
Data (Use and Access) Act 2025: five key changes for businesses


The Data (Use and Access) Act 2025 (DUAA) became law on 19 June 2025, bringing important reforms to the UK's data protection regime, including changes to the powers and composition of the Information Commissioner's Office (ICO), the UK's information law regulator. Implementation of the DUAA is taking place in phases, with many provisions taking effect on 5 February 2026. A full list of key provisions coming into force can be found here.

This article focuses on new provisions under DUAA amending the UK GDPR (concerning the processing of personal data) that may be of particular interest to businesses. Our companion article with information on DUAA provisions amending the PEC Regulations (concerning direct marketing, particularly relevant to charities) is coming soon.

Recognised legitimate interest

The DUAA introduces a seventh lawful basis for processing personal data under Article 6(1) of the UK GDPR: "recognised legitimate interests" (RLI). The categories of processing that qualify as RLIs are set out in a new Annex 1 to the UK GDPR and include:

  • processing necessary for national security, public security and defence purposes;
  • processing necessary for the detection, investigation or prevention of crime;
  • responding to requests from bodies acting in the public interest, where the processing is for purposes laid down in law; and
  • processing necessary for the safeguarding of vulnerable individuals.

Crucially, where a controller relies on an RLI, it is not required to carry out a balancing test (ie a legitimate interests assessment weighing the controller’s interests against those of the data subject). Processing must still be necessary and must comply with the wider principles of the UK GDPR, including transparency and data minimisation.

The DUAA also codifies a non-exhaustive list of personal data processing activities that may qualify under the existing legitimate interests basis, including direct marketing, intra-group sharing for internal administrative purposes, and ensuring the security of network and information systems. A full legitimate interests assessment continues to be required for these activities.

Businesses sharing personal data with the police or other public authorities in connection with crime prevention or safeguarding may now be able to rely on an RLI, removing the need for a balancing test before making the disclosure. Controllers should review their records of processing activities and privacy notices to identify where reliance on an RLI may simplify compliance. Unfortunately, though (for those seeking efficiencies in their compliance work), for many commercial processing activities a legitimate interests assessment will still be required; the RLI basis is narrow in scope.

ICO guidance on recognised legitimate interest can be found here.

Automated decision-making

The DUAA repeals Article 22 of the UK GDPR and replaces it with four new Articles 22A to 22D. This represents the most significant divergence between the UK GDPR and the EU GDPR introduced by the DUAA.

Under the previous regime, solely automated decision-making (ADM) that produced legal or similarly significant effects was prohibited unless one of a narrow list of conditions applied (such as explicit consent or contractual necessity). The DUAA fundamentally changes this position.

In practical terms, businesses may now rely on lawful bases such as legitimate interests for ADM that does not involve special category data (eg health information). Where ADM is used, organisations must still implement safeguards designed to protect individuals, including providing meaningful information about the decision, enabling individuals to make representations, and offering access to human intervention and the ability to challenge the outcome. This change is particularly significant for organisations using algorithmic systems in areas such as creditworthiness assessments, fraud detection, recruitment screening or dynamic pricing. The UK Government has described this ADM reform as enabling innovation while maintaining appropriate protections for individuals.

ICO guidance on automated decision making can be found here.

International data transfers

The DUAA introduces a new 'data protection test' for assessing whether personal data may lawfully be transferred to a third country (ie outside the United Kingdom). The three-step test for determining whether there is a restricted transfer asks:

  1. does the UK GDPR apply to the processing of personal data being transferred;
  2. is the organisation initiating the transfer of personal information to an organisation outside the UK; and
  3. is the transfer to a separate legal entity from the exporter?

The test replaces the EU-derived 'essential equivalence' standard with a requirement that the level of protection in the destination country is "not materially lower" than that afforded under UK law. The new test applies both to the Secretary of State when making adequacy determinations and to controllers and processors when they are relying on appropriate safeguards (such as 'standard contractual clauses' or the UK's 'international data transfer agreement') to provide a lawful basis for a restricted international data transfer.

Importantly, on 19 December 2025, the European Commission renewed the UK’s adequacy decision until 27 December 2031, indicating that the UK’s current legislative direction is not, for now, considered to undermine the overall level of data protection in the UK, as assessed from an EU perspective. Transfers of personal data from the EU to the UK may therefore continue under the existing adequacy framework for the time being.

Businesses that transfer personal data outside the UK should review their transfer mechanisms in light of the ICO’s updated guidance on international transfers published on 15 January 2026, which can be found here. The “not materially lower” standard may in practice offer slightly more flexibility than the EU’s 'essential equivalence' test, although the substantive difference remains to be tested.

Organisations using UK standard contractual clauses or international data transfer agreements should ensure that their transfer impact assessments (TIAs) apply the updated statutory test for TIAs carried out from now onwards (the ICO has also said that TIAs made under the previous assessment method do not need to be re-done, unless the nature or circumstances of the data transfers have changed).

Scientific research

The DUAA introduces a statutory definition of scientific research into the UK GDPR, clarifying that the term includes "any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity". Importantly for businesses, the definition expressly encompasses commercial, privately funded, applied and technological research, rather than being limited to academic or public sector research.

This clarification is particularly relevant for organisations engaged in product development, data analytics or innovation activity relying on large datasets. By placing the definition of 'scientific research' on a statutory footing, the DUAA reduces uncertainty around when research-related provisions may be relied upon, including relaxed requirements around purpose limitation and data retention. This change brings the law more closely into line with practical research and development activity in the private sector.

Life sciences, pharmaceutical, technology and other data-intensive businesses engaged in research and development activities should review whether their processing may now qualify for these expanded research flexibilities. Businesses should ensure that appropriate safeguards remain in place where reliance is placed on the research provisions.

Complaints procedure

An important operational change for businesses is the introduction of a mandatory internal data protection complaints procedure due to come into force on 19 June 2026.

Individuals will have an express statutory right to complain directly to an organisation if they believe their personal data has been processed unlawfully, before escalating the matter to the regulator.

Organisations must have processes in place to acknowledge complaints, conduct an appropriate investigation and inform the complainant of the outcome within prescribed timeframes. Controllers will be required to acknowledge complaints within 30 days and to respond in full without undue delay.

While this requirement is intended to resolve issues at an early stage and reduce regulatory escalation, it also means that businesses should expect an increase in formalised complaints that require careful handling. The ICO has indicated that the existence and quality of an organisation’s complaints handling process will be relevant to its regulatory approach, increasing the importance of embedding these procedures into wider governance frameworks.

What is next?

The DUAA’s reforms are being introduced on a rolling basis. The following changes are still to come:

  • 19 June 2026: new complaints procedure as outlined above.
  • Later in 2026: ICO governance reforms and transition to the new 'Information Commission' structure. Updated ICO guidance is expected.

Farrer & Co is well versed in data protection legislation and its application for businesses. If you have any questions, please contact Alan Baker or your usual contact at the firm.

Many thanks to trainee solicitor Perihan Tur for her help writing this article.

© Farrer & Co LLP, May 2026


About the authors


Alan Baker

Partner

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.
