What is the DUAA? A Short Guide to the Data Use and Access Act 2025 for UK Organisations
As someone who has spent years helping organisations interpret data protection obligations, I can say with confidence that the Data Use and Access Act 2025 (DUAA) is one of the most consequential pieces of legislation for UK data law in recent memory. Unlike earlier reforms, which often felt technical and incremental, the DUAA attempts something much bolder: it reshapes the way we think about data governance, operational compliance, and the balance between innovation and privacy.
In practice, this means that organisations cannot simply tick boxes. They must understand the spirit of the law, anticipate real-world challenges, and build processes that genuinely protect individuals while enabling the responsible use of data. In the sections that follow, I aim to explore the DUAA’s key reforms, sharing insights from experience, potential pitfalls, and the practical implications for compliance teams.
1. Recognised Legitimate Interests: Clarity Where It Matters
One of the first things I notice when reviewing the DUAA is its approach to legitimate interests. Historically, this was one of the most challenging areas for organisations. The old UK GDPR required a careful balancing test: you had to weigh the necessity of processing against the potential impact on individuals’ rights. In practice, many organisations overcomplicated this, fearing that regulators might challenge any misstep.
The DUAA introduces the concept of recognised legitimate interests, providing a pre-defined set of circumstances where the balancing test is not strictly required. Examples include safeguarding, emergency response, cybersecurity, and crime prevention.
In my experience, this is liberating. It doesn’t remove the responsibility to act proportionately or document decisions, but it acknowledges that certain types of processing are inherently justified. For compliance teams, this is a chance to simplify documentation, while still demonstrating careful judgment.
However, it’s worth noting that the DUAA doesn’t give carte blanche. Organisations that stretch these recognised interests too far risk scrutiny – for example, treating marketing activities as a “safeguarding measure” would almost certainly fail.
2. Automated Decision-Making: Practical Flexibility Without Losing Accountability
Automated decision-making (ADM) is another area the DUAA addresses thoughtfully. In the previous regime, ADM restrictions were rigid, particularly where decisions had “legal or similarly significant effects.” This was understandable, but as machine learning and AI systems became integral to business operations, the rules sometimes felt disconnected from operational reality.
The DUAA softens these restrictions. It allows ADM in more scenarios, provided there is meaningful human oversight and transparency. In my advisory work, I’ve seen banks, insurers, and tech firms wrestling with exactly this tension. The challenge is clear: how do you benefit from automation while safeguarding individuals’ rights?
Consider a UK fintech firm using AI for loan approvals. Under the DUAA, the company can continue using its scoring system, as long as there’s a human review mechanism and the applicant can challenge the decision. The law recognises innovation but keeps accountability front and centre.
3. Subject Access Requests: Reasonable and Proportionate is the New Standard
If there is one practical headache that compliance teams universally complain about, it’s Subject Access Requests (SARs). Under the old framework, organisations were often required to trawl through every system, sometimes producing hundreds of thousands of pages, with little clarity on boundaries.
The DUAA introduces a reasonable and proportionate search requirement, allowing organisations to “stop the clock” if clarification from the requester is needed, and to charge a reasonable fee for manifestly unfounded or excessive requests. In practice, this means teams can focus on relevant data, document decisions, and avoid being overwhelmed by fishing expeditions disguised as SARs.
For organisations, this is a relief – but it comes with a warning. “Reasonable” is context-dependent. A SAR from a vulnerable individual or a regulatory investigation must still be treated carefully. Organisations cannot simply ignore requests or shortcut due diligence; the DUAA encourages thoughtful, balanced responses.
4. Children’s Data Protection: Embedding Responsibility in Design
The DUAA reinforces the UK’s commitment to protecting children online. While previous codes, like the Children’s Code, set standards for services targeting minors, the DUAA goes further: it mandates that services anticipate, rather than react to, child interaction.
I often advise clients that this is not a theoretical exercise. Platforms must build protection into the design of digital services – age-appropriate content, simplified consent mechanisms, and clear reporting pathways. It is no longer sufficient to simply respond to misuse; the law expects anticipation, mitigation, and ethical foresight.
5. Scientific Research: Broad Consent for Iterative Innovation
Here’s where the DUAA gets particularly interesting. Scientific and commercial research rarely proceeds linearly; projects evolve, hypotheses shift, and data may be repurposed. Previously, consent had to be project-specific, creating administrative bottlenecks and, at times, ethical dilemmas when research changed direction.
The DUAA recognises this reality by allowing broad consent mechanisms, provided safeguards are in place. Data must still be pseudonymised or anonymised where appropriate, participants can withdraw consent, and ethical review boards should remain involved.
Imagine a biotechnology firm tracking patients over several years to develop personalised therapies. Previously, any change in study focus would require re-consenting participants, risking drop-offs and delays. The DUAA streamlines this without sacrificing rights: broad consent is now a legally supported approach, as long as transparency and proportionality are maintained.
Similarly, AI research teams can refine models using datasets collected for prior purposes, so long as privacy safeguards are implemented. This balances innovation with accountability – a recurring theme of the DUAA.
6. International Data Transfers: A Risk-Based Approach
One of the most practical and sometimes frustrating aspects of data protection has always been cross-border transfers. The Schrems II ruling left many UK organisations scrambling to reassess their contractual frameworks and technical safeguards. The DUAA introduces a risk-based standard, requiring that protections in the receiving country are not materially lower than UK standards.
In practice, this is a significant shift. Organisations no longer have to chase perfect equivalence – something that was almost impossible in countries with different regulatory cultures. However, this does not mean “anything goes.” Companies must document their assessment of risk, demonstrate contractual safeguards, and ensure technical measures such as encryption and pseudonymisation are applied where necessary.
Consider a hypothetical UK health-tech start-up collaborating with a research lab in Canada. The DUAA allows them to transfer pseudonymised patient datasets for analysis, provided the receiving lab meets the risk-based standards. They must also have a clear internal audit trail, in case regulators ask how they ensured the data was adequately protected.
For practitioners, this encourages a risk-management mindset rather than blind compliance. It also opens space for innovation: UK firms can operate globally without constant legal anxiety, while still upholding high privacy standards.
7. Statutory Right to Complain: Accountability Embedded in Law
The DUAA formalises a statutory right for individuals to lodge complaints directly with organisations, which may seem like a small adjustment, but it has substantial implications. Previously, complaints handling was inconsistent: some companies had robust processes, others barely acknowledged inquiries, and the ICO often became the default first point of contact.
Now, organisations must provide:
Accessible complaint channels
Acknowledgment within 30 days
Substantive responses within a reasonable period
In practice, this means developing clear complaints policies, training staff, and incorporating complaint-handling into governance structures. From a legal perspective, the statutory requirement strengthens the organisation’s accountability and can serve as evidence of good governance in case of disputes.
For individuals, this change improves transparency and trust. Complaints can no longer be treated as informal or optional; they are now recognised as core instruments of accountability.
In practice: if a UK fintech firm receives a complaint from a customer about an automated loan rejection, then under the DUAA the firm must acknowledge the complaint, review the decision, and respond substantively. The process cannot be outsourced entirely to AI without human oversight – accountability is non-negotiable.
8. Cookies and Low-Risk Tracking: Pragmatic Consent
The DUAA introduces a practical approach to cookies and low-risk tracking technologies. While consent remains a cornerstone, the Act distinguishes between:
Essential cookies, necessary for service functionality, and
Low-risk cookies, such as anonymous analytics or non-intrusive performance trackers
This distinction removes unnecessary friction for website operators while maintaining transparency for users. For instance, a UK e-commerce company can now use aggregated analytics to improve checkout flow without needing explicit consent for each session, provided users are informed and can opt out.
The broader principle is proportionality. The DUAA acknowledges that privacy protection does not have to impede innovation or day-to-day operations. It encourages organisations to focus on meaningful protection, not box-ticking exercises.
9. ICO Reform: From Regulator to Strategic Commission
One of the subtler but most significant changes in the DUAA is the transformation of the ICO into a board-led Information Commission. This is not merely cosmetic; it changes how decisions are made, introduces strategic oversight, and aligns the regulator with best governance practices seen internationally.
The Commission is tasked with balancing:
Privacy rights protection
Innovation support
Competition and market fairness
National strategic interests
From a practical standpoint, this signals that regulators are not just enforcers but also guides. Organisations can expect clearer strategic priorities and better insight into enforcement thinking. For example, a company implementing a new AI-driven data analytics platform can now anticipate the regulator’s considerations more accurately, aligning design and compliance efforts proactively.
10. PECR and Enforcement: Raising the Stakes
The DUAA brings substantial changes to enforcement under the Privacy and Electronic Communications Regulations (PECR), aligning penalties with UK GDPR levels. Maximum fines can now reach 4% of global turnover or £17.5 million.
This is no small adjustment. It signals the regulator’s commitment to ensuring that digital marketing, electronic communications, and online tracking are taken seriously. Organisations can no longer treat PECR as an afterthought.
For compliance teams, this means: auditing email and SMS marketing lists, reviewing website cookie banners, and embedding consent and transparency processes into everyday operations. Ignoring these obligations is no longer just a regulatory risk; it is a material business risk.
11. Law Enforcement and Intelligence Data: Harmonisation Across Sectors
The DUAA also aligns law enforcement and intelligence data frameworks with broader privacy reforms. While private-sector organisations may rarely interact directly with these provisions, consistency across sectors matters for systemic integrity.
For contractors and vendors handling government or police data, this harmonisation affects:
Automated decision-making
Risk assessments for data transfers
Complaint handling and accountability
In practice, this creates a predictable, legally coherent environment. A company providing cloud services to a public-sector client, for instance, must ensure its privacy and security measures meet the DUAA’s standard, even when handling sensitive law enforcement datasets.
12. Smart Data Schemes and Digital Verification Services
The DUAA lays the groundwork for smart data initiatives and digital verification services, signalling a forward-looking vision for UK data infrastructure. Inspired by Open Banking, these schemes will enable secure, interoperable systems for identity verification, financial data sharing, and public-sector registers.
Organisations participating in these schemes will need to:
Integrate privacy by design principles
Ensure strong security and audit capabilities
Align operational processes with DUAA governance expectations
For example, a fintech company integrating smart data APIs must manage consent, access, and reporting in line with DUAA requirements – not just for legal compliance, but to build trust with users and regulators alike.
13. Phased Implementation: Preparing for the DUAA
Finally, the DUAA’s reforms will be implemented in stages over a period of months, so organisations need to prepare proactively rather than wait for each commencement date. Organisations should consider:
Reviewing lawful bases for all processing
Updating privacy notices to reflect new rights and procedures
Auditing automated decision-making workflows
Documenting international transfers and risk assessments
Enhancing SAR and complaint-handling mechanisms
Training staff to interpret and apply DUAA requirements
Those who treat this as an opportunity – rather than a bureaucratic burden – will gain a competitive advantage. Compliance is no longer just about avoiding fines; it’s about demonstrating trustworthiness, accountability, and operational maturity, values increasingly critical in the UK’s regulatory environment.
Keeping up with the DUAA and all the latest privacy requirements is no small task, and one slip could have serious consequences. At LexDex Solutions, we work alongside organisations to make data protection practical, manageable, and genuinely effective. From auditing your current systems to drafting policies that stand up under scrutiny, we ensure compliance is more than just a box-ticking exercise. Get in touch today about our Data Privacy Services and see how simple, confident privacy management can be.
