The Data (Use and Access) Act 2025 (DUAA) is a major update to UK data protection law designed to make data sharing safer and simpler while supporting innovation. Rather than scrapping existing privacy laws, DUAA adds new tools and legal clarity to how organizations use personal data, creating new opportunities while keeping individual rights protected.

What DUAA Introduces

  • New rules around automated decision-making (ADM): Organizations can use ADM in more situations, but they must ensure people are informed, can challenge decisions, and have human oversight when needed.
  • Clearer Subject Access Request (SAR) rules: Organizations now have a “stop the clock” option when awaiting necessary details from someone who’s asked for their data, ensuring responses are both timely and fair.
  • Expanded protection for children’s online data: Online services likely to be used by children must build in design features that protect young users' rights from the start.
  • Recognition of “legitimate interests”: Permits certain data uses (e.g., crime prevention, public safety, emergencies) so long as organizations can demonstrate appropriate safeguards.
  • Easier rules for international data transfers: Clarifies how organizations can lawfully send data outside the UK.
  • Simplified complaints process: Individuals must be told how they can challenge how their data is used, and organizations should make complaints accessible (e.g., through electronic forms) and respond without undue delay.

Why DUAA Matters for Businesses

DUAA is especially important for sectors that rely heavily on data, such as defense, healthcare, finance, and technology. For instance:

  • A defense contractor using machine learning or biometric tools will need to understand how the changes to automated decision-making affect projects involving sensitive or classified data.
  • In healthcare, companies handling medical records will have to adapt their subject access processes and ensure that children’s data protections are built into any public-facing digital service.
  • Financial institutions using international data (e.g., cross-border banking, fintech) will need to revisit their data transfer agreements and make sure legitimate interests are properly documented and legally defensible.

How to Prepare for DUAA

  • Begin by mapping out all the ways your organization uses data, such as research, automated decisions, and third-party sharing, and identify which new DUAA obligations apply.
  • Update your privacy notices, consent forms, and policies, especially around ADM, children’s data, and data transfers.
  • Implement transparent complaint-handling procedures and ensure your teams know how to respond.
  • Review your SAR processes to ensure searches are reasonable and you know when you can pause the deadline while you wait for extra information from requesters.