The new Data Use and Access Act (DUAA) 2025 updates the existing rules on data protection, privacy, and digital communication; it’s something every organisation, including small businesses and charities, needs to understand.
The DUAA doesn’t replace the UK GDPR, the Data Protection Act 2018 or PECR (Privacy and Electronic Communications Regulations). Instead, it builds on them. And in doing so, it aims to reduce red tape, support innovation and offer a clearer framework for how businesses can use data.
Here’s what you need to know and what you need to do next.
A More Innovation-Friendly Approach to Data
If you rely on data to do research, improve services, or develop new products, the DUAA opens the door to more flexibility, without losing sight of people’s rights.
Wider use for research
You can now process data for scientific research – even commercial – under clearer conditions. Individuals can give broader consent up front, rather than for each specific project.
Fewer hoops for research notices
If notifying people individually would involve “disproportionate effort”, you can publish privacy notices online instead, provided you meet other safeguards.
More freedom for automation
You’re no longer restricted in which lawful bases you can apply to significant automated decisions, which potentially includes the legitimate interests basis; however, this relaxation won’t apply to special category data like health or ethnicity.
Simpler cookie rules
You can now set some cookies, like those used for analytics or performance, without having to collect consent every time.
NOTE: If your business relies on customer data for product development or user insights, these reforms could streamline your approach – as long as you still operate transparently and fairly.
More Practical Flexibility for Day-to-Day Operations
Many changes in the DUAA are designed to remove administrative burdens and reduce uncertainty.
Recognised legitimate interests
If you’re processing data for certain clearly defined purposes, such as safeguarding national security, you no longer need to conduct a full balancing test.
Simpler data sharing
If another organisation (like the police) asks you for personal data, you don’t need to assess their legal basis for asking. That responsibility sits with the requester.
Assumed compatibility
Re-using data for archiving, research, or public interest activities? You no longer need to justify compatibility with the original purpose.
Marketing flexibility for charities
Charities can now rely on a “soft opt-in” for sending marketing emails to people who’ve shown interest in their work – unless those individuals object.
More clarity around access requests
You only need to conduct reasonable and proportionate searches when responding to a subject access request (SAR), not exhaustive ones.
NOTE: These changes remove ambiguity around everyday tasks like sharing data or sending emails – and give smaller organisations more confidence in their compliance processes.
Your New Obligations Under DUAA
The DUAA isn’t just about easing rules. It also introduces some new requirements that you may need to act on.
Digital complaints process
If someone wants to complain about how you handle their data, you must offer a straightforward route for doing so (such as an online form). You must acknowledge the complaint within 30 days and respond “without undue delay”.
Protecting children online
If you offer digital services likely to be used by children, you must factor their needs into how you collect and use their data. This aligns with the Age Appropriate Design Code, which you should already be familiar with if you’re in this space.
NOTE: These aren’t just best practices – they’re now legal obligations. Build them into your website and data handling workflows sooner rather than later.
Enhanced Regulatory Oversight
The DUAA also reshapes the ICO (Information Commissioner’s Office) to make it a more powerful and transparent regulator:
- The ICO gains new investigatory powers
- A more modern structure will support proactive guidance
- Government has asked the ICO to produce dedicated codes of practice on AI and edtech
NOTE: Expect more specific guidance in areas like artificial intelligence, children’s digital services, and education tech, with more consultation and industry feedback built into the process.
How Should Businesses Get DUAA Compliant?
Start by reviewing your current data handling policies, especially if you use automation, research user behaviour, or collect email addresses for marketing. Then:
- Review your privacy notices and cookie banners
- Check whether any of your processes now qualify for the “recognised legitimate interests” exemption
- Build or improve your digital complaints process
- Review how you handle SARs and train your team accordingly
- Update any processes involving children’s data if your services might be used by under-18s
If you have a Data Protection Officer (DPO) or internal data lead, bring them into the loop now. If you don’t, consider working with a trusted advisor or legal specialist to bring your policies in line.
Summary: DUAA Preparation for Businesses
The DUAA represents a more balanced, practical and pro-innovation approach to data protection in the UK. For businesses and organisations, it’s a chance to simplify, clarify and modernise – without losing sight of public trust or legal responsibility.
Staying compliant doesn’t need to be overwhelming. If you treat data fairly, communicate transparently, and stay proactive, the DUAA could offer a welcome opportunity to do better business, with less bureaucracy.