
The Data (Use and Access) Act 2025 (DUAA) is the most significant change to UK data protection law since Brexit. It received Royal Assent on 19 June 2025, and the majority of its data protection provisions came into force on 5 February 2026.

If you run a UK business that collects personal data, uses cookies, sends marketing emails, or makes automated decisions about customers or employees, this Act changes your obligations. Some changes reduce administrative burden; others significantly increase the penalties you face for getting things wrong.

Why this matters to your business

The DUAA is not a wholesale replacement of UK GDPR or the Data Protection Act 2018. It is a targeted reform that amends both, along with the Privacy and Electronic Communications Regulations 2003 (PECR). The Act reflects the government's post-Brexit objective of maintaining high data protection standards whilst reducing compliance costs for businesses.

Three things make this Act particularly important for business owners:

  • It is already in force. Most provisions commenced on 5 February 2026. You should already be operating under the new rules.
  • It changes everyday obligations. Cookie banners, privacy officers, legitimate interests assessments, and automated decisions are all affected. These are not niche issues; they touch every business with a website or a payroll system.
  • The penalties for PECR breaches have increased dramatically. The maximum fine for breaching electronic marketing and cookie rules has risen from 500,000 pounds to 17.5 million pounds or 4% of global annual turnover, whichever is higher. The ICO now has the same enforcement teeth for nuisance marketing as it does for data breaches.

Recognised legitimate interests: a new lawful basis

The DUAA adds a seventh lawful basis for processing personal data under a new Article 6(1)(ea): recognised legitimate interests.

This matters because the existing legitimate interests basis (Article 6(1)(f)) requires a Legitimate Interest Assessment (LIA) - a documented balancing test that many businesses find time-consuming and uncertain. The new basis removes the balancing test entirely for specific pre-approved purposes listed in a new Annex 1 to the UK GDPR.

What this means in practice

The recognised purposes are currently narrow - focused on national security, public security, emergencies, and crime prevention. For most commercial processing (marketing, analytics, product improvement), you will continue using the standard legitimate interests basis with a balancing test. However, the Secretary of State has the power to add further purposes by regulation, so this list may expand over time.

If your business processes data for safeguarding, fraud prevention, or emergency response, review whether the new basis applies. It could simplify your compliance documentation significantly.

Senior Responsible Individual: a new compliance role

The DUAA introduces the Senior Responsible Individual (SRI) as an alternative to the Data Protection Officer (DPO). The DPO model, inherited from EU GDPR, requires the appointed person to operate independently and avoid conflicts of interest. For a 20-person company where the office manager handles data protection alongside other duties, these requirements can be burdensome.

The SRI takes a different approach: instead of independence, it emphasises accountability at a senior level. The SRI must be a member of the organisation's senior management team, directly accountable for data protection compliance.

Choosing between SRI and DPO

Public authorities must still appoint a DPO. For private sector organisations, the choice depends on your processing activities. If you conduct large-scale systematic monitoring of individuals or process special category data at scale, the ICO may still expect a DPO. For most SMEs with standard customer and employee data processing, the SRI offers a more practical compliance model.

If you already have a DPO, you are not required to change. The DPO role continues to be recognised. The SRI is an additional option, not a replacement mandate.

Automated decision-making: broader scope for businesses

The previous Article 22 of UK GDPR restricted solely automated decisions that produce legal or similarly significant effects on individuals - decisions such as automated credit scoring, algorithmic recruitment screening, or insurance pricing. These were only permitted with explicit consent, contract necessity, or specific legal authorisation.

The DUAA relaxes this restriction. From 5 February 2026, significant automated decisions are permitted on any lawful basis, provided appropriate safeguards are maintained.

The trade-off

This change gives businesses more flexibility to deploy AI and algorithmic decision-making in areas like customer service, fraud detection, and HR processes. However, the safeguards remain significant. Individuals retain the right to obtain human intervention, express their views, and contest automated decisions. If you are implementing or expanding automated decision-making systems, you need robust processes for handling these requests.

The relaxation does not apply to automated decisions based on special category data (health, race, religion, political opinions). These remain restricted to explicit consent or substantial public interest grounds.

Cookie consent: new exemptions for analytics

Since 2011, PECR has required websites to obtain prior consent before placing non-essential cookies. The DUAA introduces exemptions for certain categories, most notably first-party analytics cookies. If your analytics cookies meet specific conditions, you may no longer need prior consent to set them.

What stays the same

Advertising cookies, third-party tracking, cross-site profiling, and social media pixels still require prior consent. The exemption is deliberately narrow: it covers aggregate statistical analysis of your own website, not individual-level tracking or targeting.

Even for exempt cookies, you must still inform users about what cookies you use and provide an easy way to opt out. This means your cookie policy and opt-out mechanism remain important, even if your consent banner becomes simpler.
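As an added example that is not part of the original article: a small consent gate that encodes the three rules above in JavaScript. It assumes the site's first-party analytics cookies meet the conditions of the new exemption, so they are set without prior consent but removed if the user opts out, while advertising and third-party cookies are set only with a recorded positive consent. The cookie names, categories and the shape of the stored consent state are illustrative; a Map stands in for document.cookie so the code runs outside a browser.

```javascript
// Added example, not from the original article or any real consent product.
// Rules per cookie category: essential cookies are strictly necessary;
// analytics is ASSUMED to be first-party, aggregate-only and therefore exempt
// from prior consent but must honour an opt-out; advertising (ads, third-party
// tracking, social pixels) still needs prior consent.
const CATEGORY_RULES = {
  essential:   { requiresConsent: false, honoursOptOut: false },
  analytics:   { requiresConsent: false, honoursOptOut: true },
  advertising: { requiresConsent: true,  honoursOptOut: true },
};

// Every cookie the site sets is declared here with its category and purpose,
// so enforcement and the cookie notice are derived from one source of truth.
const COOKIE_REGISTRY = {
  session_id: { category: "essential",   purpose: "Keeps you signed in" },
  site_stats: { category: "analytics",   purpose: "Aggregate first-party page-view statistics" },
  ad_id:      { category: "advertising", purpose: "Cross-site advertising identifier" },
};

// consentState is what the site has recorded for this visitor, e.g.
// { analyticsOptOut: true, advertisingConsent: false }. A missing value means
// "no consent given" for consent categories and "not opted out" for exempt ones,
// so the default on first visit is essential + exempt analytics only.
function allowedCategories(consentState = {}) {
  const allowed = [];
  for (const [category, rule] of Object.entries(CATEGORY_RULES)) {
    if (rule.requiresConsent && consentState[`${category}Consent`] !== true) continue;
    if (rule.honoursOptOut && consentState[`${category}OptOut`] === true) continue;
    allowed.push(category);
  }
  return allowed;
}

// Sets a declared cookie only if its category is currently allowed.
// Undeclared cookies are rejected outright (fail closed) so nothing is set
// that the cookie notice does not describe. Returns true if the cookie was set.
function setCookie(jar, name, value, consentState) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) throw new Error(`undeclared cookie: ${name}`);
  if (!allowedCategories(consentState).includes(entry.category)) return false;
  jar.set(name, value);
  return true;
}

// Called whenever the visitor changes their choice (withdraws consent or opts
// out of analytics): deletes every cookie whose category is no longer allowed
// and returns the names removed, so the change can be logged as evidence.
function applyConsentChange(jar, consentState) {
  const allowed = new Set(allowedCategories(consentState));
  const removed = [];
  for (const name of [...jar.keys()]) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry || !allowed.has(entry.category)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Content for the cookie notice, generated from the registry so the notice
// cannot drift from what the site actually sets.
function cookieNotice() {
  return Object.entries(COOKIE_REGISTRY).map(([name, entry]) => ({
    name,
    category: entry.category,
    purpose: entry.purpose,
    consentRequired: CATEGORY_RULES[entry.category].requiresConsent,
    optOutAvailable: CATEGORY_RULES[entry.category].honoursOptOut,
  }));
}
```

The point of the registry is auditability: the cookie audit in the action list becomes a diff between this table and what the browser actually holds, and any cookie that is not declared is refused rather than silently set. In a browser, replace the Map with a thin wrapper over document.cookie and call applyConsentChange from the banner's opt-out and withdraw-consent handlers.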

PECR penalties: a 35-fold increase

Perhaps the most immediately consequential change for businesses is the alignment of PECR penalties with UK GDPR levels. Before the DUAA, the maximum fine the ICO could impose for a PECR breach (nuisance calls, spam emails, cookie non-compliance) was 500,000 pounds. This was already a significant sum for a small business, but for larger organisations it was often seen as a cost of doing business.

Why this matters strategically

The penalty increase signals a fundamental shift in how PECR enforcement should be viewed. Electronic marketing compliance is no longer a secondary concern with modest financial risk. It now carries the same potential consequences as a major data breach.

If your business sends marketing emails, makes marketing calls, or uses cookies, the financial risk of non-compliance has increased by a factor of 35. This should be reflected in your compliance priorities, staff training, and budget allocation for data protection.

What your business should do now

The DUAA is already in force. These are the practical steps to bring your business into compliance.

  1. Review your lawful bases

    Check whether any of your processing falls within the new recognised legitimate interests. If so, you can simplify your documentation. For all other processing, ensure your existing lawful bases remain correctly documented.

  2. Decide on DPO or SRI

    If you currently have a DPO, consider whether the SRI model is more appropriate for your organisation. If you do not have either, assess whether you need one and which role suits your size and processing activities. Monitor ICO guidance for detailed eligibility criteria.

  3. Audit your automated decision-making

    Identify any processes that make solely automated decisions with legal or significant effects. Review whether your safeguards (human intervention, right to contest) are documented and accessible to individuals. Update your privacy notice to reflect any changes.

  4. Review your cookie implementation

    Audit your website cookies and determine whether any qualify for the new analytics exemption. Even if exempt, ensure you provide clear information and an easy opt-out. Do not remove consent mechanisms for advertising or third-party cookies.

  5. Reassess your PECR compliance

    With penalties now reaching 17.5 million pounds, review your electronic marketing practices. Check consent records, TPS/CTPS screening, unsubscribe mechanisms, and cookie consent banners. The financial risk of non-compliance is now 35 times higher.

  6. Update your privacy notice

    Your privacy notice should reflect the new lawful bases, any changes to automated decision-making, and the SRI (if appointed). Schedule a review within the next quarter if you have not already updated it.

  7. Brief your team

    Ensure staff who handle personal data, marketing, or website management understand the key changes. The PECR penalty increase in particular should be communicated to anyone involved in marketing campaigns.

  8. Monitor ICO guidance

    The ICO is publishing detailed implementation guidance throughout 2026. Check the ICO DUAA page regularly for updates on the analytics cookie exemption, SRI requirements, and recognised legitimate interests.

How this connects to existing obligations

The DUAA does not replace UK GDPR, the Data Protection Act 2018, or PECR. It amends all three. Your existing obligations under those laws continue. If you are already compliant with UK GDPR and PECR, the DUAA changes are incremental rather than transformational.

The Act also introduces provisions beyond data protection, including Smart Data schemes (mandatory data portability across sectors) and a digital verification trust framework. These are being implemented separately and will affect specific sectors as regulations are made.