The Data (Use and Access) Act 2025 (DUAA) is a key part of the UK’s Government data reform agenda, designed to make data use more practical for organisations while continuing to protect individuals’ rights. The Act supports responsible data-driven innovation while maintaining public trust and strong privacy safeguards. With enforcement commencing in June 2026, organisations should now be focused on readiness.
What is the Data (Use and Access) Act 2025?
The DUAA intends to update and supplement the UK’s existing data protection framework including the UK GDPR, the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations (PECR). As opposed to replacing these laws, the Act introduces targeted reforms to simplify compliance, provide greater legal certainty, and better reflect how data is used in practice.
Beyond privacy reform, the Act proposes new frameworks for smart data schemes, digital verification services, and wider data-sharing initiatives, highlighting the Government’s ambition to promote innovation while maintaining high data protection standards.
What Are the Latest Developments and Key Changes?
Recent developments under the DUAA signal a shift toward greater proportionality and operational clarity. Key changes focus on reducing unnecessary administrative burden while preserving accountability, specifically for organisations that process high volumes of personal data or rely on data-driven tools.
Furthermore, the introduction of “recognised legitimate interests”, a new lawful basis under the DUAA, provides greater certainty for specified processing activities, subject to appropriate safeguards. The Act also modernises the framework for automated decision making, allowing broader use of automation while reinforcing transparency, safeguards and access to human review where decisions may significantly affect individuals. At the same time, updates to data subject rights handling promotes a more “reasonable and proportionate” approach, alongside clearer expectations around complaints handling.
Together, these developments reflect a move toward practical, risk-based compliance that establishes responsible data use without weaking individual rights.
What Are the Implications for Organizations, and How Can They Prepare?
While the DUAA exhibits a more business-friendly direction, organisations remain fully liable for ensuring personal data is used lawfully, transparently and securely. Consequently, the changes are likely to affect HR processes, external stakeholders’ data management, screening or verification activities, marketing and automated decision making.
Ahead of June 2026, organisations should consider implementing the following measures, where applicable to their role as data controllers:
- Establishing a formal data subject complaints procedure in line with S.103 of the DUAA.
- Reviewing reliance on legitimate interests and updating privacy notices where the new recognized legitimate interests’ basis will apply.
- Evaluating automated decision-making systems (ADM) and ensuring appropriate safeguards including human review.
- Reviewing data governance frameworks and coordinating cross‑functional readiness across Legal, HR, Product, IT, and customer‑facing teams.
Key Takeaways
- The Data (Use and Access) Act 2025 introduces targeted reforms to the UK’s data protection framework.
- Organisations should review data governance, automated decision-making, and complaints handling processes ahead of June 2026.
- The DUAA creates greater clarity around recognised legitimate interests and operational compliance obligations.
- HR, Legal, IT, and Compliance teams should coordinate readiness planning across workforce and customer data processes.
- Digital identity verification and compliant screening practices remain important components of responsible data use.
Looking Ahead
The Data (Use and Access) Act 2025 symbolises a significant evolution in the UK’s data protection landscape. By being proactive and taking practical steps to strengthen governance and effective implementation, organisations can position themselves to meet the June 2026 requirements with confidence, while continuing to use data responsibly to support trust, efficiency, and growth.
Learn how First Advantage can support compliant digital identity verification, right to work checks, and workforce screening readiness in the UK. readiness in the UK.
