The UK's Data (Use and Access) Act 2025 (DUA Act) reforms the UK GDPR and Privacy and Electronic Communications Regulations (PECR), and sets up frameworks for sharing of business and customer data, and digital identity verification. While the Act was passed in 2025, much of it has been or is being brought in under secondary legislation. We look at what changes when.
UK GDPR
The DUA Act makes a number of changes to the UK GDPR:
- Scientific research becomes a defined term based on what was previously in the recitals. The DUA Act also modifies the definition of consent to scientific research data processing and simplifies appropriate safeguard requirements for the RAS purposes (scientific or historical research, archiving in the public interest, or statistical purposes).
- The Act introduces the concept of recognised legitimate interests for which there is no need to carry out a Legitimate Interest Assessment. There are currently five recognised legitimate interests covering crime prevention, public security, national security or defence, safeguarding, emergencies or sharing personal information to help other organisations perform their public tasks or official functions.
- There are changes to the purpose limitation and clarification of what constitutes further processing.
- Rules on automated decision-making (ADM) are amended to deliberately enable ADM involving personal data to be more flexible under the UK GDPR than under the EU GDPR – essentially the stricter regime would only apply to processing involving special category data.
- The Secretary of State has the power to approve third countries for data export purposes, and the Act introduces a new data protection test to assess whether the third country or international organisation has a standard of data protection not materially lower than that in the UK.
- Timelines for responding to DSARs are further clarified, as is when a controller may require further information from the data subject.
- All controllers are required to have complaints handling procedures in place in accordance with DUA Act requirements by 19 June 2026. This includes providing a means of complaint, acknowledging complaints within 30 days of receipt, taking steps to respond without undue delay and telling people the outcome without undue delay.
- There are a number of changes to the role of the ICO, which will become the Information Commission governed by a Board.
- The Secretary of State has powers to make changes to the types of data classed as special category data under secondary legislation.
PECR
Changes include:
- New exceptions to the requirement to obtain consent to cookies for analytics and content optimisation, although transparency and opt-out requirements remain.
- Breach reporting timelines under PECR and fines for non-compliance change to mirror those under the UK GDPR.
Data sharing
The DUA Act is similar in ambition to the EU's Data Act, Data Governance Act and European Health Data Space. Among other things it:
- Gives powers to the Secretary of State to make provisions on access to customer and business data. This has the potential to replicate elements of the Data Act and Data Governance Act at EU level, but is not limited to IoT (as the data sharing elements of the Data Act are) or public sector data (as the Data Governance Act is). The Act provides a very broad canvas for the government, but the focus seems to be on creating open public databases of 'smart data', including on a sectoral basis, to encourage innovation and competition.
- Creates a framework for trusted identity verification services.
- Provides for a national register of underground services like power, water and utility pipes and cables.
- Sets out new provisions on birth and death registers.
- Makes some changes to law enforcement data access and retention.
- Provides for uniform information standards concerning information technology for the provision of health and adult social care in England. This is the part of the legislation which will allow for single medical records, accessible across all health and social care services, and is the aspect of the Act which the government is particularly highlighting.
- Introduces provisions around access by researchers to certain data relating to online safety issues.
What happens when?
Secondary legislation has already been passed which brought in the majority of changes to the UK GDPR and PECR from 5 February 2026. The rules on complaints procedures will apply from 19 June 2026.
Part 1 of the DUA Act, which covers access to customer data and business data in relation to smart data schemes, has also been brought into force; however, this still requires a framework to be introduced under further secondary legislation.
Regulations have also been tabled to pave the way for the new Information Commission with the transition taking place following the appointment of the new Board.
Guidance
The ICO has been working to update or create new guidance as a result of the DUA Act and the changes it has made to the data privacy regime. Notably:
- On 12 February 2026, the ICO published updated guidance offering practical advice on how to comply with the requirement to have a complaints procedure in place, which will apply from 19 June 2026.
- On 27 February 2026, the ICO opened a consultation, which closed on 5 May 2026, on updates to its guidance on the Research, Archiving and Statistics provisions following the introduction of the DUA Act.
- On 23 March 2026, the ICO published guidance on recognised legitimate interest, which sets out when this can be used, what the recognised legitimate interest conditions are and what other considerations need to be taken into account.
- On the same day, the ICO also published guidance on compatibility and the reuse of personal information. This complements brief guidance on purpose limitation but goes into more detail to help controllers apply the rules on reuse and compatibility in practice.
- On 31 March 2026, the ICO launched a consultation on draft revised guidance on automated decision-making and profiling. In particular, it includes new content on how a controller can determine whether processing falls within Article 22A GDPR – i.e. that it is a solely automated decision which has significant effects; clarification on when using ADM has restrictions and what conditions must be satisfied before it can take place; and a new section on safeguards and data subject rights. The consultation closes on 29 May 2026. The ICO is also required to prepare a statutory Code of Practice on ADM.
When the DUA Act came in, there were concerns about diverging from the EU data protection regime and at how that might impact the EU-UK adequacy decision. The EU did, however, renew the adequacy decision for six years until December 2031 and is, itself, currently looking to amend the GDPR under its Digital Omnibus proposal. The changes to the UK personal data regime were ultimately fairly nuanced with greater change perhaps likely to be around the sharing of non-personal data although many of the changes offer pragmatic clarifications. Nonetheless, the DUA Act does mean that the UK's personal data regime is slightly different to the EU's now and the differences are likely to grow once the EU passes the Digital Omnibus.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.