Data (Use and Access) Bill receives Royal Assent
July 2025
The Data (Use and Access) Bill received Royal Assent on 19 June 2025 and is now the Data (Use and Access) Act (DUA Act). The DUA Act introduces amendments to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR). It builds on existing laws to reduce certain requirements on organisations while preserving the core privacy safeguards imposed under UK GDPR and PECR.
The DUA Act provides the Information Commissioner's Office (ICO) with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under PECR.
Changes the DUA Act introduces
Changes to data protection law will be undertaken in stages and exact dates for the measures are not yet known. We have summarised some of the key changes below.
- The National Underground Assets Register (NUAR)
The NUAR is transitioning to a statutory footing in England, Wales and Northern Ireland, following the implementation of the DUA Act. This means that asset owners will be legally required to share data digitally through the NUAR, rather than responding to individual requests. The transition to a statutory register is expected to improve safety and efficiency and reduce the number of accidental utility strikes. Going forward, those organisations involved in the management or maintenance of underground assets may be required to provide accurate, timely data on their infrastructure and ensure that it is portable.
- Automated decision-making
This narrows the scope of the current position under the UK GDPR and creates a more flexible framework for organisations to make decisions using solely automated processing, provided they have implemented certain safeguards. Unless special category data is involved, automated decision-making will no longer be subject to the more severe restrictions imposed by the UK GDPR.
- Subject access requests
This formalises the ICO’s guidance that organisations need to make reasonable and proportionate searches when responding to requests. It also allows organisations to ‘stop the clock’ when responding to a requester if they need more information. Once the information has been provided, the response time resumes.
- Scientific research
The DUA Act provides clarity around when organisations can use personal data for the purposes of scientific research, including commercial scientific research. It clarifies that people can give ‘broad consent’ to an area of scientific research. It allows organisations to re-use personal data for scientific research without giving the data subject a privacy notice if that would involve a disproportionate effort. However, the organisation must protect the data subject’s rights in other ways and still explain what they are doing by publishing the notice on their website.
- Recognised legitimate interests
The DUA Act will introduce a list of recognised legitimate interests which can be updated and changed over time. The purpose is to make it easier for organisations to rely on legitimate interest grounds for data processing.
- International data transfers
The DUA Act simplifies the rules and provides necessary clarification for transferring personal data internationally. It introduces a risk-based approach leaving it to data controllers and processors to determine whether the standard of protection in the third party’s country is “materially lower than the standard of protection provided” in the UK.
- Cookies
The DUA Act allows the use of ‘cookies’ without explicit consent in certain, low-risk situations. For example, using them to collect information for statistical purposes and improve the functionality of an organisation’s website.
- Complaints
The DUA Act introduces new rules in relation to the processes that controllers must adopt when handling complaints. Data subjects must complain directly to the controller before going to the ICO. Controllers must have a complaints process (such as an electronic form) and must acknowledge complaints within 30 days.
- Smart data
A new framework will be created for smart data schemes. The schemes should allow for the sharing of customer data between organisations and third parties and promote innovation, competition and consumer empowerment. They will apply to traders of goods, services and digital content. The intention is to expand on the principles of open banking, targeting areas such as energy and telecoms to assist with data portability. The precise details for the schemes will be set out in additional legislation and organisations will need to wait until the regulations have been published to understand how they will work.
- Digital verification services
Under the DUA Act, the Government will set up a new framework for digital identities with the aim of enhanced trust and greater certainty around digital verification services.
Implications for organisations and next steps
The introduction of the DUA Act has important implications for organisations, particularly those involved in data-driven innovation, research and partnerships with the public sector. However, they should not need to make substantial changes to existing data protection compliance frameworks. Currently, many of the key changes rely on secondary legislation to be implemented before organisations can really understand the implications. Organisations should therefore familiarise themselves with the changes to ensure that existing governance and frameworks will comply with data protection laws and consider where they can take advantage of changes or amendments, for instance in automated decision-making, particularly given the increase in AI tools that can facilitate innovation.
Next steps:
- Monitor implementation
Keep up to date with the implementation of secondary legislation and the impacts on the organisation.
- Review and update policies
Organisations should reflect on new lawful legitimate interests, cookie rules and compliance processes.
- Train staff
Ensure staff are aware of changes around automated decisions, data subject access request handling and data sharing in relation to international data transfers.
- Prepare for NUAR and smart data
Identify systems that may need interoperability, portability or secure identity verification. However, as this is reliant on secondary legislation, it does not require immediate action.
How we can help
To learn more about how we can help your organisation navigate the changes resulting from the introduction of the DUA Act and assist with any of the above areas, please contact:
- James Hutchinson – j.hutchinson@beale-law.com – +44 (0) 20 7469 0408
- Jonathan Booton – j.booton@beale-law.com – +44 (0) 20 7469 0403