Data Use and Access Act 2025: What UK Data Governance Professionals Need to Know

Earlier this month, most of the data protection provisions under the Data (Use and Access) Act 2025 (DUAA) came into force. This has pragmatic implications for many of our clients and contacts in the data industry - the changes materially affect enforcement risk, lawful basis decisions, AI governance, and operational compliance processes.

The Act updates the UK GDPR, the Data Protection Act 2018, and PECR, marking the most significant shift in the UK data protection landscape since Brexit.

Below is a concise summary of what matters most to UK data professionals and some very brief notes on the kinds of action you and your teams should consider implementing.

“Recognised Legitimate Interests”

The Act introduces a new category of lawful basis called recognised legitimate interests.

A lawful basis is the legal justification for processing personal data. Normally, using “legitimate interests” requires a documented balancing test between organisational need and individual rights.

Under DUAA, certain defined activities (such as safeguarding or crime prevention) may rely on recognised legitimate interests without performing that balancing test each time.

What to do:

• Update Records of Processing Activities (RoPAs).
• Review lawful basis guidance and decision trees.
• Train teams to avoid misclassification or taking unnecessary time consuming actions

DSAR Clarifications

A Data Subject Access Request (DSAR) allows individuals to ask what personal data you hold about them.

DUAA clarifies expectations around:

• “Reasonable and proportionate” searches
• Handling excessive or vexatious requests

This offers practical flexibility but still requires careful documentation.

What to do:

• Update DSAR procedures.
• Ensure justification for search scope is documented.
• Refresh staff training.

Automated Decision-Making (ADM) and AI

Automated decision-making (ADM) refers to decisions made by systems with little or no human involvement (e.g. credit scoring, AI screening tools).

DUAA broadens when ADM may be permitted under certain lawful bases but maintains requirements for:

• Transparency
• Safeguards
• Meaningful human oversight

What to do:

• Make an inventory of AI and profiling systems.
• Review DPIAs (Data Protection Impact Assessments).
• Confirm oversight mechanisms are operational, not theoretical.

Complaints Procedures (From June 2026)

From June 2026, organisations must implement a formal internal data protection complaints procedure.

Prepare now by:

• Designing a documented workflow.
• Assigning accountability.
• Aligning with existing governance processes.

Increased Enforcement Risk (Especially Under PECR)

Perhaps less of a pragmatic concern for many of our public sector clients at MetadataWorks, but worth noting all the same. PECR — which governs electronic marketing, cookies, and communications privacy — now carries fines aligned with UK GDPR levels:

• Up to £17.5 million, or
• 4% of global annual turnover

This significantly increases exposure for non-compliant marketing practices, cookie implementations, and consent mechanisms.

What to do:

• Review cookie and marketing compliance.
• Ensure consent management tools are robust.
• Update risk registers and board reporting to reflect higher penalty thresholds.

Need Help?

If your organisation would like support understanding what these changes mean in practice my door is always open. You can contact us at hello@metadataworks.co.uk– we’ll make sure your organisation keeps up with the legislative changes.