The next phase of the Data (Use and Access) Act 2025 (DUAA) came into force on 5 February 2025, marking a major milestone in the reform of the UK’s data protection framework. DUAA introduces some of the most significant changes since GDPR was adopted in 2018, aiming to simplify compliance, modernise rules, and support responsible innovation. It also introduces new obligations on UK businesses.
Below, we outline the key changes that now apply and what organisations should be doing to prepare.
1. New lawful basis: recognised legitimate interests
Organisations can now rely on a new lawful basis for processing personal data without undertaking the traditional balancing test and legitimate interests assessment, but only for specific purposes such as safeguarding national security, preventing crime, responding to emergencies, safeguarding vulnerable people, or assisting public bodies.
For all other processing, legitimate interest assessments (LIAs) are still needed, though DUAA introduces a non-exhaustive list of activities that may qualify, such as direct marketing, intra-group administrative data sharing and information security measures.
2. More flexible cookie rules – but higher fines for non-compliance
Consent is no longer required for certain low‑risk cookie uses, such as analytics used solely to improve website service performance, functional cookies to enhance user experience or security/fraud prevention cookies. Controllers must still provide clear information about cookies and a prominent opt-out mechanism. Cookies used for profiling and advertising will still require consent.
The new rules align with the ICO’s 2025 cookies enforcement focus, reminding controllers to ensure that users are provided with clear, unambiguous, and meaningful choices about how their data is tracked. The ICO is expected to continue to focus on the use of cookies and will expand its focus beyond websites to apps and connected TVs.
Potential fines for cookie violations are now aligned with fines under UK GDPR (see below).
3. DSARs and complaints handling
DUAA brings into law earlier ICO guidance confirming that controllers may “stop the clock” while awaiting further information from the individual in order to identify the information or processing activity to which a DSAR relates.
Although the statutory complaints procedure will not come into force until 19 June 2026, organisations should now begin preparing by updating privacy notices to explain how complaints can be made, creating an electronic complaints form and ensuring that they can acknowledge complaints within 30 days.
4. Relaxed rules on automated decision making (ADM)
The new ADM rules simplify the previous restrictions, which were considered too complex for organisations to navigate and which hindered the responsible use of ADM that might otherwise enhance efficiency.
The new rules allow solely automated significant decisions involving special category data only where:
- the individual has given explicit consent;
- the decision is necessary for entering into or performing a contract between the individual and a controller;
- the decision is required or authorised by law; or
- the decision is necessary for reasons of substantial public interest.
The new rules also specify safeguards which must be implemented by a controller making significant decisions based entirely on automated processing of personal data.
The safeguards include providing individuals with information, enabling individuals to make representations, enabling individuals to obtain human intervention, and enabling individuals to contest significant decisions.
5. Strengthening protection for children
Organisations which provide online services likely to be accessed by children must consider children’s higher protection matters by design and by default, which includes:
- how children can best be protected and supported when using the service;
- the fact that children merit specific protection with regard to their personal data, because they may be less aware of the risks and consequences associated with the processing of personal data and of their rights in relation to such processing; and
- the fact that children have different needs at different ages and stages of development.
These changes align with the ICO’s Children’s Code. The ICO has provided updated guidance on data protection by design and default to reflect considerations in product design governance, age assurance mechanisms and data protection impact assessments.
6. Enhanced ICO powers and new guidance
The ICO can now compel witness attendance, request technical reports and issue significant fines under the Privacy and Electronic Communications Regulations 2003 (PECR) of up to £17.5 million or 4% of global turnover, whichever is higher (aligning those fines with those possible under the UK GDPR, and a significant increase from fines of £500,000 possible under PECR previously).
The ICO has published updated guidance on default design, DSARs and law‑enforcement codes, with further consultations planned.
7. Recommended action points for organisations
- Assess whether any processing activities now fall within the recognised legitimate interests.
- Update LIAs where required, and consider internal data protection governance and the non-exhaustive list of legitimate interests examples set out in DUAA.
- Review all cookie practices and ensure prominent information and opt-outs. Consider using a reputable cookie consent management platform.
- Update DSAR procedures to incorporate “stop-the-clock” mechanics.
- Prepare a complaints-handling framework ahead of commencement of the new requirements.
- Evaluate use cases for automated decision making, ensure appropriate safeguards are implemented, and update the privacy notice accordingly.
- Reassess whether your services may be accessed by children and apply Children’s Code-aligned protections. Consider use of age assurance mechanisms and data-minimisation practices.
- Review direct marketing practices to ensure they are PECR-compliant in light of increased fines.
- Update policies, privacy notices, DPIAs, and Records of Processing Activities as needed.
- Make use of ICO guidance.
Anne Todd, Emily Aggett and our wider team of expert data protection and privacy advisors are on hand to assist you with any queries relating to the new rules.