UK data protection is set for its biggest transformation since GDPR.
After months of parliamentary debate, the UK Data Protection and Digital Information (No. 2) Bill has received Royal Assent as The Data (Use and Access) Act (DUAA 2025). This marks a significant shift in how UK data protection compliance works in practice.
At CSRB, we have been closely monitoring these developments, and we are here to help you understand what this means for your organisation.
What Is the Data (Use and Access) Act (DUAA 2025)? And Why Now?
- The new Act represents the UK’s most substantial departure from the EU GDPR since Brexit. Rather than maintaining strict alignment with European rules, the government has chosen to follow its own path, one which promises to reduce administrative burdens whilst maintaining robust protection for individuals’ data.
- The timing is not coincidental. With the UK’s digital economy growing rapidly, and concerns that regulatory friction is hampering innovation, this legislation aims to create a more business-friendly regime. The goal is straightforward: keep the protections that matter whilst removing the bureaucracy that does not.
From Bill to Act: What’s Actually Changed?
Several key changes will directly impact how your organisation handles data protection:
- Data Protection Officer (DPO): Perhaps the most significant change is the replacement, in some instances, of mandatory Data Protection Officers with “Senior Responsible Individuals”. This gives organisations far more flexibility in how they assign data protection responsibilities internally. You are no longer required to have someone with specific DPO qualifications, just someone well versed in data privacy who can be held accountable. Many organisations will continue to employ Data Protection Officers and will still be legally required to appoint a DPO.
- Data Protection Complaints Procedure: Organisations will be required by the DUAA 2025 to develop a data privacy complaints procedure, integrate it into their day-to-day operations, and have it overseen by a competent individual (e.g. a DPO). This was not previously a requirement under the Data Protection Act 2018 (DPA 2018).
- Data Subject Access Requests (DSARs): Data Subject Access Requests can now be refused when they are considered “vexatious or excessive”. This addresses one of the biggest pain points for businesses dealing with repeat or unreasonable requests. Organisations will also only have to perform ‘reasonable searches’ for information when responding to DSARs.
- Record-Keeping Becomes Risk-Based: The blanket requirement to maintain detailed processing records is gone. Now, only high-risk processing activities require comprehensive documentation. For many businesses, this represents a significant administrative saving.
- ICO Becomes the Information Commission: One of the other big changes is that the Information Commissioner’s Office (ICO) will be renamed the Information Commission (IC), and it has been given a new emphasis on AI governance, children’s privacy, and data security in public services. The regulator will also adopt a more risk-based, proportionate approach to enforcement.
Immediate Benefits:
- Reduced documentation requirements for most processing activities;
- More flexibility in assigning data protection responsibilities;
- Clearer grounds for refusing unreasonable subject access requests; and
- Simplified cookie consent requirements for low-risk analytics.
For Compliance Teams: The changes require a strategic review of existing procedures. Teams that have built comprehensive GDPR compliance programmes will not need to dismantle everything, but there are opportunities to streamline processes significantly.
Resource Allocation: Rather than spending time on administrative compliance, teams can focus more on genuine risk management and privacy-by-design principles.
What You Do Not Need to Panic About (Yet)
Despite the changes, many basics remain unchanged:
- International Data Transfers: If you handle EU citizens’ data, you will still need to comply with the EU GDPR requirements. The UK changes do not affect your obligations when processing European data.
- Core Privacy Principles Remain: The fundamental principles of data protection – lawfulness, fairness, transparency, purpose limitation – have not changed. The Act modifies implementation, not underlying philosophy.
- Existing Contracts and Policies: Your current data processing agreements and privacy policies do not suddenly become invalid. Changes can be implemented gradually as part of normal review cycles.
- Sector-Specific Regulations: Industries like finance, healthcare, and telecommunications still face additional sector-specific obligations that go beyond general data protection rules.
What You Should Start Preparing For
Immediate Actions (Next 3-6 Months):
- Review your current DPO arrangements and consider whether a Senior Responsible Individual model works better.
- Assess your DSAR procedures and update response protocols.
- Evaluate your record-keeping requirements based on risk levels.
- Update cookie policies for low-risk analytics tracking.
Medium-Term Planning (6-12 Months):
- Comprehensive review of data processing legal bases.
- Staff retraining on new procedures.
- Policy updates to reflect changed requirements.
- Systems updates where necessary.
Strategic Considerations: Consider how these changes might affect your competitive position. Organisations that can streamline their data protection processes whilst maintaining high standards may find themselves with operational advantages.
How CSRB Clients Are Adapting to the Changes
Our clients are approaching these changes strategically. Rather than rushing to implement changes, many organisations are:
- Taking a Measured Approach: They are identifying which changes offer genuine business benefits versus those that might create unnecessary risk.
- Maintaining High Standards: The best-performing organisations are using the flexibility to improve their data protection practices, not just reduce them.
- Planning for Dual Compliance: Clients with European operations are developing frameworks that satisfy both UK and EU requirements efficiently.
- Leveraging Competitive Advantages: Forward-thinking businesses are using streamlined compliance as a differentiator, particularly in competitive tender situations.
Final Thought: You Have Got Time, But Use It Wisely
- The Data (Use and Access) Act (DUAA 2025) does not require immediate wholesale changes to your data protection programme. However, organisations that proactively adapt to the new rules are likely to gain competitive advantages.
- At CSRB, we are helping clients identify which changes offer the most value for their specific circumstances. Some organisations will benefit enormously from the DPO flexibility; others will find the DSAR changes most valuable.
- The key is developing a strategic approach that balances operational efficiency with robust data protection. The DUAA 2025 provides the tools, but how you use them will determine the business benefits you realise.
- CSRB is here to support your understanding and implementation of The Data (Use and Access) Act (DUAA 2025). We provide support services tailored to your unique needs and industry. Please get in touch to book an initial conversation about how CSRB can help you turn improved privacy and data protection processes into business improvement as well as compliance, and follow us on LinkedIn for the latest data protection news.