WHAT IS THE DATA (USE AND ACCESS) ACT?

The Data (Use and Access) Act (DUAA) was enacted in June 2025 and aims to simplify some of the existing data protection rules and guidelines, encouraging innovation and enabling responsible data-sharing whilst continuing to maintain high data protection standards. There are also some new provisions in the Act, such as data processing for digital verification services and smart data schemes.

The DUAA amends and adds to existing UK data protection legislation such as the UK GDPR, DPA18 and the PECR. This simple guidance page will help you to understand some of those changes, what the new rules are and how they may apply to your business or industry.

To understand what the Data (Use and Access) Act 2025 is and how you can comply with the new rules and regulations, read through the information and FAQs on this page.

The DUAA came into force in June 2025 with the changes being phased in between June 2025 and June 2026. These changes support technological advances and innovation and simplify data processing for organisations. The DUAA provides clarification on GDPR areas such as legitimate interests, international transfers and access requests, whilst continuing to support and maintain the rights of individuals.

Recognised Legitimate Interests

The Data (Use and Access) Act adds Article 6(1)(ea) to the UK GDPR. This allows a recognised legitimate interest to be used as a valid legal basis for processing. Therefore, if an organisation processes personal information for certain ‘recognised legitimate interests’, it does not need to balance the impact on the data subject(s). This in turn negates the requirement to complete a Legitimate Interests Assessment (LIA).

The Data (Use and Access) Act 2025, Schedule 4, Annex 1 sets out the lawfulness of processing for recognised legitimate interests. Where one of these interests applies, you do not need to carry out an LIA. Refer to Sch. 4 (Annex 1) for an up-to-date list.

Our Legitimate Interest Assessment Template has been updated to reflect the latest DUAA amendments.

Subject Access Requests (SAR)

The Data (Use and Access) Act has revised some of the existing rules and regulations around Subject Access Requests (SARs). The DUAA makes it clear that a firm only has to make reasonable and proportionate searches when an individual asks for access to their personal information.

Applicable time periods have replaced the standard ‘one month’ timeframe for responding to access requests. These time periods begin when a firm receives an access request or when additional information is supplied by the data subject to verify their identity. Where a fee is relevant, the applicable time period is also halted until that fee is paid.

Our Subject Access Request Policy & Procedures have been updated to reflect the latest DUAA amendments.

As always, the Information Commissioner’s Office (ICO) has published extensive guidance about the Data (Use and Access) Act (DUAA). Visit the ICO website to access guidance, information and links for implementing the new data protection rules into your framework.

GDPR & DUAA Policy Templates

You may already know which of your existing data protection policies and controls need to be updated with the DUAA rules. However, Know Your Compliance Limited have you covered if you would rather leave the policy drafting and regulation compliance to us! All our GDPR Policy Templates and Toolkits have been fully updated to incorporate the Data (Use and Access) Act requirements, from new legitimate interest procedures through to DPA complaint handling.

Join 11,000+ organisations that benefit from our professional, market-leading policy templates.