The Data (Use and Access) Act 2025 (DUAA) is a major piece of UK legislation designed to streamline data protection rules, promote economic growth, and simplify compliance while maintaining high privacy standards. It received Royal Assent on 19 June 2025 and amends the existing UK GDPR, Data Protection Act 2018 and PECR frameworks, with its provisions being brought into force in phases rather than all at once.
While both the Data Protection Act 2018 and the current Privacy and Electronic Communications Regulations (PECR) remain in place, the new Act makes important revisions to them. This article walks you through some of the biggest changes and explains what you need to do to ensure you and your business remain data protection compliant.
Who does the new act affect?
Data protection laws aren’t just for large businesses. Whether you are a small business, charity, institution, or sole trader, they apply whenever you handle or store personal information. Data handling can be as simple as storing a client’s contact details or sending out a batch of marketing emails. Many people do not realise they are handling personal data, or do not know when they have breached data protection regulations, so it’s vital you remain informed to avoid potential penalties.
What are subject access requests and how should they be handled?
Anyone whose data you store has the right to request a copy of the personal data you hold about them. This is known as a subject access request (SAR). You have a legal duty to respond within one month (extendable by up to two further months for complex or numerous requests, provided you tell the requestor within the first month), after verifying the requestor’s identity and carrying out a ‘reasonable and proportionate’ search of your records.
The new Act adds a ‘stop the clock’ provision: if you genuinely need further information before you can respond, you can pause the one-month deadline by requesting clarification, and the time you spend waiting for the answer does not count towards it. For example, if you are unsure what kinds of data the requestor is looking for, you can pause the deadline by asking them to specify what information they need. The pause only applies while you are waiting for information you actually need, not as a way of delaying a request you could already answer.
What you can do to comply with subject access requests
Subject access requests can be stressful and difficult to deal with. You may not have a unified data storage system, and may find that someone’s data is spread across a variety of platforms, email trails, and physical documents. This can make subject access requests time-consuming and worrisome, so you should take the following preventative steps to make the burden easier:
- Establish a business-wide SAR process beforehand. Make sure everyone in the business understands how to deal with subject access requests, including how to recognise one (a request does not have to mention the law or use the words ‘subject access request’), how to verify identities, request clarification, and search effectively for data. Make sure everybody understands the deadlines involved.
- Establish a verification procedure. An important stage of dealing with subject access requests is verifying the requestor’s identity before you release information, because responding to an impersonator is itself a data breach. Decide the procedure beforehand. For example, you can check whether the request comes from an email address you have on file and, where the request is plausible but unconfirmed, reply to the address you hold rather than to whatever reply-to address appears in the request, since the sender address of an email is easy to forge. Request further details for verification only where necessary and keep them proportionate: ask for enough to be confident of who you are dealing with, not for more personal data than you need.
- Understand how to search for data. You might want to establish a unified storage system where you can keep all data in one place. Otherwise, establish a data map, a record of which systems, mailboxes and filing cabinets hold personal data, so you know where to start looking.
- Have a templated response letter. To make the process simpler, you can template a response letter to requestors and update it with the relevant information as required.
How does the new act affect marketing?
One of the main changes in the new Act is that it provides a much stronger basis for treating direct marketing as a legitimate interest under the UK GDPR. This means it is sometimes permissible to process personal data for marketing purposes without obtaining consent. However, PECR still sets strict rules about when and how electronic marketing messages may be sent, and you may be fined if you fail to comply. You will need to be clear about which rules apply when:
- If you are sending marketing emails to individuals, sole traders or partnerships: you must still obtain consent beforehand (or rely on the soft opt-in described below), and you must always offer them the possibility to opt out later.
- If you are sending an email to a named individual at a business, like johnsmith@company.co.uk: you do not need to ask for prior consent under PECR, but the address is still personal data, so you must carry out a legitimate interests assessment under the UK GDPR. You need to offer a clear way to opt out.
- If you are emailing a non-personal address, like support@ or info@: you do not need to obtain consent, but you should make sure they have not previously chosen to opt out. You need to offer a clear way to unsubscribe.
- If you are emailing a previous or existing customer: you can email them using the soft opt-in. This means you don’t always need consent to use contact details a customer provided while buying or negotiating for your products or services, but you need to ensure your marketing is for your own similar products or services, and that you gave them a simple way to refuse marketing when you collected the details. You still need to offer them the opportunity to opt out of future marketing in every message.
You should always remember that the fact that someone’s contact details are available publicly does not mean that you can automatically engage in direct marketing. The same rules regarding consent, and opt-out procedures still apply.
What you can do to comply with direct marketing regulations
With different regulations for each scenario, the rules surrounding direct marketing can often be difficult to navigate. If you are a business or charity, it’s important you take the following steps to ensure compliance:
- Understand which legal basis applies to each kind of marketing. Ensure you and your team are clear on when consent is required, when you can use a soft opt-in, and when you have a legitimate interest.
- Carry out any necessary legitimate interests assessments. When you are relying on a legitimate interest, as opposed to consent, you need to carry out something known as a legitimate interests assessment. This is an evaluation that balances your interests as a data handler, against the data subject’s rights. You should keep a record of these assessments.
- Ensure you are obtaining consent where necessary. You need to make sure your consent forms are up-to-date and that you keep an accurate record of who has consented to receive marketing.
- Offer an unsubscribe option. You need to offer subscribers, previous customers, professionals, and businesses the option to unsubscribe from your marketing emails.
How does the new act affect cookies?
Cookies and data analytics are governed by PECR as well as the UK GDPR. Many businesses create a website and do not realise that it is processing personal data until much later, so it’s important you remain up-to-date and understand the regulations you need to follow. The new Data (Use and Access) Act 2025 has relaxed some of the rules: there are now some kinds of cookie use that no longer require consent. For example, you don’t need consent for cookies used for the sole purpose of collecting statistics to improve your service, provided the data is not used to identify or track individual users and you give users clear information and a simple way to object. You can also use cookies without consent if they are used for the sole purpose of adapting the appearance or functionality of the site to the user’s preferences, like remembering a language setting. You can check the full list of exemptions on the ICO’s website, but if you use any analytics or advertising cookies that fall outside them it’s likely you’ll still need a cookie banner.
What you can do to comply with cookie regulations
- Understand what kind of cookies your website uses. Your website may be setting cookies without your knowledge, particularly through embedded third-party scripts such as analytics tags, social media widgets and video players. You can use online scanning tools such as Cookiebot to understand what cookies your website sets and what they are used for, and you should repeat the scan whenever you add a new plugin or script.
- Ensure you have a cookie blocker in place. Make sure your website has a mechanism that prevents non-essential cookies from being set until the user has given consent. This means the scripts that set them must not be loaded at all before consent; loading a tracking script and then deleting its cookies afterwards is not the same thing, because the data has already been sent.
- Make sure you request consent if necessary. If you use cookies in any way that requires consent, make sure you have a cookie pop-up or banner that requests your users’ permission, and that refusing is as easy as accepting.
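The ‘cookie blocker’ step above is the one practical mechanism in this article, so here is an added example of how it is commonly implemented. This is illustrative code written for this page, not code from the original article, from the ICO, or from any consent-management product. It assumes a site that records the user’s choices in a first-party cookie named cookie_consent (a hypothetical name) and that marks non-essential third-party scripts in its HTML as <script type="text/plain" data-cookie-category="analytics" data-src="..."> so the browser does not execute them; the gate only turns them into real scripts for categories the user has allowed. Which categories may be treated as exempt from consent on your own site is a legal judgement, not something this code decides.

```javascript
// Added example: a minimal consent gate for non-essential cookies and scripts.
// Assumptions (hypothetical, not from the article): consent is stored in a
// first-party cookie "cookie_consent" holding JSON such as
//   {"v":1,"preferences":true,"analytics":false,"marketing":false,"ts":"..."}
// and gated scripts are written as
//   <script type="text/plain" data-cookie-category="analytics" data-src="https://example.test/tag.js"></script>
// so that nothing in those categories runs before the user has decided.

const CATEGORIES = ['necessary', 'preferences', 'analytics', 'marketing'];
const CONSENT_COOKIE = 'cookie_consent';

// Default state before any choice has been recorded. Only "necessary" is on;
// everything else stays blocked until the user opts in.
const DEFAULT_ALLOWED = { necessary: true, preferences: false, analytics: false, marketing: false };

// Parse a document.cookie-style string ("a=1; cookie_consent=%7B...%7D").
// Returns the stored record, or null if absent, malformed or of an unknown version.
function parseConsentCookie(cookieHeader) {
  const prefix = CONSENT_COOKIE + '=';
  const entry = cookieHeader.split(';').map(s => s.trim()).find(s => s.startsWith(prefix));
  if (!entry) return null;
  try {
    const record = JSON.parse(decodeURIComponent(entry.slice(prefix.length)));
    return record && record.v === 1 ? record : null;
  } catch (e) {
    return null; // a corrupted cookie must fail closed, i.e. back to "no consent"
  }
}

// Combine the stored record with the defaults. Anything not explicitly set to
// true by the user stays blocked; "necessary" can never be switched off.
function effectivePermissions(record) {
  const perms = { ...DEFAULT_ALLOWED };
  if (record) {
    for (const c of CATEGORIES) {
      if (c !== 'necessary') perms[c] = record[c] === true;
    }
  }
  perms.necessary = true;
  return perms;
}

// Build the Set-Cookie value that records the user's choices. The consent
// cookie itself is strictly necessary, so it may be set without consent.
// Six-month lifetime; Secure and SameSite=Lax so it is not leaked cross-site.
function serializeConsent(choices, now = new Date()) {
  const record = { v: 1, ts: now.toISOString() };
  for (const c of CATEGORIES) {
    if (c !== 'necessary') record[c] = choices[c] === true;
  }
  const expires = new Date(now.getTime() + 182 * 24 * 3600 * 1000).toUTCString();
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}; Expires=${expires}; Path=/; SameSite=Lax; Secure`;
}

// Pure decision step: given the gated scripts found on the page (as
// {category, src} objects) return only those the permissions allow.
function scriptsToActivate(scripts, perms) {
  return scripts.filter(s => perms[s.category] === true);
}

// DOM step: replace each allowed placeholder with a real <script> element so the
// browser fetches and runs it. Blocked placeholders are left as inert text/plain.
function activateGatedScripts(doc, perms) {
  const placeholders = doc.querySelectorAll('script[type="text/plain"][data-cookie-category]');
  const found = Array.from(placeholders).map(el => ({ category: el.dataset.cookieCategory, src: el.dataset.src, el }));
  for (const item of scriptsToActivate(found, perms)) {
    const live = doc.createElement('script');
    if (item.src) live.src = item.src; else live.textContent = item.el.textContent;
    item.el.replaceWith(live);
  }
}

// Page hook: on load, apply whatever was previously recorded; on a banner
// choice, store it and activate the newly allowed categories.
function applyStoredConsent(doc) {
  activateGatedScripts(doc, effectivePermissions(parseConsentCookie(doc.cookie)));
}
function recordConsent(doc, choices) {
  doc.cookie = serializeConsent(choices);
  activateGatedScripts(doc, effectivePermissions(choices));
}

if (typeof document !== 'undefined') {
  applyStoredConsent(document);
}
```

The important property is that a blocked script never reaches the network: the placeholders are type="text/plain", so the browser treats them as data rather than code, and parseConsentCookie fails closed (no record, or a corrupted one, means no consent). Withdrawal of consent is handled by calling recordConsent with the category set to false; cookies already set by a third-party script cannot be deleted from your origin, so the banner should also explain how the user can clear them.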
What does the new act say about complaints?
One of the main changes made by the new Act is that it requires you to have a designated data protection complaints procedure in place by 19 June 2026. This means you need to offer individuals a clear way to complain about the way their data has been handled, which can be either electronic or in person. This could be a complaints portal, email address, phone number, or a clear way to complain face-to-face. If you receive a complaint, you must acknowledge it within 30 days and provide a full response ‘without undue delay’.
What you can do to comply with the new complaints regulations
- Establish a complaints procedure. Make sure you have a clearly-labelled procedure for individuals to make data protection complaints.
- Template acknowledgement letters. You can create acknowledgement templates in advance, and simply adjust them with the relevant details if you receive any complaints.
- Establish a complaints processing procedure. Ensure your team is trained in how to deal with complaints and that you provide clear guidance concerning timelines.
- Keep an accurate record. Make sure you keep a record of any complaints received and how they were dealt with.
Summary
The new Data (Use and Access) Act has made several important changes. To avoid potential penalties, it’s important you check what kinds of data your business is processing and adjust your procedures accordingly. If you’re unsure where to start, which things you need to change, or whether you have breached data protection regulations, we can help connect you with an expert today.
Findmeasolicitor.co.uk
Written and researched by Kristin Poole.

