What business should know about The Data (Use and Access) Act 2025

aat comment

The Government recently announced changes to its GDPR rules. Here’s what it could mean for you and your clients.

Many businesses will remember the last-minute scramble to comply with GDPR rules in 2018: sending multiple ‘Please stay with us’ emails, putting cookie consent banners on their websites, or fretting about customers suddenly unsubscribing from mailing lists.

Ethics and the digital world

Visit the AAT Lifelong Learning Portal to find out more about the ethical impact of digital technologies on you as an accountant (log in to view).

Find out more

These GDPR regulations have now been updated with the Data (Use and Access) Act (DUAA) 2025, which became law in June.

The refreshed legislation aims to reduce red tape around data use, with the Government estimating it could inject £10bn into the UK economy. These updates will be much easier for businesses to follow than the existing GDPR regulations, too.

The Government has also claimed the DUAA will encourage innovation. Many businesses feel that the 2018 Data Protection Act and GDPR narrowed their marketing reach because customers have increased powers to opt out. The DUAA may relax these restrictions.

What does this mean for business?

Although GDPR impacted nearly all organisations in 2018, the DUAA isn’t a radical makeover. As Louise Brooks, head of consultancy at data privacy experts DQM GRC says, “From a data protection perspective, these are tweaks to the legislation, rather than seismic changes.”

Businesses won’t need to drastically overhaul operations, but they may wish to rethink aspects of their marketing and data strategies.

What are the main updates?

Cookie consent rules are changing

The big change for businesses is that they’ll no longer need to get consent from website visitors for essential cookies when used for ‘low risk’ reasons such as security, basic analytics or to improve website functionality.

Essential cookies are the ones that keep you logged into a website or remember your preferences, such as language/items saved in a shopping cart.

“This will be amazing for companies who want to understand how people engage with their website but [until now] have felt hamstrung because they’re not getting the consent options to release this info,” says Brooks.

However, we shouldn’t get too excited about the death of the cookie banner just yet. Any cookies related to direct marketing (where businesses communicate directly with consumers) and tracking will still require consent. And because many websites will still be serving EU visitors, they’ll still need to comply with EU cookie laws – meaning they may continue using cookie pop-ups for simplicity.

Charities get a ‘soft opt-in’ boost

GDPR hasn’t been great for charities. Many have reported shrinking databases due to stricter consent requirements, making fundraising more difficult.

The DUAA has introduced a ‘soft opt-in’ for email marketing. This doesn’t mean charities can start blanket emailing everybody in their contacts database, as the soft opt-in only relates to people who they have an existing relationship with, for example those who have previously donated or expressed interest in the charity.

Legitimate interests

Before the DUAA, businesses could process personal data without explicit consent if they had ‘recognised legitimate interests’ such as national security, emergencies or safeguarding vulnerable people. This usually involved making an assessment in which businesses weighed these interests against the impact on the individual’s privacy.

Under the DUAA, businesses no longer need to perform this ‘balancing act’.

The upshot? “Organisations will have a bit less documentation to do,” says Brooks. “They’ll still need to demonstrate [the use of personal info] is a necessary activity, but there won’t be a balancing act.”

It’s set to have the most impact in areas such as direct marketing, adds Brooks. Now “if an organisation wants to undertake direct marketing on a new audience, it can apply the recognised legitimate interest basis without the need to undertake an assessment.”

Automated decision-making (ADM) restrictions relaxed

The rise of AI has triggered an explosion in the amount of ‘automated decision-making’ (ADM) in our online lives. These are decisions made without any human involvement, such as a bank using an algorithm to determine whether an applicant is right for an online loan, or a company using an algorithm to screen which CVs reach managers’ eyes.

Because the Government wants to encourage AI innovation, it’s eased the restrictions on ADMs. However, this only applies to ADMs that don’t involve ‘special category’ data (such as health, race/ethnicity, sexual orientation or biometric data).

“Before the Act, there was a general prohibition against ADMs, unless you met certain circumstances,” says Brooks. “The Act has now removed that general prohibition, so it’ll allow organisations to make automated decisions in a wider range of circumstances.”

Businesses using ADMs will still need to inform people that their computers have made decisions about them, while giving them the chance to dispute the decision.

Subject access requests (SARs) clarified

Subject access requests (SARs) allow people to ask organisations for copies of any personal information held about them.

The DUAA has clarified its rules for handling SARs. Businesses are now only required to carry out searches that are “reasonable and proportionate” to the request, which could save hours of time sifting through data for ambiguous or obscure requests.

Note: If “reasonable and proportionate” sounds vague, that’s because it is – businesses will need to wait for more guidance from the ICO.

“It’s going to be most helpful for organisations who receive a huge volume of complex requests/SARs, because it might streamline the extent of their searches,” says Brooks.

The one-month deadline usually required to respond to a SAR can now be paused with a new ‘stop the clock’ mechanism, which organisations can use if they need more information from the requester.

The ICO’s powers are strengthened

The Information Commissioner’s Office (ICO) – the UK’s data protection regulator – has been given more powers. These include the authority to levy fines of up to £17.5 million (or 4% of global turnover) for breaches of the Privacy and Electronic Communications Regulations (PECR) – a steep increase from the previous maximum fine of £500,000.

What kind of firms could receive a £17.5 million fine? Brooks says it’ll be those companies “who don’t get consent for marketing and tracking cookies”, before adding that the ICO is currently reviewing the UK’s top 1,000 websites for compliance with data protection laws.

When will the DUAA updates take place?

The changes will be phased in between August 2025 and June 2026.

What do I need to do now?

Relax. Businesses won’t need to take any immediate action, says Brooks, because the provisions are yet to be rolled out. However, she advises that business leaders “start thinking about the changes and whether they apply to your organisation.” She also suggests keeping an eye on ICO guidance.

If you have users in the EU, it may make more sense to continue sticking to GDPR standards. Says Brooks: “Because the UK is ‘lowering’ its data protection standards, it might be better to stick with the EU GDPR compliance, because everything will still be the same.”


Christian Koch is an award-winning journalist/editor who has written for the Evening Standard, Sunday Times, Guardian, Telegraph, The Independent, Q, The Face and Metro. He's also written about business for Accounting Technician, 20 and Director, where he is contributing editor.
