Understanding the Data Use and Access Act 2025 (DUAA)
What is DUAA?
- A major update to UK data protection law, amending UK GDPR, Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
- Designed to simplify compliance, reduce administrative burden, and enable innovation while maintaining strong privacy protections.
How Does It Affect Micro & Small Companies?
- Introduces “Recognised Legitimate Interests” for certain processing (e.g., direct marketing, fraud prevention) without a balancing test.
- Eases cookie consent rules for analytics and functionality cookies.
- Expands flexibility for automated decision-making and scientific research use of data.
What to Look Out For
- New Complaints Handling Rules: Companies must implement clear processes for data subject complaints.
- DSAR Changes: “Reasonable and proportionate” searches allowed; ability to pause response clock for clarification.
- Higher Penalties: PECR fines now match GDPR—up to £17.5M or 4% of global turnover.
Processes & Procedures to Review
- Privacy Notices & Policies: Update to reflect new lawful bases and cookie rules.
- Direct Marketing Practices: Ensure opt-outs and consent mechanisms comply with DUAA and PECR.
- Data Sharing Agreements: Review contracts for international transfers under new adequacy test.
- Automated Decision-Making: Add transparency and human review safeguards.
Role of a DPO
- Oversee compliance with DUAA alongside GDPR obligations.
- Conduct risk assessments for AI and automated decision-making.
- Train staff on new DSAR handling and complaint processes.
- Act as liaison with the Information Commission (new regulator replacing ICO).
Real Examples of Issues Companies Could Face
- Marketing Breaches: Sending unsolicited emails without updated opt-out processes could trigger fines.
- Cookie Non-Compliance: Failing to update cookie banners for analytics exemptions may lead to enforcement.
- DSAR Mishandling: Ignoring the new “reasonable search” standard could result in complaints and audits.
- AI Misuse: Using automated profiling in recruitment without transparency could lead to discrimination claims.