What the Data (Use and Access) Act 2025 means for your business

The Data (Use and Access) Act 2025 (DUAA) is a new law introduced by the Government, aimed at making it easier for most businesses to navigate the labyrinth of obligations relating to data collection, storage and use. The changes introduced by the Act will be phased in until June 2026, by which point businesses will need to be compliant with its provisions.

After the introduction of UK GDPR, yet another law relating to data protection may seem to add to, rather than reduce, the burden on a business. However, the new law aims to make things easier for organisations, whilst still protecting people and their rights.

In this blog we provide an overview of the key provisions businesses should be aware of and outline a brief list of actions that may be prudent to take between now and June 2026.

Does it replace other data protection laws?

The short answer is no. The DUAA does not replace the UK GDPR or the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations, but rather amends certain areas. The DUAA seeks to make data protection obligations less onerous in certain circumstances, for example, data access and sharing, use of cloud services, use of cookies, and simplifying the subject access request and complaints processes.

Data access and sharing

Perhaps the most relevant change for many businesses is that it will now be easier to make decisions around data collection and usage. As an example, you can now rely on the ‘legitimate interest’ legal basis to collect data for use in direct marketing. This widens the range of situations in which you can gather data and reduces the burden of obtaining consent where legitimate interest can be relied upon. However, this is not intended to serve as a carte blanche, and businesses do need to ensure processing is necessary and proportionate.

Additionally, a broader basis for consent will allow businesses to share data with public bodies. For example, if the police needed access to data you had gathered for research purposes, the DUAA now allows you to share this without needing specific consent from your customer or client base.

Cloud-based data storage and processing

This lighter approach also makes it easier for businesses to store and process data that is held in the cloud. While the obligation to have data processing agreements in place remains, as do the enhanced requirements for sensitive data, businesses can now confidently justify using the cloud for activities such as customer relationship management and other analytical operations.

We recommend carrying out a review of any cloud-based services you use or need for your business, as the DUAA also introduces changes relating to cloud services that offer identity verification or digital wallets, or that integrate automated tools such as AI.

It is worth noting that the DUAA expands the Information Commissioner’s enforcement powers, so it will be even more important to ensure that your use of cloud service providers is covered diligently in any compliance review, especially since many cloud-related breaches involve cookies, tracking, or email marketing tools.

Consent for use of cookies

The DUAA now allows websites to use non-intrusive cookies to help businesses improve their website functionality without users needing to explicitly consent to or approve the use of these types of cookies. Non-intrusive cookies would include, for example, those whose data is used by businesses only for statistical analysis.

However, the DUAA also increases the fines for companies engaging in unlawful marketing or improper use of cookies. It is, therefore, prudent to seek legal advice to ensure your marketing strategies and website cookie usage are and remain compliant.

Complaints made easier

The new Act reduces your obligation to investigate any subject access request ‘rigorously’; a ‘reasonable and proportionate’ search will now suffice.

Businesses are now required to supply, or make available to users, an electronic complaint form in case they wish to raise complaints about personal data usage. Standardising this will make it easier for businesses to manage incoming complaints without the risk of emails going into junk folders or not being received, and of timelines being breached as a result.

‘Special category’ obligations not affected

So far, we have discussed key areas where there has been a relaxation of the data handling obligations. However, special category data (such as information about racial or ethnic origin, political biases, health data, or other unique identification data) is outside the scope of the relaxations. Therefore, if your business deals with special category data, you may not benefit as much from the changes within the DUAA. Our experienced team can assist in advising whether any data you currently handle would fall under the umbrella of ‘special category’ data.

For the most part, data handling obligations with respect to children, or to online services provided to children, are also not affected, but there may be applicable provisions on which your business needs to take action.

This is where we would recommend a full data protection audit be undertaken, followed by a plan of action steps to be implemented, in order to ensure your business can avail itself of the provisions in the DUAA while still remaining compliant with the other data protection laws and regulations.

Steps to take now

If your business collects, stores, or processes personal data, the following steps are recommended as a starting point:

  • undertake a review of your current processes, including any required due diligence with cloud service providers you may use;
  • assess those processes against the provisions of the DUAA;
  • where applicable, update internal processes as well as documentation, such as: legal bases used, privacy notices, cookies banners;
  • upload an electronic complaints form to your website; and
  • organise staff training so new processes can be followed seamlessly.

The above is not an exhaustive list, and each business will have a different set of data protection protocols it needs to follow and be aware of.

This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.