
The UK Data (Use and Access) Act 2025 is now practical, not theoretical, and businesses have a deadline approaching.

The UK Data (Use and Access) Act 2025 (DUAA) is one of the most significant updates to UK data protection law since the UK GDPR. It does not replace the UK GDPR or the Data Protection Act 2018. Instead, it amends the existing framework and introduces several practical changes that organisations need to prepare for.

The most urgent change is the new statutory requirement to have a data protection complaints process in place by 19 June 2026. This applies to every controller of personal data, with no exemption for small businesses.

For many companies, this means that data protection compliance can no longer sit only in privacy notices, policies or internal registers. Businesses will need clear procedures, assigned responsibility, documented timelines and evidence that complaints are handled properly.

Below are the key changes introduced by the Act and a DUAA compliance checklist with practical steps your business should take.

Priority Action Checklist

What to do, and when

The UK Data (Use and Access) Act 2025 introduces practical changes that businesses should prepare for now. Start with the mandatory complaints process, then update your wider privacy governance step by step.

1. Before 19 June 2026

  • Implement a complaints procedure with 30-day acknowledgement and publish it.
  • Appoint a complaints owner and set up a complaints log.
  • GDPR Register users: add complaints as a separate request type in your SAR type list to start tracking and managing them in one place.

2. Next 90 days

  • Update the SAR process with a stop-the-clock mechanism.
  • GDPR Register users: use the updated SAR module.
  • Audit automated decision-making processes and document safeguards.
  • Review the ROPA and lawful bases in light of the new recognised legitimate interests.
  • Refresh Transfer Impact Assessments.

3. Next review cycle

  • Carry out a privacy-by-design review for children’s services.
  • Review research processing and consent mechanisms.
  • Strengthen accountability documentation ahead of tougher ICO enforcement.
  • Assess Digital Verification Services and Smart Data readiness.
  • Subscribe to ICO and GOV.UK updates for commencement regulation alerts.

The Immediate Priority — A Mandatory Complaints Process

The first and most urgent obligation under the new framework is the requirement to have a formal data protection complaints process in place by 19 June 2026.

This applies to every controller of personal data. The ICO has confirmed that there are no exemptions, including for small businesses.

In practice, organisations must be able to:

  • give individuals a clear way to raise a data protection complaint;
  • acknowledge the complaint within 30 days of receiving it;
  • investigate it without undue delay and keep the complainant informed; and
  • tell the individual the outcome without undue delay.

This means businesses should not wait until a complaint is received before deciding how to handle it. A written process should already be in place, with a responsible person or team assigned to manage complaints.

At a minimum, organisations should prepare a complaints procedure, make it visible to customers, and maintain a log showing when each complaint was received, acknowledged, investigated and closed.

For businesses in higher-risk sectors such as healthcare, financial services, technology and retail, this should be treated as an immediate compliance priority.

Subject Access Requests — New “Stop the Clock” Rules

The Act introduces helpful clarification around subject access requests. Organisations can now pause the one-month response deadline while waiting for an individual to supply information the organisation reasonably needs to identify the data or processing the request covers.

This is particularly useful where a request is broad, unclear or difficult to process without further information. The deadline resumes once the organisation receives the clarification it needs.

The Act also confirms that organisations are only required to carry out searches that are reasonable and proportionate.

Businesses should update their SAR procedures to reflect this change. In practice, this means documenting when clarification was requested, when the clock was paused, when the response period restarted and what search steps were taken.

Staff who handle SARs should also be trained on the new standard, especially on how to assess whether a search is reasonable and proportionate.

Automated Decision-Making — More Flexibility, But Safeguards Still Matter

The Act creates a more permissive framework for solely automated decision-making. The general prohibition on solely automated decisions with legal or similarly significant effects is narrowed to decisions that rely on special category data; for other significant decisions, organisations may use automated systems, provided appropriate safeguards are in place.

This is particularly relevant for businesses using AI or algorithmic tools in areas such as recruitment, credit scoring, insurance pricing, fraud detection or customer profiling.

However, this does not mean automated decision-making is risk-free. Where decisions have legal or similarly significant effects on individuals, organisations must be able to explain the decision-making process and give individuals meaningful rights.

Businesses should map where automated or AI-driven decisions are being used, identify which decisions may significantly affect individuals, and document the safeguards in place.

These safeguards should include informing individuals about significant automated decisions, allowing them to challenge outcomes, enabling them to make representations and offering access to human intervention where required.

Legitimate Interests — New Recognised Grounds

The Act introduces a new list of “recognised legitimate interests” under the UK GDPR. These are specific types of processing where organisations may rely on legitimate interests without carrying out a full Legitimate Interests Assessment.

Examples include certain processing for crime prevention, safeguarding and emergency response.

This is a useful simplification, but it should not be treated as a blanket exemption. The processing must still be necessary, and organisations should still record why the recognised legitimate interest applies.

Businesses should review their existing legitimate interests processing and identify whether any activities fall within the new recognised categories.

Where they do, the organisation may be able to simplify its documentation. Where they do not, a full Legitimate Interests Assessment will still be needed.

In either case, the decision should be recorded in the organisation’s records of processing activities and reflected in the privacy notice where necessary.

Purpose Limitation — Clearer Rules on Reusing Data

The Act also clarifies when personal data collected for one purpose may be reused for another purpose.

This matters because many businesses collect data for one reason and later want to use it for another. For example, customer data collected to provide a service may later be considered for analytics, fraud prevention, product development or internal reporting.

The new rules provide more structure around when this type of further processing is permitted, including in certain public interest situations such as crime prevention.

Businesses should review activities where personal data is reused for secondary purposes. For each activity, they should assess whether the new use is compatible with the original purpose or whether a separate lawful basis is required.

This assessment should be documented, especially where the further use could affect individuals’ expectations or rights.

Research Processing — Commercial Research Is Now Explicitly Covered

The Act provides clearer rules for research processing and expressly recognises that scientific research can include commercial research.

This is important for businesses involved in areas such as pharmaceuticals, health technology, analytics, product testing, AI development or market research.

The Act also gives more formal recognition to broad consent in research contexts. This means that, in appropriate cases, individuals may consent to an area of research rather than a narrowly defined individual study.

Businesses using personal data for research should review whether their activities fall within the updated research provisions.

They should also check whether their consent wording, transparency information and internal documentation are still appropriate.

For organisations that previously avoided certain commercial research activities because of uncertainty, the new rules may provide more legal clarity — but they do not remove the need for good governance.

Children’s Data — Privacy by Design Becomes Even More Important

The Act introduces an explicit duty for services likely to be accessed by children to consider children’s higher protection needs when designing data processing activities.

This includes children’s safety, their lower awareness of data protection risks and the different needs of children at different ages.

This requirement is especially relevant for online services, apps, platforms, games, educational tools and any digital service that children are likely to access.

Businesses should identify whether any of their services are likely to be accessed by children. If they are, the organisation should carry out a privacy-by-design review and document how children’s interests have been considered.

This should not be treated as a one-time legal exercise. It should be built into product design, UX decisions, default settings, age-appropriate transparency and risk assessments.

International Transfers — Update Your Transfer Assessments

The Act introduces a clearer standard for assessing international data transfers. The key test is whether the level of protection in the recipient country is “not materially lower” than the protection under UK law.

Organisations must apply this test reasonably and proportionately.

This affects transfer mechanisms such as standard contractual clauses and transfer impact assessments.

Businesses should refresh their transfer impact assessments and document how the new standard has been applied. They should also review existing transfer schedules, vendor relationships and international data flows.

The Act also removes the fixed four-year review cycle for adequacy decisions and replaces it with ongoing monitoring. This means transfer governance should become a continuous process rather than a calendar-based exercise only.

ICO Enforcement — The Regulator Has Stronger Tools

The Act strengthens the ICO’s enforcement powers.

The regulator will have new powers to require organisations to commission and pay for independent technical reports during investigations. It will also be able to compel individuals to attend formal interviews, with consequences for false statements.

This means that poor documentation, weak accountability records or an inability to explain compliance decisions may create greater regulatory risk.

Businesses should make sure that key privacy documentation is up to date and easy to access. This includes DPIAs, ROPAs, breach logs, LIAs, transfer assessments, SAR records and complaints logs.

The practical message is simple: if the ICO asks questions, the organisation should be able to show what decisions were made, why they were made and who was responsible.

Digital Verification and Smart Data — What to Watch Next

The Act also creates a framework for certified Digital Verification Services and enables new Smart Data schemes.

Digital Verification Services may be relevant for organisations involved in identity verification, age assurance, onboarding, KYC checks or trust services.

Smart Data schemes may become important in sectors such as finance, energy, telecoms and other markets where consumers may be able to direct how their data is shared between providers.

These areas may not require immediate action for every business, but they are worth monitoring.

Businesses operating in affected sectors should follow updates from the UK government, regulators and industry bodies to understand whether new data-sharing obligations or opportunities may apply to them.

Conclusion

The Data (Use and Access) Act 2025 does not require businesses to rebuild their privacy programmes from scratch. However, it does require organisations to update several important processes and prepare for more active regulatory scrutiny.

The most urgent priority is the new complaints handling requirement, which must be in place by 19 June 2026.

After that, organisations should review their SAR procedures, automated decision-making safeguards, legitimate interests assessments, data reuse practices, transfer impact assessments and accountability documentation.

For businesses that already maintain structured privacy processes, these changes should be manageable. For those relying on informal practices, the Act is a clear reminder that privacy compliance needs to be operational, documented and ready to evidence.

Tags:
case study
gdpr
gutenberg
interesting