Relevant DUA Act Provisions: sections 75 to 79, inserting new Article 12A UK GDPR and a new Section 45A in the DPA 2018
The DUA Act introduces targeted reforms to DSAR handling under UK GDPR, without altering the fundamental right of access. Key reforms include:
- Reasonable and proportionate search: A new paragraph in Article 15(1) UK GDPR provides that the data subject is only entitled to such confirmation, personal data and other information “as the controller is able to provide based on a reasonable and proportionate search.” This introduces a statutory limit on the scope of the searches a controller must carry out and codifies a standard previously found only in ICO guidance and case law. The meaning of “reasonable and proportionate” is likely to be disputed in practice and may require further guidance from the ICO.
- Clarified scope of the data copy: Article 15(3) is also amended to clarify that the “copy” of personal data undergoing processing must correspond to the information that the controller is reasonably required to provide under paragraph 1. This helps define the controller’s disclosure obligations and limits over-disclosure.
- Stop-the-clock provision: A new Article 12A(1) allows controllers to pause the one-month deadline for responding to a DSAR while they are waiting for identity verification, for clarification of the scope of the request, or for payment of a fee (where a fee is charged because the request is manifestly unfounded or excessive). This formalises the “stop-the-clock” position previously found only in ICO guidance.
- Retention of “manifestly unfounded or excessive” threshold: Section 75 amends section 53 of the DPA 2018 regarding manifestly unfounded or excessive requests. It confirms that controllers may still refuse a DSAR, or charge a reasonable fee, where the request is manifestly unfounded or excessive, consistent with the existing UK GDPR Article 12(5). However, the criteria for determining what is “reasonable” remain undefined in the primary legislation and will likely be clarified in ICO guidance or case law.
- Legal professional privilege exemption: The Act inserts a new Section 45A into the DPA 2018, establishing a statutory exemption from subject access rights for information protected by legal professional privilege (LPP). Where LPP is claimed, the controller must inform the requester that the exemption has been relied on (unless doing so would itself breach LPP or another duty of confidence), and must keep a record of the decision for review by the ICO on request. This amendment offers clearer protection in cross-border contexts where privilege doctrines may differ.
Divergence
These reforms confirm a UK-specific approach by codifying limits on searches and formally recognising the LPP exemption, while retaining alignment on the core right of access. The new language around “reasonable and proportionate search” diverges from the open-ended EU GDPR obligation and may result in narrower disclosure in borderline cases.
ICO Commentary
In its public guidance, the ICO welcomed the DSAR amendments as aligning the law enforcement and general processing rules, and as providing greater clarity and procedural safeguards for controllers. The ICO also emphasised that controllers must explain refusals or redactions clearly and inform data subjects of their rights to complain or appeal, including where LPP is invoked.
Recommendations
- Review and update DSAR policies and staff training to reflect the new “reasonable and proportionate search” standard.
- Implement formal “stop-the-clock” procedures and maintain clear audit trails when pausing the response period.
- Ensure clarity in redaction procedures for LPP, including legal documentation and decision recording under Section 45A DPA 2018.
- Revise privacy notices to reflect the amended wording in Articles 15(1) and 15(3).
- Monitor forthcoming ICO guidance on “reasonable and proportionate” searches and on the procedural safeguards under the new LPP exemption.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which received Royal Assent on 19 June 2025 and is being brought into force in stages. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are: 1. Recognised Legitimate Interests (RLIs)