DUAA Compliance: Track the UK Data (Use and Access) Act 2025 Changes and Map Them to Your Policies
The Data (Use and Access) Act 2025 reforms the UK GDPR, the Data Protection Act 2018 and PECR, with a package commencing 5 February 2026 under SI 2026/82 and the new complaints duty from 19 June 2026. RegSpace monitors the commencement timeline, scores your policies against the new obligations, and hosts s.164A complaints intake, all as draft intelligence for your counsel.
What is DUAA?
The Data (Use and Access) Act 2025 (DUAA) is a UK statute that received Royal Assent on 19 June 2025. It reforms rather than replaces the existing UK data protection framework, amending the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). Its headline measures include a list of recognised legitimate interests that removes the need for a balancing test, a revised automated decision-making regime in new Articles 22A to 22D, a 'stop the clock' rule for data subject access requests, changes to cookies and direct marketing under PECR, the replacement of the Information Commissioner's Office with a reformed regulator (the Information Commission), and a new duty on controllers to facilitate and handle complaints (Data Protection Act 2018 section 164A). The reforms commence in phases through regulations: SI 2026/82 brings several provisions into force from 5 February 2026, while the section 164A complaints duty applies from 19 June 2026.
Who does DUAA apply to?
DUAA reshapes obligations for organisations already subject to the UK GDPR, the DPA 2018 and PECR, so if you process personal data of people in the UK or send electronic marketing to them, the changes touch you.
- Controllers established in the UK, or outside the UK targeting or monitoring individuals in the UK, that determine the purposes and means of processing under the UK GDPR
- Processors acting on a UK controller's instructions, who must keep their own records, contracts and security measures aligned as the framework shifts
- Organisations that rely on legitimate interests as a lawful basis, who can now use the new recognised legitimate interests list without a balancing test for the listed activities
- Organisations that carry out solely automated decision-making, including profiling, which is governed by the revised Articles 22A to 22D regime
- Senders of electronic direct marketing and operators of cookies and similar technologies, who are affected by the PECR changes (including new cookie-consent exemptions, the charity soft opt-in and higher PECR fines)
- Any controller that must receive, facilitate and handle data protection complaints from individuals under the new DPA 2018 section 164A duty
Key DUAA obligations
Apply the recognised legitimate interests list correctly
DUAA introduces a list of recognised legitimate interests that can be relied on without carrying out the usual legitimate interests balancing test. Controllers still need to confirm the activity genuinely falls within a recognised interest and document the basis, so the change is an evidencing and scoping task, not a free pass.
Meet the revised automated decision-making regime (Articles 22A to 22D)
The new Articles 22A to 22D reshape the rules on significant decisions taken solely by automated means, including profiling, with safeguards such as the ability to obtain human intervention, make representations and contest a decision. Controllers need to identify in-scope automated decisions and ensure the required safeguards and transparency are in place.
Operate DSARs under the new 'stop the clock' rule
DUAA introduces a 'stop the clock' mechanism that lets controllers pause the response clock while waiting for information reasonably needed to clarify or fulfil a request, alongside a 'reasonable and proportionate' search standard. Controllers should update their subject access request procedures so the pause is applied and logged correctly.
Update cookies and direct marketing practice under PECR
The Act amends PECR, including new exemptions from cookie consent for certain low-risk purposes, a soft opt-in for charities, and higher maximum PECR fines aligned to UK GDPR levels. Review your cookie banner, consent records and marketing flows against the revised rules.
Refresh privacy notices and records for the new framework
Because lawful bases, automated decision-making safeguards and complaint routes are changing, privacy notices, records of processing and internal policies need to reflect the amended UK GDPR and DPA 2018 so individuals are told accurately how their data is used and how to complain.
Stand up the section 164A complaints-handling duty
From 19 June 2026, controllers must facilitate the making of complaints (for example by providing a complaint form), acknowledge a complaint without undue delay, take appropriate steps to respond, and inform the complainant of the outcome, with Article 12 signposting of this internal route before individuals escalate to the regulator.
Track the move from the ICO to the Information Commission
DUAA reconstitutes the regulator, replacing the Information Commissioner's Office with the Information Commission, with new governance and duties. Organisations should follow the transition so guidance, registration and reporting channels are pointed at the correct successor body.
Manage the phased commencement
DUAA's provisions do not all take effect on Royal Assent; they are switched on by commencement regulations. SI 2026/82 brings a package into force from 5 February 2026 and the section 164A complaints duty applies from 19 June 2026, so compliance work needs to be sequenced to those dates rather than treated as a single switch.
Key dates
- 19 June 2025: The Data (Use and Access) Act 2025 received Royal Assent. Most substantive duties do not begin on assent; they commence later through regulations.
- 5 February 2026: SI 2026/82 brings several DUAA provisions into force, including the recognised legitimate interests list, the new Article 22A to 22D automated decision-making regime, the DSAR 'reasonable and proportionate' and 'stop the clock' changes, PECR cookie-consent exemptions, the charity soft opt-in and higher PECR fines.
- 19 June 2026: The new duty on controllers to facilitate and handle data protection complaints (Data Protection Act 2018 section 164A) applies, with Article 12 signposting of the internal complaint route.
- Phased via regulations (dates follow later commencement orders): Further DUAA provisions, including the reconstitution of the regulator as the Information Commission, are commenced through additional regulations on their own timetable, so the operative dates for some changes follow later commencement orders and should be confirmed against those instruments.
How RegSpace helps with DUAA
Draft, source-linked intelligence for your team to review. Not legal advice.
RegSpace ships a dedicated DUAA obligation pack woven into its gap analysis, covering the dated DUAA reforms such as recognised legitimate interests, the Article 22A to 22D automated decision-making regime, the DSAR stop-the-clock change, the PECR updates and the section 164A complaints duty, so the new requirements are checked explicitly rather than buried in generic data protection coverage.
RegSpace provides a per-tenant hosted complaints form for the section 164A duty that auto-acknowledges the complaint, starts the response clock and alerts your DPO. Every response is drafted for human approval before it goes out, so the workflow facilitates and tracks complaints while keeping a qualified person in control of each reply.
Monitors, on a weekly basis, the UK regulator and legislative trackers that touch you, including the DUAA commencement timeline, and drafts a source-linked digest of what changed (for example when a new commencement order moves a date). Where a change hits a policy you have published, Watcher produces a DOCX redline in track changes for your counsel to review.
Scores your uploaded privacy notice, data protection policy and related documents against the law and shows where each obligation is missing, partial or covered with a gap score, so you can see where your documentation falls short of the amended UK GDPR, DPA 2018 and PECR before the changes commence.
Gives you the registers and workflow to evidence the work in one place: a RoPA, a risk register with a 5x5 matrix, controls, incidents, DPIAs, cookies, assets and vendors, plus a review and approval workflow, tickets and dashboards to document accountability as you implement the DUAA changes.
Scores vendor and third-party risk and reconciles your published privacy notice against what your registers actually record, surfacing mismatches you will want to fix as notices are updated to reflect DUAA's lawful-basis and automated-decision changes.
DUAA FAQ
What is the UK Data (Use and Access) Act 2025?
The Data (Use and Access) Act 2025 (DUAA) is a UK statute that received Royal Assent on 19 June 2025. It reforms the existing UK data protection regime rather than replacing it, amending the UK GDPR, the Data Protection Act 2018 and PECR. Its changes are commenced in phases through regulations, not all on the day of assent.
Does DUAA replace the UK GDPR?
No. DUAA amends the UK GDPR, the Data Protection Act 2018 and PECR; those laws remain in force in their revised form. The familiar principles, lawful bases and data subject rights still apply, but several are reshaped, for example by the recognised legitimate interests list, the new Article 22A to 22D automated decision-making regime and the DSAR stop-the-clock rule.
When do the DUAA changes take effect?
DUAA received Royal Assent on 19 June 2025, but most duties commence later via regulations. SI 2026/82 brings a package of provisions into force from 5 February 2026 (including recognised legitimate interests, Articles 22A to 22D, the DSAR changes and the PECR updates), and the section 164A complaints-handling duty applies from 19 June 2026.
What are recognised legitimate interests under DUAA?
DUAA introduces a list of recognised legitimate interests that can be relied on as a lawful basis without performing the usual legitimate interests balancing test. You still need to confirm that an activity genuinely falls within a recognised interest and document that basis, so it streamlines, rather than removes, the assessment for the listed activities.
What is the section 164A complaints duty?
Section 164A of the Data Protection Act 2018, inserted by DUAA and applying from 19 June 2026, places a duty on controllers to facilitate the making of complaints, acknowledge them without undue delay, take appropriate steps to respond, and inform the complainant of the outcome, with Article 12 signposting of this internal route. RegSpace offers a hosted complaints form that auto-acknowledges, starts the clock and alerts your DPO, with human approval of every response.
What changes does DUAA make to cookies and direct marketing?
DUAA amends PECR. The changes include new exemptions from cookie consent for certain low-risk purposes, a soft opt-in for charities, and higher maximum PECR fines aligned to UK GDPR levels. You should review your cookie banner, consent records and marketing flows against the revised PECR rules, most of which commence on 5 February 2026.
How does RegSpace help with DUAA compliance?
RegSpace has a dedicated DUAA Navigator obligation pack woven into its gap analysis, plus hosted section 164A complaints intake that auto-acknowledges, starts the clock and alerts your DPO with human approval of every response. Watcher monitors the DUAA commencement timeline and drafts source-linked digests and policy redlines, Assessor scores your policies against the new obligations, and the GRC Workspace holds the registers and workflow to evidence the work. RegSpace outputs are draft regulatory intelligence for your qualified counsel to review; it does not provide legal advice, file anything with a regulator, or guarantee compliance.
Stay ahead of DUAA changes, automatically.
RegSpace monitors the regulators that touch you, scores your policies against the law, and drafts the redlines. Every claim cited, every output lawyer-reviewed.