Following the UK government’s earlier proposals to reform the data protection regime, the Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025. The DUAA amends the existing UK data protection framework—including the UK GDPR, the Data Protection Act 2018, and PECR—and forms part of the government’s wider strategy to create a more innovation-friendly and proportionate approach to data regulation in the UK.
Regulatory powers and enforcement landscape
The DUAA enhances the ICO’s toolkit in several notable respects:
- Power to require controllers or processors to produce reports on specified matters (s. 98).
- Power to compel representatives of controllers or processors to attend an interview with the ICO (s. 100).
- PECR fines rise to £17.5 million or 4 % of global annual turnover (whichever is higher), aligning maximum exposure with UK GDPR penalty tiers (schedule 13).
New or heightened obligations
- Complaints handling (s. 103)
  - Organisations must facilitate data-subject complaints (e.g., through an electronic form), acknowledge them within 30 days and respond without undue delay. This obligation underscores the need for refreshed internal workflows and record-keeping.
- Children’s data (s. 81)
  - Providers of online services “likely to be used by children” must explicitly consider children’s privacy needs.
Reducing compliance friction
- Compatibility presumptions (s. 71)
  - Re-use of data for archiving in the public interest, scientific or historical research, and certain other purposes is presumed compatible with the purpose of the original collection, eliminating the need for additional compatibility analyses.
- Subject access requests (SARs)
  - The “reasonable and proportionate search” standard is codified, limiting the scope of searches and reducing the burden of “industrial scale” SARs. Controllers are allowed to stop the clock to clarify a request if they hold large amounts of data about the requestor.
- “Soft opt-in” extended to charities (s. 114)
  - Charitable organisations can send electronic marketing to supporters under conditions analogous to those available to commercial entities.
- Recognised legitimate interests (schedule 4 and s. 70)
  - For specific activities (mainly available to public authorities), the balancing test against data-subject rights is removed, streamlining assessments.
  - The DUAA also provides a list of processing activities that may be able to rely on legitimate interests, which include (i) processing that is necessary for direct marketing; (ii) intra-group transmissions of personal data for administrative purposes; and (iii) processing that is necessary for the purposes of ensuring the security of network and information systems. These activities still require a balancing test (s. 70).
- Adequacy decisions by the UK (schedule 7)
  - The standard applied in UK adequacy decisions becomes whether a third country’s level of protection is “not materially lower” than the UK’s, rather than “essentially equivalent”.
Facilitating innovation
- Automated decision-making (ADM) (s. 80)
  - Organisations may rely on any lawful basis, not solely consent or contractual necessity, to make significant automated decisions about individuals, provided appropriate safeguards remain in place.
- Cookies and tracking technologies (schedule 12)
  - Certain analytics and functionality cookies can be set without obtaining prior consent, easing friction for digital services that rely on performance insights. The list of strictly necessary cookies now includes cookies used to protect information provided in connection with the provision of the services requested, to protect the security of the device used to access those services, to prevent or detect fraud or technical faults, or to authenticate the identity of the user. The DUAA also allows consent to cookies to be given via browser settings.
- Research provisions
  - The broader “scientific research” concept now expressly includes commercial R&D (s. 67).
  - Individuals may provide “broad consent” for future research projects (s. 68).
  - Privacy notices may be omitted where providing them would be a disproportionate effort, so long as alternative safeguards are adopted and the information is publicly available (s. 77).
The ICO will update its guidance for organisations as the DUAA reforms take effect.