Published: August 6, 2025 - 3 mins read
The Data (Use and Access) Act: What You Need to Know
We've broken down what the DUAA means for you, with practical advice to help you stay compliant


The Data (Use and Access) Act 2025 (DUAA) became law on 19 June 2025, unlocking new opportunities for innovators to use data more effectively, with less red tape and stronger legal clarity. To be clear, it does not replace UK GDPR or the Data Protection Act 2018. Instead, it introduces targeted amendments designed to reduce administrative burdens, support innovation and strengthen enforcement.
Here’s everything your organisation needs to know.
The Changes:
The DUAA is making a number of key updates to create less friction for innovators in a way that keeps security standards high.
- Subject Access Requests (SARs)
Organisations can now pause the response period while seeking clarification and only need to carry out searches that are reasonable and proportionate. This update applies to requests received on or after 1 January 2024.
- Legitimate Interests
Certain activities, such as safeguarding vulnerable people or processing for public security, now have a recognised legitimate interest in law without requiring the usual balancing test.
- Research and Reuse of Data
Data collected for one purpose can be reused for scientific, historical or statistical research, provided appropriate safeguards are in place. Commercial research is explicitly recognised.
- Automated Decision Making
The Act replaces Article 22 of UK GDPR with new provisions that allow significant automated decisions, as long as organisations implement safeguards such as clear explanations, the ability to challenge decisions and meaningful human oversight.
- Cookies and PECR (Privacy and Electronic Communications Regulations)
Certain low-risk cookies (for analytics, security and service improvement) can be used without consent in defined circumstances. The maximum PECR fines now match UK GDPR levels, up to £17.5 million or 4% of global turnover.
- International Transfers
The Act introduces a “not materially lower” standard for adequacy decisions and removes the four-year review cycle, giving more flexibility for data flows.
- Smart Data and Digital ID
Frameworks have been created to enable future smart data schemes, digital ID systems and registers such as the National Underground Asset Register and electronic birth and death registers.
- ICO Reform
The ICO’s functions will transfer to a new Information Commission with enhanced governance, accountability and regulatory powers.
Why this matters
The DUAA is intended to help organisations use data more effectively, cut unnecessary administration and still maintain strong protections for individuals.
In practical terms this means:
- Reduced time spent on repeated consent or balancing tests.
- More clarity on data reuse and research processing.
- Clearer rules around automated decisions and cookies.
- Stronger oversight and higher potential penalties if processes are not followed.
What should you do now?
Consider these steps to prepare:
- Review SAR processes and train your teams on the new “reasonable and proportionate” search requirement.
- Update lawful basis assessments and identify where new legitimate interest provisions apply.
- Review research and data reuse activities for new opportunities.
- Check automated decision making workflows to ensure safeguards are documented.
- Update cookie and marketing policies to reflect the new exemptions.
- Monitor further guidance from the ICO as the Act is implemented in phases over the next year.
We are happy to see these regulation updates that give organisations more room to innovate without compromising on strong governance and compliance. This move proves that regulation and compliance are ever-changing to fit the fast-paced environment of healthtech. Make sure you thoroughly review the DUAA updates and the UK’s data protection framework as a whole to stay compliant.
If you would like help reviewing your policies or understanding how these changes can affect you, contact our team at Acorn Compliance. We are here to help you stay ahead with confidence.