DUAA Summary
The Data (Use and Access) Act 2025 (“the DUAA”) does not mean starting over with data protection policies and procedures. Rather, it updates some of the existing legislation and regulations and aims to provide simplicity in certain areas. The Act adds to and in some cases updates existing UK data protection laws such as the UK GDPR, DPA18 and PECR.
What is the Data (Use and Access) Act (DUAA)?
The Data (Use and Access) Act (DUAA) was enacted in June 2025. It amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications Regulations (PECR). These changes support technological advances and innovation and simplify data processing for organisations. The DUAA provides clarification on GDPR areas such as legitimate interests, international transfers and access requests, whilst continuing to support and maintain the rights of individuals.
It is a wide-ranging Act regarding access to customer data and business data. It contains several new provisions relating to data processing for digital verification services, smart data schemes and includes a new National Underground Asset Register. There are also essential and important changes to the UK’s existing data protection legislation, including the UK GDPR, DPA18 and the Privacy and Electronic Communications Regulations 2003 (PECR). The aim of the changes to the UK data protection laws via the DUAA is to simplify some of the rules for organisations, encourage innovation and enable responsible data-sharing while maintaining high data protection standards.
Do I Need a DUAA Policy?
Do you need a Data (Use and Access) Act (DUAA) Policy or is it better to update your existing GDPR Data Protection Policy Template?
Many of the DUAA rules and guidance add to and/or clarify the existing data protection laws in the UK. For this reason, it is a better option to update your existing GDPR Data Protection Policy Template than to write a specific DUAA Policy. Three of the main changes brought in by the DUAA concern legitimate interests as a legal basis, transfers outside the UK and subject access request procedures.
It is therefore important to ensure that your existing policies and procedures in these three areas are up to date with the DUAA and current GDPR rules.
Legitimate Interests
The DUAA has introduced specific legitimate interests that can be relied upon without the need for a legitimate interests assessment (LIA). The Act has added Article 6(1)(ea) to the UK GDPR, making processing that is necessary for the purposes of a recognised legitimate interest a valid legal basis. Schedule 4, Annex 1 of the DUAA defines what these recognised legitimate interests are. Where one or more of these apply, an organisation no longer needs to carry out a Legitimate Interests Assessment to balance the processing against its impact on the data subject.
Subject Access Requests
There are revised timeframes and procedures for handling and responding to subject access requests for personal data. Whilst these changes are minor, you will still need to update your existing Subject Access Request Procedures. The generic “within one month of receipt of the request” references within the UK GDPR have now been replaced by the applicable time period defined under Article 12A.
Personal Data Transfers Outside the UK
Schedule 7 of the DUAA amends the rules under the UK GDPR and DPA18 that apply when an organisation transfers personal information to third countries and international organisations. You should read this schedule in full and update your existing International Transfer Policy to ensure compliant processes and assessments for any transfers outside the UK.