
Data Protection:

Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (“DUA Act”) received Royal Assent in June 2025 and is being brought into force in stages from August 2025. It is intended to simplify and update the existing data protection framework: the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). Although the changes do not amount to a wholesale overhaul of that legislation, they do affect how individuals’ personal data may be processed and what organisations must do in practice.

Changes made by the DUA Act:

1) Digital Verification Services (“DVS”)

The Secretary of State must publish a trust framework setting out the rules that providers of Digital Verification Services must meet. This could have a significant effect on how individuals and businesses interact with services such as electronic signatures and right to work checks. The main aim of the DVS framework is to allow individuals to prove facts about themselves (for example their identity or right to work) without handing over copies of the underlying documents, so that data controllers and processors hold less personal data and the impact of any data leak is reduced, while ensuring that DVS providers themselves comply with current data protection law.

2) Responding to Data Subject Access Requests

The rules for responding to subject access requests have been clarified: data controllers are only required to carry out “reasonable and proportionate” searches for the requester’s personal data, and must respond within the existing period of one calendar month. The clock can be paused while you are waiting for the requester to confirm their identity or to clarify what they are asking for. In practice this means a search does not have to be exhaustive; it must be reasonable given the nature and volume of the data held and the resources available to the organisation.

3) Complaints

Under the DUA Act, organisations must provide a straightforward and accessible process for data subjects to complain about how their personal data is handled, for example by providing a complaint form. Complaints must be acknowledged within 30 days of receipt and then responded to without undue delay, informing the complainant of the outcome. Schools and academies will typically have such a process in place already.

4) Collection of Cookies

The DUA Act introduces new exemptions from the PECR rule that consent is required before storing information on, or accessing information from, a user’s device (typically by way of cookies). Consent is no longer required where the sole purpose is to collect statistical information about how the website is used, or to adapt the appearance or functionality of the website to the user’s preferences. However, the website operator must still give the user clear and comprehensive information about what is happening and a simple means of objecting, and cookies used for advertising or other tracking still require consent.

5) Increased fines and powers

A key change to note is the increase in the maximum fines that can be imposed for breaches of the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing and cookies. The maximum has been raised from £500,000 to £17.5m or 4% of an organisation’s annual worldwide turnover (whichever is higher) for serious breaches, bringing PECR fines into line with the current UK GDPR levels. In addition, the regulator is granted enhanced investigatory powers, including the ability to require organisations to produce documents and evidence of compliance, such as records of how subject access requests were handled, legitimate interests assessments and data sharing agreements.

6) Recognised legitimate interests

The DUA Act introduces a new lawful basis of ‘recognised legitimate interests’. Where processing falls within this basis, the organisation does not need to carry out a legitimate interests assessment (the balancing test). The UK GDPR has previously been fairly vague on when processing in the public interest can rely on legitimate interests; the DUA Act now sets out a defined list of purposes, including disclosing data to public bodies such as the NHS or law enforcement where they need it to carry out their public tasks, safeguarding vulnerable individuals, and detecting, investigating or preventing crime (which includes fraud). The Secretary of State can add to this list by regulations.

For processing activities not on the recognised list, organisations relying on legitimate interests must continue to conduct a balancing test to confirm that their interests are not overridden by the rights and freedoms of data subjects, and should document that assessment. The DUA Act also gives examples of purposes that may amount to a legitimate interest (such as direct marketing, sharing data within a group of companies, and network and information security), which helps in structuring and documenting the assessment.


7) International data transfers

The Secretary of State is given power to make regulations approving transfers of personal data to other countries, reforming the current adequacy framework into a ‘data protection test’: the standard of protection in the destination country must not be materially lower than that under UK law. Although no such regulations have yet been made, the DUA Act sets out the factors to be considered when assessing the destination country. These include:

  • Relevant international obligations;

  • Data protection regulations;

  • The rule of law; and

  • Human rights.

8) Children and online services

If you provide an online service that is likely to be accessed by children, the DUA Act explicitly requires you to take their needs into account when deciding how to use their personal information. You should already meet this requirement if you conform to the ICO's age-appropriate design code (AADC). Handsam advises clients to check that any third party software they use has been adjusted to comply with this requirement as, previously, conformance with the code was guidance rather than a statutory duty in its own right.

For full details of the implications of the new Act see the ICO's guidance here: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/

Next steps

Clients should now review their internal policies and procedures to ensure they comply with the Act. For example:

  • Review your privacy and cookie policies;

  • Undertake a full review of internal policies and staff training, and update them as needed to comply with the new rules;

  • Review any third party software you use to confirm that it has been adjusted to comply with the new Act's requirements;

  • Make sure the searches you carry out in response to subject access requests are 'reasonable and proportionate' and that you can show how they were done; and

  • Watch for the new regulations on overseas data transfers and review any existing international transfers when they are made.

If you are an existing data protection client and require any advice in relation to data protection, or how the new legislative changes will affect your business, please contact the Handsam client support team via info@handsam.co.uk.

Please also contact us if you would like a quotation to join our Data Protection Service.
