UK’s Data (Use and Access) Act (DUAA) 2026 — What Organisations Must Know
The Data (Use and Access) Act 2025 (DUAA) is the UK’s latest data protection law. It received Royal Assent on 19 June 2025 (which is why it is cited as a 2025 Act, c.18) and largely comes into effect during 2026. It started life as a data reform bill and is now statute. DUAA does not replace existing laws; it amends the UK GDPR, the Data Protection Act 2018 (DPA 2018) and the UK e-privacy rules (PECR). Its long title confirms that it covers customer data access, electronic communications and more. DUAA’s provisions update how personal data can be used, with a particular focus on promoting innovation and easing burdens on organisations.
DUAA originated in Parliament as a data bill in 2024-25 and became law mid-2025. It encompasses many technical changes, including modernizing data sharing for services (e.g., digital verification, open banking as “Smart Data” schemes). Although it passed in 2025, many provisions are set to be commenced in stages over 2025–2026. In other words, businesses should watch for commencement orders detailing exact start dates. Importantly, DUAA is an update to UK data law, not a wholesale overhaul. It leaves the core GDPR-based framework intact, tweaking specific areas to make data handling more flexible and clear.
The new Data Protection Act aims to encourage data-driven innovation and economic growth while preserving individuals’ rights. It does this by relaxing or clarifying certain rules so organizations can use data more effectively.
For example, the DUAA explicitly supports scientific and commercial research by allowing broad consent and easing notice requirements. It also modernizes governance: giving the ICO new powers and restructuring it as the Information Commission, plus requiring clearer procedures for complaints.
The overall spirit is to make things “easier for organisations” – for instance, by enabling more permissive data sharing and removing some redundant legal hurdles. Yet it maintains high data protection standards, ensuring responsible use with appropriate safeguards and accountability.
DUAA’s provisions touch many aspects of data law. The most significant changes affecting businesses include:
DUAA creates a new “recognised legitimate interests” basis for processing personal data. This means that for certain socially valuable purposes (e.g., crime prevention, safeguarding, emergencies), organizations no longer need to perform a detailed balancing test against individuals’ interests. If processing is necessary for one of these specified purposes, you can proceed on this new basis without the usual balancing exercise. This lightens compliance overhead in those cases, though businesses must still document the use of this basis and apply general necessity and proportionality standards.
Under DUAA, the framework for automated decisions with legal/similar effects (e.g., automated profiling) becomes more permissive. Organizations may rely on a wider range of lawful bases (including legitimate interests) to make significant automated decisions, provided they implement strict safeguards (such as providing information, allowing challenge, and human intervention). (Special category data is still subject to extra protection.) This opens up new uses of AI/automation for services, but it obliges firms to ensure transparency and an option for human review.
The DUAA clarifies and relaxes DSAR response duties. Notably, it introduces a “stop-the-clock” provision: if you need more information from the requester (for example, to verify identity or clarify the scope), you can pause the one-month response deadline until that information is provided. Once clarified, the clock resumes. DUAA also codifies that searches for personal data only need to be “reasonable and proportionate.”
DUAA explicitly redefines “research” in data protection law to include commercial scientific research. It allows researchers to obtain broad consent for a general field of research, rather than requiring fully specific purpose wording. This formalizes practices often needed in R&D (e.g., drug or AI research) and lowers barriers. DUAA also permits reusing personal data for research without fresh notice in cases where giving notice would be disproportionate, as long as other protections are in place.
The DUAA relaxes some cookie and tracking consent requirements. It explicitly lets organisations set certain low-risk cookies (e.g., simple analytics or functionality cookies) without express consent. This mirrors similar digital privacy changes in Europe and acknowledges that basic cookies used for site improvement can be exempt as long as users can easily opt out. High-risk tracking (e.g., targeted advertising) will still require consent under PECR. In practice, expect updates to cookie banners and consent management systems.
Beyond these areas, DUAA also facilitates broader data sharing initiatives. It supports new Smart Data projects (like Open Banking expansions) and digital identity systems by aligning data protection rules with these schemes.
DUAA offers UK businesses greater flexibility and innovation, but also new compliance tasks.
For many services and research projects, DUAA removes friction. The new recognised legitimate interests basis means projects (like developing security systems or health tech) can proceed without a lengthy balancing test, reducing delays. The explicit recognition of broad consent for research and expanded ADM options enables firms to use data in creative ways (subject to transparency). Even marketing is slightly eased: charities, for example, can use a “soft opt-in” to mail supporters unless they object.
On the flip side, organisations must update governance to match DUAA. New requirements include formal complaint-handling processes: you must help people submit data protection complaints (e.g., with an online form), acknowledge them within 30 days, and respond “without undue delay”. If you offer an online service likely to be used by children, you must explicitly consider their interests (following the Age Appropriate Design Code). Privacy notices and policies will need revision to mention the new lawful bases (legitimate interests, broad consent, etc.) and research provisions.
Key DUAA measures are phased in between mid-2025 and mid-2026. Some initial changes (e.g., provisions on data complaints) began in August 2025, while others (like cookie rule changes or new lawful bases) will follow via commencement regulations. Organisations should closely monitor official guidance (the ICO is updating its resources) to see when each change takes effect. Early awareness is crucial: even though a firm deadline may not be immediate for small entities, starting compliance planning now avoids surprises. (For reference, the government’s DUAA factsheet notes that implementation dates will be published on GOV.UK as they are set.)
The DUAA’s changes are positive but bring challenges:
With added flexibility comes the risk of misapplying the law. For example, relying on the new legitimate interests basis without ensuring an appropriate context or relying on cookie exemptions without proper user notice could invite regulatory scrutiny. Organizations must clearly document when and how they use the new lawful bases to avoid accidental compliance gaps.
Some businesses, especially small ones, may lack experience implementing the new rules. For instance, updating DSAR processes and training staff on the “stop-the-clock” mechanism could be a logistical hurdle. Similarly, adapting privacy notices and cookie banners for DUAA’s relaxed requirements requires coordination across legal and IT teams. Companies will need to allocate resources to these transitions.
The DUAA gives the ICO (restructured as the Information Commission) additional powers and responsibilities. Failing to operate the new complaint procedures or to treat children’s data appropriately can lead to enforcement action. Morgan Lewis notes that the DUAA introduces new nuances demanding “close legal scrutiny” by in-house counsel and privacy teams. In short, DUAA is an opportunity, but it is also a prompt to step up data governance to satisfy regulators.
The very innovations DUAA aims to enable (e.g., broader data sharing) must still respect privacy. For example, automating decisions more broadly can speed operations but also heighten privacy risks if safeguards are weak. Organizations must carefully balance DUAA’s ease-of-use provisions with the enduring principles of data minimization and security.
Organisations can follow these steps to prepare for DUAA:
The first step would be to map out all personal data flows in your organization. Identify what data you hold, why, and where it goes. This data inventory will highlight which new provisions apply. For example, if you conduct research, note where broad consent could be used; if you rely on legitimate interests, document those purposes. Also, ensure you apply data minimization principles everywhere – only collect and keep data that you truly need for each purpose.
Your privacy notices and cookie banners must be refreshed to reflect DUAA. Clearly describe any new lawful bases you will use (e.g., “recognized legitimate interests”) and explain the research/consent options. Update cookie notices so that analytics/service cookies clearly fall into the DUAA’s relaxed category – still giving an easy opt-out for users.
Re-train your privacy team on the “stop-the-clock” provision. For instance, when a DSAR arrives, you may now ask the requester for clarification or proof of identity before committing to a full search. Ensure your DSAR workflow has a step to pause and resume the deadline accordingly. Also, document clearly what counts as a “reasonable and proportionate” search under DUAA, so your team knows when broad hunts are unnecessary.
Any third parties or subprocessors should also comply with DUAA. Check existing contracts to ensure obligations cover the new requirements (e.g., handling of data subject rights, complaint procedures). Conduct thorough vendor risk management. Vet vendors for their ability to handle DSARs, data breaches, and the new lawful bases. Update data-sharing agreements to allow new forms of transfers (for example, you may rely on legitimate interests for sharing data with partners). In all cases, insist on contractual terms that match DUAA’s standards, including any cross-border data transfer changes.
Your team plays a vital role in complying with data protection laws. They are the ones who will collect or handle the data. Thus, it is essential to educate them about the DUAA changes. For example, marketing should understand the new “soft opt-in” rule for charities, IT should be aware of the cookie exemptions, and customer service should be ready for the complaint-handling requirements. Regular training ensures everyone knows their role in implementing these new processes.
Many organizations find it helpful to get specialized guidance. A data privacy consultancy or DPO (Data Protection Officer) service can perform a DUAA gap analysis and advise on a detailed implementation plan. Our DPO Consulting’s UK GDPR compliance services can help integrate DUAA changes into your existing GDPR framework. Our experts can streamline your transition, ensuring your policies, processes, and documentation align with the new law.
You might wonder how the new Act affects businesses. The answer is that while DUAA creates new compliance work, it also offers strategic advantages. By aligning UK data law with innovation goals, DUAA lets organisations create new products and services. For example, easier data use in research can accelerate the development of medical or AI technologies. Stronger data-sharing provisions support collaborative projects (such as smart infrastructure or open finance). Moreover, by stating its requirements more clearly, the DUAA reduces legal uncertainty. A forward-looking organisation can use this as an opportunity to build customer trust and a competitive advantage. Demonstrating that you handle data responsibly under the modernised DUAA framework can enhance your brand image.
The DUAA represents the UK’s first major data reform since Brexit. It will act as a modernized and new data protection law, making it more flexible for businesses while still upholding core privacy rights. To navigate DUAA effectively, organizations should proactively update their data protection programs now, rather than waiting for enforcement. This includes reviewing policies, processes, and contracts in line with the new provisions.
Get in touch with our experts to learn more about how we can help you.
No. The DUAA amends the UK GDPR (and the UK Data Protection Act 2018 and PECR) but does not replace them. The existing GDPR framework remains in place. DUAA simply updates certain rules within that framework to simplify processes and enable new uses of data.
DUAA adds a new lawful basis for specific purposes (e.g., public security, crime prevention, safeguarding, emergencies). For processing that falls under these “recognised legitimate interests,” you no longer need to balance your business interest against individuals’ interests or obtain consent. You must still meet a necessity requirement, but DUAA removes the detailed balancing test for these designated cases.
Yes. Nothing in DUAA forces you to abandon consent as a lawful basis. You can continue to use consent where it’s valid. In fact, DUAA even codifies “broad consent” for research in law, giving more flexibility for research scenarios. Just be sure your consent mechanisms and privacy notices are updated to mention DUAA’s changes (for example, that research projects may rely on broad consent in the future).
DUAA relaxes some cookie rules. Specifically, it allows certain low-risk cookies (like basic analytics or functional cookies) to be set without prior opt-in consent. You must still be transparent (e.g., via a notice or opt-out option), but the user does not have to give active consent for those exempted cookies. High-risk tracking cookies (for marketing, etc.) still require consent under PECR as before.
DUAA’s provisions are being phased in. Some parts began in late 2025, and others will follow up through 2026. The government will issue commencement regulations specifying exact dates for each change. Until then, organisations should prepare, but know that not every requirement is immediate. You can track announcements on GOV.UK or ICO guidance.
DUAA applies to all data controllers, but many obligations come in stages. Small businesses should start planning for the changes now (e.g., reviewing DSAR workflows and privacy notices), but may have more time before enforcement. The phased rollout means that some requirements (like formal complaint handling) kicked in earlier, while others (like cookie rule relaxations) may be later. In any case, familiarise yourself with the key changes and integrate them into your ongoing compliance efforts as your resources allow.
Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise.
External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.
Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.