help can we expect from the ICO? 

We’ll update our guidance ‘for organisations’ over time, and as the changes come into effect. You can find more details about what we’re working on in Our plans for new and updated guidance.  

Updating all our guidance will take some time though, so until then we’ve produced a more detailed summary of all the data protection changes that might affect you. We’ve written this for data protection experts, including those people within your organisation who are responsible for making any changes you decide to make. 

Government has committed in Parliament to asking us to produce codes of practice on ‘edtech’ and ‘artificial intelligence’. We’ll make sure these meet your needs by developing impact assessments, consulting with relevant organisations and using panels.  

The DUAA also makes some changes to the ICO to help us regulate more effectively:  

  • it changes our structure;  
  • it gives us some new powers to assist us in our investigations; and  
  • it gives us some new duties and reporting requirements to enhance our transparency and accountability for how we work. 

These changes will enable us to continue to operate as a trusted, fair and independent regulator with a stronger and modernised structure. We’ll continue to offer you advice and services, and to focus on ensuring regulatory certainty, reducing regulatory burdens and encouraging innovation and growth. 

What can we do now to prepare for these changes? 

DUAA preparation checklist 

☐ Familiarise yourselves with the changes that the DUAA makes to data protection law using this guidance. Read our detailed summary, if you want more information. 

☐ If you provide an online service that children are likely to use, make sure you are doing enough to satisfy the new explicit requirement to consider their needs. You should be on track if you already conform to our AADC.

☐ Start thinking about how you can help people to make complaints.  

☐ Review the changes that support innovation and make things easier and consider whether you want to take the opportunity to do anything differently or streamline your processes.  

☐ Sign up to the ICO newsletter and e-shots, so you’ll know when we’ve updated our guidance. 

What other laws does the DUAA change? 

The DUAA also changes some other laws we don’t regulate. You can find more information about these changes on the GOV.UK website.