UK’s New Data Law Brings Clarity, Flexibility, & Teeth
Key Takeaways
- New Legal Basis Introduced: The DUAA adds a “recognized legitimate interests” basis, removing the need for a balancing test in specific contexts like public security and safeguarding.
- Eased Research and Automation Rules: Organizations can rely on broad consent for scientific research and use more flexible legal bases for automated decision-making (excluding special category data).
- Streamlined Cookie Requirements: Certain cookies and similar technologies, such as those used for analytics or site functionality, no longer require user consent, subject to conditions such as telling users and giving them a simple way to object, which reduces friction for digital services.
- New Compliance Duties: The law mandates accessible complaint mechanisms and requires online services likely used by children to factor in their privacy needs.
- Stronger ICO Enforcement Powers: The regulator can now compel interviews, require technical reports, and issue fines under PECR of up to £17.5 million or 4% of global annual turnover, whichever is higher, matching the UK GDPR maximum.
Deep Dive
The UK’s data protection regime has just undergone its biggest recalibration since Brexit. On June 19, 2025, the Data (Use and Access) Act (DUAA) received Royal Assent, introducing a suite of reforms aimed at modernizing how organizations collect, use, and share personal information. But unlike GDPR’s transformative shake-up in 2018, this legislation is more evolutionary than revolutionary, nudging UK data protection in a direction that’s lighter on red tape, but still recognizably rights-driven.
The DUAA does not replace the UK GDPR, the Data Protection Act 2018, or PECR. Instead, it modifies them (sometimes subtly, sometimes structurally) to bring them into line with what the UK government calls a “common-sense” approach to data use. In practice, that means the law is designed to make compliance easier and more predictable for organizations, while retaining core protections for individuals. The phrase that keeps surfacing in official communications is “opportunity,” and for good reason. The Act unlocks new flexibilities in areas like scientific research, automated decision-making, and cookie consent, areas that have long frustrated both industry and regulators.
Yet beneath the headline-friendly reforms is a law that subtly raises the stakes for risk and privacy teams. In return for reduced friction in some domains, the DUAA demands more accountability elsewhere. Children’s privacy is now an explicit statutory consideration. Data protection complaints procedures must be formalized. And the Information Commissioner’s Office (ICO) has been handed sharper enforcement tools, including the power to compel interviews, require technical reports, and issue fines under PECR of up to £17.5 million or 4% of global annual turnover, whichever is higher.
Information Commissioner John Edwards has framed the DUAA as a recalibration of trust and usability.
“The Act gives organizations using personal information new and better opportunities to innovate and grow,” he said in a statement. “Over the coming months we will launch new guidance, open consultations, and provide practical tools to help embed the Act’s principles into everyday operations.”
One of the most consequential changes for data controllers is the introduction of a new lawful basis for processing: “recognized legitimate interests.” Under this provision, a closed list of processing activities, such as protecting national security, responding to emergencies, preventing or detecting crime, or safeguarding vulnerable individuals, no longer requires organizations to conduct the usual balancing test between their interests and the data subject’s rights. The processing must still be necessary for the listed purpose, and the other principles and safeguards continue to apply, so the change streamlines internal risk assessments rather than removing them. For activities on the list, particularly in regulated sectors, operational teams should get faster green lights.
Scientific research, too, benefits from new breathing room. The Act clarifies that individuals can give broad consent to a general area of scientific inquiry, allowing researchers, including those in the commercial sector, to avoid the need for repeated re-consent as long as safeguards remain in place. Additionally, when re-contacting individuals to provide a privacy notice would involve disproportionate effort, organizations may rely on publishing the notice online instead, provided that the processing poses minimal risk and rights are still respected.
The rules around automated decision-making have also been loosened. For decisions that do not involve special category data, the DUAA removes the previous restriction that confined solely automated significant decisions to a narrow set of grounds (explicit consent, contract, or legal authorization). Organizations may now rely on any lawful basis, including legitimate interests, provided they put safeguards in place: informing the individual about the decision, and allowing them to make representations, obtain human intervention, and contest the outcome. Importantly, this relaxation does not extend to special category data, such as health or biometric information, which remains tightly controlled under the stricter pre-existing regime.
In the digital experience realm, the Act takes a measured step away from cookie fatigue. It permits storing or accessing information on a user’s device without consent for certain purposes, including gathering statistics about how a service is used or providing functionality the user has asked for, provided conditions are met, such as telling users what is happening and giving them a simple way to object. This could lead to a noticeable reduction in pop-ups and consent banners, though behavioral advertising and other cross-site tracking remain outside the scope of the exemption and still require consent.
What the Law Now Requires
Despite its pro-business posture, the DUAA doesn’t ignore individual rights. In fact, it codifies new responsibilities that organizations must now address directly.
Any organization that offers online services likely to be used by children must explicitly factor their needs into design and data use decisions. This requirement builds on the existing Age Appropriate Design Code, but it is now baked into statutory law. For firms already aligned with the Children’s Code, little may need to change. For others, the time to assess risks and adjust defaults is now.
The Act also introduces a mandatory framework for handling data protection complaints. Organizations are now expected to provide accessible means, such as online forms, for individuals to submit concerns, and must acknowledge complaints within 30 days. They must also respond without “undue delay,” tightening the timeline and accountability for internal privacy teams. This is not a nicety; it's a compliance obligation.
To support these changes, the ICO has committed to rolling out a new catalog of guidance materials, consultation opportunities, and draft codes of practice. This includes forthcoming work on areas such as artificial intelligence and educational technology (“edtech”), where the ICO is expected to play a more proactive regulatory role going forward.
Stronger Regulator, Sharper Tools
In parallel with easing business compliance, the DUAA reshapes the ICO itself. It reconstitutes the regulator as the Information Commission, a body corporate with a board, in place of the Information Commissioner as a corporation sole, and introduces reporting reforms intended to enhance transparency, strengthen independence, and modernize its governance. More significantly, it empowers the regulator with new investigatory tools. For the first time, the ICO can compel individuals to attend interviews, require organizations to commission technical reports, and issue significantly higher penalties under PECR, aligned with the UK GDPR maximum.
Importantly, the ICO has stated that it will continue to apply the law as it stood at the time of an alleged infringement, even as provisions are phased out or amended. Where noncompliance spans both the old and new frameworks, the regulator may use its discretion in deciding whether to enforce under the legacy provision or under the DUAA. For organizations, this transitional window introduces new complexity in regulatory risk management and underscores the need to keep compliance programs in sync with legislative timelines.
Implementation of the DUAA will be phased over the next 12 months, with some provisions coming into force as early as August or October 2025. Others may take until mid-2026. The ICO has already published resources tailored to organizations, law enforcement agencies, and the general public, with more detailed guidance expected in the months ahead.
Privacy, legal, and GRC professionals should waste no time in reviewing their organization’s exposure under the new law. Key priorities include evaluating automated decision-making frameworks, updating lawful basis assessments, reviewing child-facing digital services, and formalizing complaint procedures. Where the DUAA offers new flexibilities, like reduced cookie friction or streamlined subject access request (SAR) processing (the Act codifies that controllers need only carry out a reasonable and proportionate search, and that the response clock pauses while the controller awaits clarification from the requester), teams should assess whether these can be operationalized to create value without adding risk.
The DUAA is a legislative attempt to balance usability with responsibility. It trims regulatory excess in places while reinforcing the foundations of accountability elsewhere. For some, it’s an overdue correction to a system that had become needlessly cumbersome. For others, it’s a reminder that flexibility comes with strings attached, and that smart governance still requires vigilance.