
What UK Firms Need to Know About the UK Data Use and Access Act

The UK Data Use and Access Act (DUAA) came into place last year, reforming in part how the UK regulates personal and non-personal data. 

According to UK regulator the Information Commissioner’s Office (ICO), the DUAA “amends, but does not replace”, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).  

Taken together, the reforms aim to create a more “business-friendly and innovation-ready data regime”, while “preserving the core principles of data protection” for individuals, says Chris Newton-Smith, CEO of IO, formerly ISMS.online.  

However, the interplay between the frameworks means organisations will need to navigate the new landscape carefully, Newton-Smith warns.  

With the final details of the Act coming into place this year, what do UK firms need to know about the DUAA, and what should they do to comply? 

Changes to Regulation 

Key changes under the Act include more flexibility around legitimate interests, reduced administrative burden for low-risk processing and clearer rules on data sharing between organisations, says Rob O’Connor, EMEA CISO at Insight.  

In addition, the role and governance of the ICO are adjusted to be “more growth-orientated and outcomes-focused,” rather than purely compliance-driven, he says. “With this shift, the UK is signaling regulatory divergence from the EU, while still trying to preserve adequacy status,” O’Connor tells SC Media UK. 

At its core, the Data Use and Access Act is designed to make UK data regulation “more workable” without dismantling the UK GDPR, says Oliver Newbury, chief strategy officer at Halcyon. 

“The direction is pragmatic, with less focus on form filling and more on whether organisations can demonstrate responsible outcomes,” he explains. 

Impact on UK Businesses 

Therefore, while the Act will have an impact on UK firms, this will be “practical rather than structural,” says Newbury. “Compliance remains, but the emphasis is shifting away from paperwork towards whether firms really understand how their data is used, shared and protected.” 

For example, the rules on handling subject access requests are clearer, including the ability to pause the clock while you wait for more information. There is also a stronger focus on carrying out “reasonable and proportionate searches,” says Becky White, senior solicitor, data protection and privacy at law firm Harper James. “And there is more flexibility around some solely automated decisions, provided the right safeguards are in place.” 

The DUAA includes some sharper expectations too, says White. “In a few areas, the Act raises the bar and expects organisations to be able to show their workings. For example, if you offer online services that vulnerable data subjects like children are likely to use, you should be able to demonstrate that you have genuinely considered their needs when deciding how their personal information is collected and used.” 

As part of the DUAA, businesses will gain greater certainty when relying on legitimate interests, especially for purposes such as fraud prevention, cybersecurity and service improvement, says Insight’s O’Connor. This means data sharing between organisations will become “more practical and easier to justify”, especially where there is a clear public interest or economic benefit, he says. 

However, firms operating across the UK and EU will need to manage regulatory divergence carefully, as UK and EU GDPR will no longer be identical, he warns. 

At the same time, PECR enforcement is significantly tougher, with fines now aligned with UK GDPR levels: up to £17.5m or 4% of global turnover. 

Status of the Act 

The DUAA received Royal Assent in June 2025 and is being introduced through a phased rollout running through to June 2026. Initial provisions came into force in August 2025, with most of the substantive data protection and privacy changes, including amendments to UK GDPR and PECR, commencing in February 2026. 

The skeleton of the Act is now law. However, the “muscle and connective tissue” such as detailed rules, codes and procedural mechanics are still being phased in, says Insight’s O’Connor. “As it stands, we’re in the transitional, recalibration stage where expectations, secondary legislation and ICO guidance are still forming.” 

There’s still at least one notable milestone ahead, says Harper James’ White. “The Department for Science, Innovation and Technology has set out that different measures commence at different times, and the ICO has confirmed that the requirement for organisations to have a complaints procedure is due to commence in June 2026.” 

Some updates to the regulator’s governance are also due to come through later, she adds. 

Complying With the DUAA 

With this in mind, all UK firms should ensure they are working towards compliance now. But O’Connor has a warning for any companies that might view the new Act as a deregulation opportunity: UK GDPR is the compliance baseline, he says. “The DUAA should be approached as a governance maturity exercise. Regulators are expecting organisations to demonstrate sound judgement, not just to produce compliance artefacts.” 

To start their compliance journey, firms must start mapping which guidelines are relevant to them, particularly when it comes to legitimate interests, data sharing and governance changes, he advises. 

This period should be used to strengthen control and visibility over data, says Halcyon’s Newbury. “Organisations have to know where data sits, who can access it, how it is shared, and how incidents are managed when something goes wrong.” 

Meanwhile, firms must review their cookies and marketing practices, IO’s Newton-Smith advises. “They should be updating their cookie banners, reassessing consent models, and noting that PECR penalties now carry GDPR-level risk.” 

Compliance should sit alongside security and resilience planning, and not be left solely to legal or privacy teams, Newbury says. “With ransomware and data extortion increasingly focused on access, availability and leverage, firms that treat the Act as a light touch compliance update are likely to struggle. Those that do well will use the flexibility within the DUAA to simplify controls while improving their ability to withstand and recover from disruption.” 

Kate O'Flaherty, Cybersecurity and privacy journalist
