THSP symbol

Changes to GDPR: The Data (Use and Access) Act 2025: What It Means for Your Business

The Data (Use and Access) Act 2025 (DUAA 2025) became law on 19 June 2025.

It doesn’t replace existing data laws (like UK GDPR, the Data Protection Act 2018, or PECR) but updates them to make data use easier for businesses while keeping protections in place for individuals. Most changes will come into force by June 2026.

The Key Changes (In Plain English)

Here’s what you need to know:

  1. Automated Decisions
    • Computers can make decisions (e.g. in hiring or credit checks), but:
      • People must be told when it happens
      • They must be able to challenge it or ask for human review
  2. Subject Access Requests (DSARs)
    • If someone asks to see their data, businesses can:
      • Pause the deadline if waiting for more info
      • Only carry out “reasonable” searches
      • Ask a court to check withheld information
  3. Children’s Data
    • Services likely to be used by children must build in stronger privacy protections by default.
  4. Research
    • Research rules are clearer. Consent can now cover future, related research projects.
  5. Legitimate Interests
    • Businesses can rely on new “built-in” lawful reasons to use data, such as:
      • Fraud prevention
      • Safeguarding
      • Emergencies
      • Direct marketing
      • Internal admin and IT security
  6. International Data Sharing
    • Easier rules for transferring data abroad, with clearer checks for which countries are considered safe.
  7. Complaints
    • You must offer an easy electronic way for people to complain about data use.
  8. Cookies & Tracking
    • Some cookies no longer need consent (e.g. those for fraud detection, authentication, or basic analytics), but users must still be told and given a way to opt out.

Why These Changes?

The government says DUAA 2025 will:

  • Cut down red tape for businesses
  • Support innovation and research
  • Keep the UK aligned with EU data standards (important for trade)

What You Should Do

  • Review your privacy policies – make sure they cover the new rules.
  • Update complaint channels – provide a clear, simple way for people to raise issues.
  • Check cookie banners – you may not need consent for some cookies but must still be transparent.
  • Train staff – ensure teams understand DSAR changes and children’s data protections.

DUAA 2025 is about simplifying data use, not adding extra burdens. Most businesses won’t need major changes, but it’s worth reviewing your processes now so you’re ready before the law is fully in force by June 2026.