Data (Use and Access) Act 2025: UK website changes
Steven | TrustYourWebsite · 8 May 2026 · Last updated: May 2026
The Data (Use and Access) Act 2025 (DUAA) is the most significant reform to UK data protection law since the UK GDPR took effect in 2021. It received Royal Assent on 19 June 2025 after a long parliamentary passage. The Bill started life as the Data Protection and Digital Information (DPDI) Bill in the previous Parliament.
For most small and medium UK websites, the day-to-day impact of DUAA is more limited than the headlines suggested. The UK GDPR and the Data Protection Act 2018 remain the governing framework. But several DUAA provisions are directly relevant to website operators. The main ones touch legitimate interests, cookie notices and international data transfers.
To check your current compliance position under UK GDPR as amended by DUAA, run a free scan at /uk/en/scan.
Summary: what DUAA changes for UK websites
The table below maps each DUAA reform area to its old-law baseline and the practical impact on a typical UK website.
| Reform area | Old-law baseline | Practical impact on a UK website |
|---|---|---|
| Recognised legitimate interests | UK GDPR Article 6(1)(f) requires a three-part LIA for every legitimate interest. | Limited. The named purposes are public-interest, not commercial. Marketing and analytics still need a full LIA. |
| Renamed regulator | Information Commissioner's Office (ICO). | The ICO is now the "Information Commission" with a new principal objective. Day-to-day enforcement contact stays the same. |
| ICO appeals | Appeals to the First-tier Tribunal on points of law only. | Enforcement decisions can now be appealed on points of fact. Material change for businesses receiving notices. |
| International transfers | Adequacy regulations and the IDTA under DPA 2018. | New "data bridges" framework. Existing SCCs and the IDTA continue under transition rules. |
| Smart data schemes | Sector-by-sector (Open Banking and similar). | New general framework. Relevant if you operate in finance, energy or telecoms. Minimal for general e-commerce. |
| Cookie rules (PECR) | PECR Regulation 6 consent for non-essential cookies. | Unchanged. The DPDI Bill proposals to soften reconsent did not survive. |
| Digital verification services | Voluntary market for ID verification. | New statutory trust-mark framework. Affects which providers count as "approved". |
Background: from DPDI Bill to DUAA
The DPDI Bill was first introduced in March 2023. It fell when the 2024 general election was called. A revised version was reintroduced by the new government in October 2024 and passed as DUAA in June 2025. The final Act is narrower in some respects than the original DPDI Bill. Several provisions that would have created greater divergence from EU GDPR were removed or softened during passage, partly to preserve the UK's EU adequacy decision.
Understanding this legislative history matters for businesses that may have read commentary on the DPDI Bill. Not everything proposed in 2023 made it into the final Act.
Key changes for website operators
Recognised legitimate interests
DUAA 2025 introduces the concept of "recognised legitimate interests". This is a defined list of specific purposes where the controller can rely on legitimate interests under UK GDPR Article 6(1)(f) without conducting a full legitimate interests assessment (LIA). The initial list covers purposes such as safeguarding, national security, crime prevention and certain research activities.
For most commercial website operators, this provision has limited direct application. The recognised legitimate interests cover largely public-interest and safety purposes rather than commercial processing. The existing LIA requirement continues to apply to marketing, analytics and most commercial uses of personal data. See our guide to legitimate interests for UK marketing for a full explanation of the three-part balancing test.
Reforms to international data transfers
DUAA replaces the existing adequacy and transfer mechanism framework in the DPA 2018 with a reformed "data bridges" system. The Secretary of State can now designate countries or international organisations as providing an "appropriate level of protection" by means of secondary legislation rather than the full adequacy process.
Existing adequacy decisions and standard contractual clauses (SCCs) continue to apply during a transition period. For businesses using SCCs or the UK's own International Data Transfer Agreement (IDTA) with processors in non-adequate countries, no immediate action is required. The practical effect of DUAA's transfer reforms is felt mainly by larger organisations with complex cross-border arrangements. The ICO's international transfers guidance sets out the current position.
Renamed ICO and new accountability framework
DUAA renames the Information Commissioner's Office to the "Information Commission". The Act gives the Commission a new statutory principal objective: to promote a climate of confidence that enables the free flow of personal data. This represents a shift in emphasis from pure enforcement toward enabling economic use of data. The ICO's enforcement powers remain in place and have in some respects been clarified.
The Act also introduces a formal appeals framework. ICO enforcement decisions can now be appealed to the First-tier Tribunal on points of fact, not just law. This is a meaningful procedural change. It may affect how businesses respond to ICO reprimands and enforcement notices.
Cookie reforms: the "consent or pay" question
The DPDI Bill contained proposals to reform PECR to allow persistent cookie consent records and reduce the frequency of consent prompts. These provisions were largely removed from DUAA during passage. The ICO and privacy groups had raised concerns about their compatibility with the UK's EU adequacy decision.
The practical result is that the existing PECR Regulation 6 cookie consent rules remain unchanged. Consent for non-essential cookies must still be freely given, specific, informed and unambiguous. Reconsent is required when the purposes change materially. See our guide to cookie consent rules under PECR for the current requirements.
Smart data schemes
Part 1 of DUAA creates a general framework for smart data schemes. These let customers require data holders to share their data (transaction records, usage history or tariff information) with authorised third parties. Open Banking predates DUAA and operates on the same principle.
For website operators, smart data schemes are mainly relevant if you work in a regulated sector such as financial services, energy or telecoms where a scheme may be designated. For general e-commerce and service businesses, the immediate impact is small.
Data intermediaries and digital verification services
DUAA creates a framework for trust marks and registration requirements for data intermediaries. These are organisations that facilitate data sharing between parties. The Act also creates a statutory framework for digital identity verification services. Individuals can use verified digital IDs to prove age, identity or credentials.
For websites that already use third-party identity verification, DUAA's digital verification service (DVS) provisions may affect which providers qualify as "approved" under the new framework. GOV.UK maintains the trust framework standards that DVS providers must meet to be certified.
What has not changed
Several provisions of UK GDPR and DPA 2018 are unaffected by DUAA. The following obligations remain exactly as before.
The six lawful bases under UK GDPR Article 6 continue to apply. The minor modification of recognised legitimate interests is noted above. Consent requirements under Article 7 are unchanged. Data subject rights (access, rectification, erasure, portability and objection) are unchanged. The obligation to appoint a Data Protection Officer where required is unchanged. The 72-hour breach notification deadline to the ICO under Article 33 is unchanged. PECR rules on cookies and electronic marketing are unchanged.
Comparing UK and EU data protection after DUAA
The EU retained its GDPR framework without the reforms DUAA introduces. UK and EU data protection law have now diverged further. The EU adequacy decision for the UK, granted in 2021, is under ongoing review. DUAA was drafted with adequacy preservation as an explicit objective. The government has stated its intention to maintain EU adequacy.
For businesses that transfer personal data from the EU to the UK (for example EU customers whose data is processed on UK servers), the adequacy decision means no additional transfer safeguards are currently required. Businesses should monitor ICO and government guidance in case the adequacy decision is renewed, restricted or revoked. For an overview of how UK and EU frameworks compare, see our comparison of UK GDPR and EU GDPR after Brexit.
Practical impact by business type
Most of the DUAA reforms apply unevenly across sectors. The table below maps the reform areas to where they actually bite.
| Business type | Material DUAA changes | Action required |
|---|---|---|
| General e-commerce or services SME | Renamed regulator. Cookie rules unchanged. PECR consent still required. | Update privacy notice references to the Information Commission at next review. |
| Financial services, energy, telecoms | Smart data schemes framework. Sector-specific schemes may be designated. | Monitor secondary legislation. Plan for customer-initiated data-portability flows. |
| Research, fraud-prevention, safeguarding | Recognised legitimate interests list covers narrow public-interest purposes. | Review LIAs. A small number of activities may move into the recognised list. |
| International data exporters | Data bridges framework replaces adequacy regulations and IDTA process. | Existing SCCs and IDTA continue under transition. Track new bridges as designated. |
| Identity-verification providers and users | Statutory DVS trust-mark framework on GOV.UK register. | Check whether your provider is trust-marked. Update due-diligence files. |
| Any organisation receiving an ICO notice | New appeals route on points of fact, not just law. | Material change in defence strategy. Take advice before responding. |
Steps for website operators
Most small business websites do not need to change anything immediately in response to DUAA. The Act is felt primarily in institutional and structural reform. However, it is worth reviewing the following at your next annual compliance review.
Review any legitimate interests assessments you have on file. Note whether any of your purposes might fall within a recognised legitimate interest. Most will not, but it is worth confirming.
If you use international data transfers, confirm whether your transfer mechanisms (IDTA, SCCs or adequacy) remain valid under the transition provisions. The ICO has published updated guidance on transfers.
Review your UK privacy policy requirements under UK GDPR and update any references to the regulator. The ICO is now formally the Information Commission, although in practice the website and contact channels at ico.org.uk continue unchanged.
Monitor ICO guidance as the Commission adapts its enforcement and guidance publications to reflect the new principal objective and appeals framework. Tone and priorities may shift over time even where the legal rules have not.
For a current check of your website's UK data protection position, run a free scan at /uk/en/scan.