Five ways the Data (Use and Access) Act 2025 will make things easier for businesses

Rob Eakins
Changes have been made to the UK’s data protection regime through the introduction of the Data (Use and Access) Act 2025 (DUAA). Whilst the provisions considered in this article are already in force, others will be introduced over time. The DUAA does not replace the UK’s existing data protection legislation (including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)) but will make some changes to that legislation in order to simplify the UK’s data protection regime.
In this article we look at five areas in which the DUAA may impact businesses for the better.
Subject Access Requests
The DUAA has introduced a number of practical changes to how organisations handle Subject Access Requests (SARs), providing organisations with greater clarity and flexibility. In particular, searches in response to a SAR now need to be ‘reasonable and proportionate’, thus removing the pressure on organisations to search every system and backup where doing so would be disproportionate. The changes also clarify that the deadline for a response to a SAR is calculated from when the organisation receives: (i) the request; (ii) the further information (if any) the organisation has requested to verify the identity of the person making the request; or (iii) the fee (in relation to manifestly unfounded or excessive requests), whichever is the latest. This formalises existing guidance which previously lacked a statutory footing.
International data transfers
The DUAA has amended data protection legislation to make it easier for UK businesses to effect international transfers of personal data. If a UK-based business wants to transfer personal data to a separate legal entity based outside of the UK, the business should first establish if there is an adequacy decision in place regarding the country of receipt (in other words, is it a country already approved by the UK government?). If not, then limited derogations such as explicit consent and contract necessity should be considered. If the derogations do not apply, then appropriate safeguards in relation to the transfer must be put in place. These safeguards include the use of the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU Standard Contractual Clauses.
Previously, where safeguards were to be put in place, it was necessary to first carry out a transfer risk assessment (TRA) to establish if data protection laws in the recipient’s country were essentially equivalent to those in force in the UK. The transfer could only take place if the organisation transferring the personal data was satisfied that the necessary standard was met. Although the same principle still applies, the DUAA now refers to a ‘data protection test’ rather than TRAs, and the required standard is now that the protection provided is ‘not materially lower’ than that which applies in the UK. It is believed that this is a lower threshold to meet, providing greater flexibility and discretion when assessing data protection regimes, and meaning that data protection tests can be shorter and more proportionate than TRAs.
Recognised legitimate interests
Processing of personal data is only lawful if one of the grounds set out in the UK GDPR applies. The DUAA introduces a new lawful ground of ‘recognised legitimate interests’ – this is additional to, and different from, the legitimate interests basis which already existed in the UK GDPR. It refers to five pre-approved purposes that are in the public interest, including crime prevention and detection, responding to emergency situations and safeguarding national security.
Whilst organisations relying on legitimate interests would normally be required to carry out a balancing exercise to see if the organisation’s legitimate interests in carrying out the processing are outweighed by the individual’s interests or fundamental rights and freedoms, this is not necessary in the case of recognised legitimate interests, as the government has determined that, for these limited purposes, the public interest outweighs the risks to individuals’ rights. Nonetheless, an organisation must still determine that the processing is necessary for the recognised legitimate interest and comply with all other requirements of data protection legislation in relation to the processing. It should also be kept in mind that although the normal balancing exercise is not required, individuals still have the right to object to the processing of their personal data where the basis for such processing is recognised legitimate interests.
Processing for other legitimate interests
The DUAA introduces a new provision into the UK GDPR to clarify that direct marketing may in some cases be carried out on the basis of a legitimate interest as currently referred to in the UK GDPR. However, the clarification that direct marketing can be a legitimate interest for data protection purposes does not remove the impact of PECR, which still requires consent to be obtained in order to lawfully send marketing communications via certain channels.
Organisations that meet the legal definition of a charity will benefit from a new soft opt-in introduced into PECR by the DUAA. This allows charities to send electronic marketing without prior consent where the purpose of the message is to further the charity’s charitable purposes and, at the time the recipient’s details were obtained, the recipient expressed an interest in those charitable purposes or offered or provided support to the charity. The recipient must also have been given the opportunity to opt out of receiving marketing messages at the time their details were collected and must be provided with an opt‑out option in each subsequent marketing message. In many ways this reflects the soft opt-in already available to businesses, but it applies only to new contacts acquired by a charity after 5 February 2026.
Changes introduced by the DUAA confirm that intra-group transmission of personal data and processing necessary for ensuring the security of network and information systems are also examples of processing that may be necessary for the purposes of a legitimate interest. This simplifies regulatory compliance for businesses within corporate groups for which the transfer of personal data is a practical reality and gives businesses greater confidence when relying on legitimate interests as a lawful basis for monitoring cyber threats.
Research
The DUAA amends parts of the UK GDPR to explain that processing of personal data for the purposes of scientific research includes processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity. This removes any ambiguity about whether commercial and private‑sector research can benefit from the various UK GDPR provisions which refer to scientific research.
Changes have also been made to ensure easier reuse of personal data for research purposes. The UK GDPR sets out a “purpose limitation” which prevents personal data being processed in a manner that is incompatible with the purpose for which it was originally collected. The change introduced by the DUAA states that processing for the purpose of scientific research is to be treated as processing in a manner compatible with the original purpose. Nonetheless, appropriate safeguards must be put in place to protect the rights and freedoms of the individuals involved.
How Bermans can help
The Data (Use and Access) Act 2025 brings welcome simplification, but businesses still need to ensure their data protection practices and contracts remain compliant.
Bermans Commercial team advises on all aspects of data protection, including UK GDPR compliance, subject access requests, international data transfers and lawful processing. We also review and draft the commercial contracts that support your data handling activities, helping ensure your agreements reflect your regulatory obligations and manage risk effectively.
To discuss how the DUAA affects your business, or for support with data protection and commercial contracts, contact Bermans Commercial team.