The Data Use and Access Act (DUA Act), which entered into force on 19 June 2025, represents the UK’s most substantial departure from the EU GDPR (GDPR) since Brexit. While maintaining structural alignment in some areas, the DUA Act introduces legally significant divergences particularly in Parts 3 to 6, which affect legal bases for processing, data subject rights, research reuse, international transfers, automated decision-making, and enforcement thresholds. These broadly correspond to provisions covering lawful processing, rights, oversight, and enforcement. These changes materially impact compliance obligations for UK-based controllers and processors. The Information Commissioner's Office (ICO) promptly followed with provisional guidance.
We have commented in our earlier article of the DUA Act’s introduction of new Smart Data Schemes and Digital Verification Services, establishing a new legal framework for trusted data sharing in the UK.
This article offers a legal analysis of twelve core reform areas, grounded in the DUA Act text and the ICO’s commentary, with an analysis of main divergence from the GDPR as well as practical recommendations. The twelve core reform areas examined reflect the DUA Act’s most material legal changes and regulatory divergences from the GDPR, which are the following:
1. Recognised Legitimate Interests (RLIs)
2. Purpose limitation
3. Automated Decision-Making (ADM)
4. Data Subject Access Requests (DSARs)
5. Complaints handling
6. Law enforcement and national security
7. Age Appropriate Design Code (AADC or Children’s Code)
8. Scientific, historical and statistical purposes
9. International data transfers
10. Cookies and PECR Reform
11. Information Commissioner’s Office (ICO) Reform
12. Codified convergences with EU Law
Implementation Timeline
Most of the data protection provisions in the DUA Act do not take effect automatically on Royal Assent (19 June 2025). Instead, the Act grants the Secretary of State the power to bring different provisions into force by way of statutory instrument, allowing for staggered commencement across several months.
- Provisions already in force: The creation of the new Information Commission and the revised strategic governance framework (Part 5 DPA 2018) came into force immediately.
- Due to come into force 19 August 2025 (two months post-Royal Assent): Amendments to the ICO’s investigatory powers, such as the ability to request documents as well as information.
- Expected later in 2025: Provisions relating to:
- Recognised Legitimate Interests (Schedule 1),
- Further processing and compatibility reforms (Schedule 2),
- Subject access reform (including adjustments to Article 15 UK GDPR), are expected to come into force following the publication of secondary legislation and ICO guidance.
- Staggered implementation likely for:
-
- Automated decision-making provisions (Articles 22A–22D) which introduces layered safeguards and is expected to be phased in following sector consultation.
- international data transfer reforms, including the new “not materially lower” standard for adequacy and alternative safeguards under amended Articles 45–47.
- PECR amendments, especially changes to the cookie consent regime and the alignment of PECR fines with UK GDPR maximums, which may require industry consultation or updates to related codes of practice.
Comments
The DUA Act marks a decisive step away from the EU GDPR, asserting the UK’s autonomy over its data protection framework. The reforms reflect a strategic prioritisation of innovation, regulatory flexibility, and administrative simplification, often at the expense of harmonised interpretation. Multinational organisations must reconfigure policies, processes, documentation and controls to reflect this shift while continuing to meet the stricter contextual requirements of the EU GDPR.. Navigating dual regimes now requires a bifocal legal strategy: one eye fixed on divergence to capture the opportunities and manage the risks of UK-specific reforms, and the other on convergence to preserve interoperability and reduce fragmentation across borders.
Next Steps
We are closely monitoring the implementation of the DUA Act and its implications across UK sectors. Further commentary on specific provisions will be published in due course. If you have any questions arising from this article, would like to arrange a training session, or require support in aligning your policies, documentation or contracts with the new regime, please contact us.