What the New UK Data Law Means for Your Business: DUAA 2025 Explained

Posted on August 7, 2025 by Kayleigh Wilkinson
Since the launch of the Data Use and Access Act 2025 (DUAA), there has been some confusion around what organisations need to be aware of. As a security-focused managed service provider, we want to help ensure businesses are up to speed with the latest changes in UK data protection law.
Importantly, the DUAA does not replace the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. Instead, it introduces targeted reforms designed to modernise and simplify the UK’s data protection regime. By refining specific legal requirements, particularly around automated decision-making, cookies, and lawful bases for processing, the DUAA aims to reduce compliance burdens while upholding strong standards for privacy and data security.
The DUAA introduces significant updates to how personal data can be used, shared, and safeguarded across sectors. Understanding these changes is essential for organisations that handle personal data in any capacity. Below is a summary of the key reforms, based on guidance from the Information Commissioner’s Office (ICO):

Automated decision-making: The DUAA permits organisations to rely on a broader range of lawful bases, including legitimate interests, when making significant automated decisions involving personal data. However, this does not extend to special category data, which continues to receive heightened protection. Appropriate safeguards remain essential.

Cookie rules: The new rules allow certain non-intrusive cookies to be set without user consent, particularly those used for statistical analysis or improving website functionality. Consent is still required for cookies used for tracking or profiling.

Recognised legitimate interests: When processing personal data under a designated ‘recognised legitimate interest’, organisations are not required to conduct the usual balancing test weighing individual rights against organisational benefit. An example includes data use for public security.

Soft opt-in for charities: Charities may now send electronic marketing communications to individuals who have expressed interest in or supported their work, provided they are given the opportunity to opt out. This approach aligns charities more closely with rules that already apply to commercial organisations.

Subject access requests (SARs): The law clarifies that organisations are only required to conduct reasonable and proportionate searches when responding to SARs. This aims to reduce undue burden while ensuring individuals’ rights are respected.

Handling data protection complaints: Organisations must provide accessible methods, such as electronic forms, for individuals wishing to lodge complaints. Acknowledgements must be issued within 30 days, and full responses provided without undue delay.

If your organisation handles personal data, whether relating to customers, employees, or marketing, these changes are relevant. You may need to review your data processing practices, update privacy notices, and ensure staff are trained on the new requirements.
For official guidance and detailed summaries, we recommend visiting:
Need help navigating the DUAA?
If you are unsure how these changes apply to your organisation, or if you need support reviewing your policies and processes, our team is here to help. Get in touch today to discuss your readiness for the DUAA 2025.