The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations?

At a glance

The DUAA is a new Act of Parliament that updates some laws about digital information matters.
It changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights.
Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law.
The changes will be phased in between June 2025 and June 2026.

In brief

What data protection laws does the DUAA change?
How might the DUAA help us to innovate?
How might the DUAA make things easier for us?
Are there any new requirements for us to meet?
What help can we expect from the ICO?
ICO new powers
What other laws does the DUAA change?

What data protection laws does the DUAA change?

The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).

How might the DUAA help us to innovate?

The DUAA might help you to innovate in the following ways:

Research provisions: it makes it clearer when you can use personal information for the purposes of scientific research, including commercial scientific research. It clarifies that people can give ‘broad consent’ to an area of scientific research. We’ve consulted on updates to our guidance on the Research, Archiving and Statistics (RAS) Provisions.
Privacy notices: it allows you to re-use people’s personal information for scientific research without giving them a privacy notice, if that would involve a disproportionate effort. So long as you protect their rights in other ways and still explain what you’re doing by publishing the notice on your website.
Automated decision-making: it opens up the full range of reasons, or ‘lawful bases’, that you can rely on when you use people’s personal information to make significant automated decisions about them. So long as you continue to apply appropriate safeguards. This potentially includes allowing you to rely on the legitimate interests lawful basis for this type of processing. This doesn’t apply to special category data which is more protected. We’ve consulted on draft guidance about automated decision-making, including profiling.
Cookie rules: it allows you to set some types of cookies without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website. We’ve published updated guidance on the use of storage and access technologies.

How might the DUAA make things easier for us?

The DUAA might make things easier for you in the following ways:

New ‘recognised legitimate interests’ lawful basis: when you use personal information for certain ‘recognised legitimate interests’, it removes the need for you to balance the impact on the people whose personal information you use, against the benefits arising from that use. For example, when protecting public security. The new in brief and detailed guidance on recognised legitimate interest are available on our website.
Disclosures that help other organisations perform their public tasks: it allows you to give personal information to organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions. Instead, the organisation making the request is responsible for this decision. Our new guidance on requesting personal information for public tasks or official functions is available on our website.
Assumption of compatibility: it allows you to assume that some re-uses of personal information are compatible with the original purpose you collected it for, without having to do a compatibility test. This includes disclosing personal information for the purposes of archiving in the public interest, even if you originally only got consent for a different purpose. Further details are available in the new guidance on compatibility and the reuse of personal information.
‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail marketing to people whose personal information you collect when they support, or express an interest in, your work, unless they object. Our new guidance on direct marketing using electronic mail is available on our website.
Subject access requests (SARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information. Our updated right of access guidance reflects these changes.
Making things clearer: it improves the way the law is written and structured to make it easier for you to follow and apply, but without materially changing how you can use personal information. For example:
- it clarifies that direct marketing can be a legitimate interest; and
- it rewords the test you need to apply when transferring personal information outside the UK.

Are there any new requirements for us to meet?

Children and online services: if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to our Age appropriate design code (AADC). We updated our guidance on data protection by design and default to reflect these changes.
Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’. We’ve published data protection complaints guidance to support all organisations.

What help can we expect from the ICO?

We’re working hard to make sure organisations understand what has changed and what it means in practice. Over the last year, we’ve published new and updated guidance for organisations, particularly in areas most impacted by the DUAA.

We’ll continue updating our guidance ‘for organisations’ over time, prioritising the areas of greatest impact. You can find more details about what we’re working on in Our plans for new and updated guidance.

We’ve produced a more detailed summary of all the data protection changes that might affect you. We’ve written this for data protection experts, including those people within your organisation who are responsible for making any changes you decide to make.

The DUAA also makes some changes to the ICO to help us regulate more effectively:

it changes our structure;
it gives us some new powers to assist us in our investigations; and
it gives us some new duties and reporting requirements to enhance our transparency and accountability for how we work.

These changes will enable us to continue to operate as a trusted, fair and independent regulator with a stronger and modernised structure. We’ll continue to offer you advice and services, and to focus on ensuring regulatory certainty, reducing regulatory burdens and encouraging innovation and growth.

ICO new powers

Among the new powers that DUAA provides us with is the ability to compel a witness to attend an interview and to request reports of approved persons.

Our new draft enforcement procedural guidance sets out the process we will follow when carrying out investigations, taking enforcement action, and exercising some of our other duties. We will be publishing the final guidance in due course.

Our aim is to give businesses certainty about what to expect by publishing guidance before we begin using them. However, the law has commenced and we can, and will, use these powers where necessary for the most serious cases.

What other laws does the DUAA change?

The DUAA also changes some other laws we don’t regulate. You can find more information about these changes on the GOV.UK website.