The Data (Use and Access) Act 2025 (“DUAA”, “the Act”) received Royal Assent on 19 June 2025. The Act comprises three core pillars –
- Reforming the UK GDPR framework
- Establishing new mechanisms for customer and data sharing
- Creating a digital identity verification framework
The Act includes various provisions, including those which will enable the growth of digital verification services and Smart Data schemes, and changes to the UK’s data protection and privacy legislation.
The UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and Privacy and Electronic Communications (EC Directive) Regulations 2003 will not be replaced by the DUAA; however, it will make changes that make the rules simpler for organisations, with a focus on responsible data-sharing and high standards.
The DUAA has made changes to data protection law that affect organisations holding personal information.
The changes introduced through the Act include –
- Automated Decision Making – this means that organisations can now make decisions based on automated processing with legal effects on individuals, but safeguards must be implemented
- Subject Access Rights – timescales will be specified for organisations to respond to Subject Access Requests, with a “stop the clock” rule meaning pauses can be allowed for additional information to be obtained
- Children’s Data Protection – online services will be required to protect children’s data, enhancing privacy for minors
- Legitimate Interests – the legal basis for processing personal data will be expanded, allowing legitimate interests to be relied on by organisations for certain purposes
- International Data Transfers – frameworks for smart data schemes are established as part of the Act, clarifying the rules for transferring personal data internationally
Practical Steps
- Review internal policies to ensure they are compliant with the updated legislation
- Ensure DSAR guidelines and processes include the revised timescales and required record keeping
- Consider if privacy notices, cookie banners and complaints processes are compliant
Further Reading
The ICO have published guidelines which detail each of the changes, which can be accessed here – The Data Use and Access Act 2025 (DUAA) – summary of the changes to data protection law | ICO
Gov.UK information can be accessed here – Data (Use and Access) Act 2025: data protection and privacy changes – GOV.UK
Please contact us on team@hrprime.co.uk if you would like to discuss any aspect of this blog, or HR support of any nature.



