📢 Regulatory Update: UK Data (Use and Access) Act: Key Implications on UK Data Protection Law

Authored by: Dan Or-Hof, Eran Gandman, and Matan Adar

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and marks a significant evolution in the United Kingdom’s data protection and privacy framework.

The DUAA introduces substantial changes to current UK data protection law, including amendments to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PEC Regulations).

The changes and measures established under the DUAA will take effect in phases over 2-12 months following the Royal Assent, with exact commencement dates to be set through secondary legislation.

This article outlines key amendments with direct impact on private-sector organizations doing business in the UK. The DUAA also introduces various changes relevant to other sectors, such as law enforcement, which go beyond the scope of this article.

Automated Decision-Making (ADM): Establishing a more permissive framework

The DUAA establishes a more permissive framework that allows organizations to make decisions based solely on automated processing, including decisions with legal or similarly significant effects on the data subject, in a wider range of circumstances, subject to appropriate safeguards such as transparency, the right to challenge decisions, and access to human review.

These circumstances include, for example, automated processing of sensitive data (special category and criminal offence data) where the decision is necessary for entering into or performing a contract between the controller and the data subject.

Data Subject Access Requests: Clarifying Response Timelines and Search Expectations

The DUAA introduces a “stop the clock” mechanism for data subject access requests (DSARs), allowing organizations to pause the one-month response timeline while awaiting clarification or additional information from the requester. This change ensures that the statutory deadline does not unfairly penalize controllers when requests are vague or incomplete. Once the necessary information is received, the clock resumes, giving organizations a clearer and more manageable timeframe to respond.

In practice, this rule provides much-needed flexibility for data controllers. When a DSAR lacks clarity, organizations can pause the deadline while seeking further details, ensuring that responses are accurate and tailored to the individual’s needs. Additionally, the DUAA codifies the requirement for “reasonable and proportionate” searches when responding to DSARs, a principle previously grounded in case law. It provides a clearer legal standard for limiting the scope of searches, particularly when dealing with large volumes and complex systems holding data about employees or customers.

The codified “reasonable and proportionate” search standard applies specifically to access requests and does not alter timelines or other requirements related to other data subject rights under the UK GDPR.

Children’s Data Protection: Establishing New Data Protection by Design Requirements

The DUAA reinforces the principle that children merit specific protection and that their rights must be embedded into the architecture of digital services from the outset, by introducing new data protection considerations built on the existing data protection by design and by default (DPbD) requirements under Article 25 of the UK GDPR.

It requires organizations providing online services that are likely to be accessed by children to consider “children’s higher protection matters” when designing their personal data processing activities, including accounting for children’s varying developmental stages, their limited understanding of data risks, and their evolving needs as they grow.

The DUAA requires such services to integrate child-specific considerations into their design and default settings wherever a service or product is likely to be accessed by children.

In practical terms, this requires organizations to go beyond generic privacy settings and adopt a child-centric approach to data protection, such as not nudging children toward less privacy-friendly options, minimizing data collection to what is strictly necessary, and providing age-appropriate explanations of how data is used.

Scientific Research: Clarifying the Scope of ‘Scientific Research’ and Introducing ‘Broad Consent’

The DUAA clarifies the scope of the derogation under Article 9 of the UK GDPR, allowing the processing of special categories of personal data for “scientific research”, including commercial research such as pharmaceutical trials or private-sector innovation. This clarification, now embedded in the main body of the UK GDPR rather than its recitals, provides researchers with greater legal certainty and consistency when processing personal data for research purposes.

Additionally, the DUAA introduces the concept of “broad consent” into the legislative text, allowing researchers to obtain consent for a general area of research, for example, studies related to a particular disease, even if the precise objectives are not yet fully defined. While this does not create a new lawful basis, it strengthens the interpretation of existing provisions, particularly the derogation under Article 9(2)(j) of the UK GDPR for processing special category data, supported by safeguards under Article 89(1) of the UK GDPR.

The DUAA also consolidates and reinforces required safeguards for research processing, including the principles of data minimization, transparency, and the prohibition of using research data to make decisions that could harm or disadvantage data subjects.

Introducing a new lawful ground – ‘Recognized Legitimate Interest’

The DUAA introduces a new lawful ground for processing personal data under Article 6 of the UK GDPR, known as “recognized legitimate interests”, exempting organizations from conducting a legitimate interests assessment (LIA), provided that the purpose falls within a defined list of activities of public interest.

These include crime prevention, safeguarding vulnerable individuals, responding to emergencies, protecting national security, and supporting public interest tasks authorized by law.

This reform addresses long-standing concerns about the complexity and subjectivity of the LIA process. By removing the requirement to balance the organization’s interests against the individual’s rights in these specific scenarios, the DUAA provides greater legal certainty and operational efficiency.

Establishing a New Standard for Third Country Adequacy – ‘Not Materially Lower’

The DUAA introduces a new legal test for international data transfers, allowing personal data to be sent to third countries that offer protection “not materially lower” than UK standards, replacing the stricter “essentially equivalent” threshold. This shift offers organizations more flexibility while maintaining strong safeguards. The Act also removes the fixed four-year review cycle for adequacy decisions, replacing it with ongoing monitoring to ensure relevance over time.

Additionally, it empowers the Secretary of State to recognize new transfer mechanisms, such as updated standard contractual clauses or certification schemes, giving organizations more tools to support compliant cross-border data flows.

PEC Regulations – Expanding Definitions and Establishing New Exceptions

The DUAA introduces various changes to the PEC Regulations; the main ones include:

  • Broader Definitions: “Call” and “Communication” now include attempts that do not reach the recipient, expanding the scope of direct marketing enforcement.
  • New Breach Notification Requirement: Telecom providers must report personal data breaches within 72 hours, aligning with UK GDPR timelines.
  • New exceptions for using tracking technologies: New exceptions that allow for the use of cookies for statistical purposes, customizing a website’s functionality, and providing emergency assistance without consent. In addition, the Secretary of State may introduce further exceptions.
  • Increased Penalties: Fines for breaches of direct marketing rules under PEC Regulations are increased to match UK GDPR levels – up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
  • Charity Marketing: Charities may now rely on the “soft opt-in” rule to send marketing emails to individuals who have previously expressed interest in, or offered support for, the charity’s purposes.
  • Codes of Conduct: Sectoral bodies may develop codes of conduct for PEC compliance, subject to ICO approval.

ICO Reform – From Commissioner to Commission

The DUAA replaces the Information Commissioner’s Office (ICO) with a new corporate body, the Information Commission (IC), led by a chair and board. This structural change aims to enhance governance, transparency, and resilience.

The DUAA also introduces new powers and duties for the IC, together with a related duty on data controllers, including:

  • New Enforcement Tools: Including interview notices and the power to commission technical reports at the expense of the investigated party.
  • Mandatory Performance Reporting: Annual reports on KPIs and regulatory actions are now mandatory.
  • Mandatory Complaint Handling Procedures: Data controllers must implement formal complaint-handling procedures and acknowledge complaints within 30 days.

Takeaways

  • The DUAA introduces a more flexible and innovation-oriented data protection regime alongside higher risks of non-compliance. Take the time to conduct a full review of your data protection compliance in light of DUAA.
  • Review your data subject access request workflows to incorporate the new “stop the clock” rule and ensure searches are proportionate. Note that the proportionate-search standard applies specifically to access requests and not to other data subject rights.
  • If your organization uses automated tools for recruitment, customer profiling, or service delivery, verify that safeguards like transparency and human review are in place.
  • The new lawful basis for “recognized legitimate interests” simplifies processing for public interest tasks, but documentation of necessity and proportionality remains essential.
  • Make applications likely to be accessed by children privacy-friendly by default, using age-appropriate design features.
  • Review your marketing practices, including cookie use and direct marketing under the amended PEC Regulations, and update them as necessary.
  • Reassess your data transfer mechanisms to meet the new “not materially lower” standard and prepare for updated clauses or certifications.
  • Establish formal complaint-handling procedures and monitor guidance from the newly formed Information Commission. These steps will help you stay compliant, reduce risk, and take advantage of the DUAA’s more practical approach to data governance.

Disclaimer:
This article is provided for general informational purposes only and does not constitute legal advice. Organizations should seek specific legal counsel before acting on any of the information contained herein.

Our team at Or-Hof and ClearPath is here to support your compliance efforts, help you navigate the evolving requirements of UK Data Protection Law, and align your privacy compliance framework with these new changes.

For further information or legal assistance, feel free to contact us at [email protected].

– The Or-Hof Law Team
