
How to Prepare for the Data (Use and Access) Act 2025

By Nathan Swaffield 3 December 2025 10 min read

As we approach the end of 2025, the UK’s data protection landscape is undergoing its most significant transformation. The Data (Use and Access) Act 2025 (“DUAA” and “the Act”) received Royal Assent on 19 June 2025, and its phased implementation will impact organisations throughout the Christmas period and into the new year.  

While many are busy wrapping up for the holidays (t-minus three weeks for those who still haven’t started their Christmas shopping), the Bridewell data privacy elves will be working diligently behind the scenes, keeping a watchful eye on the changes, so you can enjoy the festivities knowing you’ll not miss any key implementation deadlines. 

And now that the obligatory festive joke is out of the way… this blog outlines what organisations can expect, key dates to be aware of, and practical steps to maximise the opportunities that the Act presents. 


Recap: What is the Data (Use and Access) Act (DUAA)?

The DUAA amends, but does not replace, the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 18”), or the Privacy and Electronic Communications Regulations (“PECR”). It does so with the objective of promoting innovation, streamlining compliance, and clarifying obligations for organisations. 

The changes brought about by the Act will be implemented in phases between June 2025 and June 2026, with several key provisions coming into force over the winter and early 2026. You can find more detailed information on the Act in our previous blog on the DUAA.


Key Dates for the DUAA 

November 27th, 2025 

The Information Commissioner’s Office (“ICO”) consultation on the new ‘charitable purpose soft opt-in’ rules closes. 

Previously, only commercial organisations had the ability to use the ‘soft opt-in’ under PECR, which allowed organisations to send email and text marketing to individual subscribers if they have previously purchased, or expressed an interest in, similar goods or services. This has now been extended to charities and not-for-profits. 

December 27th, 2025 

The EU Commission’s UK adequacy decisions expire. 

When the UK was part of the EU, personal data could move freely between the UK and EU member states. This changed after Brexit. In 2021, the European Commission granted the UK two adequacy decisions, allowing data transfers from the EU to the UK under both the EU GDPR and the Law Enforcement Directive. These adequacy decisions are set to expire on 27 December 2025. However, the Commission published a draft decision proposing to extend the UK’s adequacy status for another six years, stating that the UK’s data protection standards remain “essentially equivalent” to those in the EU. This review also took into account the DUAA. 

Winter 2025 / Early 2026 

The ICO has announced that they intend to issue additional guidance on: 

  • Data sharing for scams and frauds 

  • The new lawful basis of ‘recognised legitimate interests’ 

  • Changes to the right of access (otherwise termed ‘subject access requests’), such as conducting only “reasonable and proportionate” searches, and relevant exemptions (i.e. manifestly unfounded and excessive requests) 

  • Cross-border data transfers 

  • Regulatory expectations for complaints handling (including the use of online forms and other mechanisms to receive complaints) 

  • Purpose limitation and instances in which a ‘compatibility test’ would not be required

  • Direct marketing and PECR. 

The ICO will also launch consultations on: 

  • Its update to the Automated Decision-Making (ADM) and Profiling Guidance, which is expected to cover the use of legitimate interests as the legal basis for processing non-special category data 

  • Research, Archiving and Statistics provisions updates. 

January 2026 

The following main changes to data protection legislation (Part 5 of the Act) come into force: 

  • Expanded legal bases upon which non-special category data can be subject to automated decision-making 

  • Recognised legitimate interests 

  • Expanded definition of ‘research and scientific purposes’ to “…include any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity” 

  • New data protection test for undertaking international transfers (i.e. replacing the “essentially equivalent” standard with a “not materially lower” threshold) 

  • Changes to subject access requests 

  • Additional obligations on controllers providing online services that are likely to be accessed by children, requiring them to protect and support children when designing the services. 

23 January 2026 

The ICO’s consultation on data protection enforcement procedural guidance closes. 

How Can You Prepare for the Data (Use and Access) Act? 

You can prepare for the DUAA by following the five steps below. 

  1. Establish a procedure for handling complaints from data subjects about how their personal data is processed and consider making available an electronic complaints form (e.g. on your website and linked in your Privacy Notice). 

  2. Review and update your procedures for responding to Subject Access Requests, to take advantage of the requirement to conduct ‘reasonable and proportionate searches’ for individuals’ personal data. 

  3. If you’re a charity or not-for-profit organisation, review how the expansion of the soft opt-in rule can support your direct marketing and fundraising activities, and tailor your campaigns accordingly. 

  4. Undertake a scan of your cookies and tracking technologies, identify any instances where consent is no longer required, such as those that meet the criteria for the ‘statistical purposes exception’ or ‘appearance exception’, and update your cookie banner configuration and cookie notice accordingly. 

  5. Integrate trigger questions into your ‘Data Protection by Design and Default’ processes to embed a risk-based approach to conducting transfer risk assessments. Amongst other factors, questions should include: 

     a) Does the destination country have an adequacy decision? 

     b) If not, considering the nature and volume of data, is the transfer likely to pose a low risk to data subjects? 


How Bridewell Can Help 

As part of our DPO as a Service or Data Privacy Consultancy services, we can help you meet your compliance obligations under the DUAA.  

  • DUAA Data Privacy Programme Impact Assessment – Evaluate how the legislation may affect your organisation. 

  • Cookies and AdTech Audit – Assess compliance with consent requirements and identify opportunities to rely on legitimate interests (as opposed to consent). 

  • Advisory and Implementation Support – Advisory on updating your Privacy and Cookies Notices, Record of Processing Activities (“RoPA”), and Data Subjects’ Rights procedures.  

  • Training, Awareness & Communications – Build understanding and readiness within your organisation.  

If you have questions or would like to discuss how these changes may affect your organisation, please get in touch with the Bridewell team. 

Nathan Swaffield

Senior Lead Data Privacy Consultant