top of page
Search

DUAA 2025 – A New Data Framework for Innovation, Simplicity, and Accountability in the UK

  • Writer: Katarzyna Celińska
    Katarzyna Celińska
  • Jun 24
  • 1 min read

On 19 June 2025, the Data Use and Access Act came into force in the UK—marking a significant update to digital data governance. Rather than replacing laws, it amends existing data protection regulations including the UKGDPR, Data Protection Act 2018, and PECR to better align with innovation, clarity, and practical compliance.

 

About DUAA

✅ Encouraging innovation:

Enables broad consent for scientific research, even commercial.

Allows reuse of personal data for research without issuing privacy notices, if disproportionate effort is proven.

Expands use of automated decision-making by clarifying that legitimate interests may apply—with safeguards.

Relaxes cookie consent rules for functional and statistical cookies.

✅ Reducing complexity:

New recognised legitimate interests allow certain uses (e.g., public safety) without balancing tests.

Clarifies that data disclosure for public tasks can rely on the requesting body’s assessment.

Assumes compatibility for archiving, public interest, and charity email marketing under “soft opt-in.”

Simplifies SAR response obligations—only reasonable and proportionate searches are required.

Improves language clarity, including on transfers and direct marketing legitimacy.

✅ New requirements to note:

Online services for children must now explicitly account for children's needs—linked to the Age Appropriate Design Code.

Complaint handling becomes mandatory: provide digital submission options, acknowledge within 30 days, and respond without undue delay.

 

The DUAA is a modern response to a digital world where data fuels innovation. I support reducing bureaucracy where it doesn’t add value—but I’m cautious about weakening privacy protection. Simplification must not mean complacency.

In my view, the DUAA offers practical improvements for businesses while still holding them accountable. It’s a reminder that compliance doesn’t mean paperwork—it means effective internal processes that meet the law's intent.



 
 
 

Comentarios

Stay in touch

office@itgrcadvisory.com

ITGRC ADVISORY LTD. 

590 Kingston Road, London, 

United Kingdom, SW20 8DN

​company  number: 12435469

Privacy policy

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
bottom of page