Book a Call

New Data Related Regulations

2025 saw the introduction of new data related regulations. The Data (Use and Access) Act, or DUAA, gained royal assent in June 2025 and affects current legislation found within the Data Protection Act and the Privacy and Electronic Communications Regulation.

The DUAA does not replace these two Acts; however, it does overlay more definition about how things are meant to work. Some things make it easier for businesses, and other types of “non-legal person”, and other things make it harder for them. Just as a reminder a legal person is an individual (whether they are born in the UK, or the EU) and, therefore, everything else, a business, charity, club, association, etc. is a non-legal person.

The main points that relate to these changes are below.

Making Things Easier

Now that’s sorted there are some things that might brighten your day.

  • The DUAA recognises a new lawful basis of processing. It’s called “recognised legitimate interest” and covers one of the gaps between “legitimate interest” and “vital interest”.
  • It allows you to provide information to Public Organisations while they perform their duties without having to consider restrictions related to data sharing. This is specific to Public Organisations, and they must make a determined effort to ensure that they have the right to request personal information form you in the first place.
  • Previously it was a requirement of the Data Controller to ensure that permission had been sought to use personal information in each process to complete all interactions with the individual. Now you can automatically use the “Assumption of Compatibility” feature in the DUAA to automatically re-use certain pieces of information in other processes.
  • Charities will benefit from a “Soft Opt-In” feature to enable them to send electronic marketing to any individual that supports them. As usual, individuals will be able to object to this type of marketing and the charity will have to respect this decision and stop send such marketing when any individual makes this request.
  • There will be a reworded Legitimate Interest test available to help decide when Legitimate Interest can be used within marketing.
  • It will be made clearer that “Subject Access Requests” (SARs) require “reasonable and proportionate” searches form information upon receipt of a SAR from an individual.

Tightening Up Definitions

Evidence that you have considered the implications of utilising the above enhancements and not infringing any other rights.

  • It will provide information on when certain types of cookies can be used without getting consent. This will be centred on those cookies that are used for statistical purposes and those that may improve the functionality, or performance, of your website.
  • It will provide the ability for an individual’s personal information to be re-used for scientific research purposes without giving them a privacy notice. There is no information at the time of writing this article as to what the boundaries of what this may be, other than saying such use would not involve any disproportionate effort on the information holders.
  • It will make the definitions relating to scientific research clearer and will provide what will be classified as “broad consent” to an area of scientific research.
  • It will also define, or help to define, areas of “Automated Decision Making” that can be used when processing personal information as long as you apply appropriate safeguards. Be warned though, this element of the DUAA will not be allowed where processing of Special Category Data would be required anywhere in the process.

Allowed Innovations

As long as you have not conflict with the concerns listed above you may:

  • Use personal information for specified areas of scientific research.
  • Adjust Privacy Notices to comply with the revised framework.
  • Review which processes may use Automated Decision Making. It has also not been made clear which requests will still be available to individuals, like the right to object and the right to request a review of any decision made by an automated process by an individual.
  • As long as you explain the purpose of your cookies (and comply with all required safeguards), you may be able to capture more information and expand what you classify as essential cookies.
  • The potential to allow digital identity and verification services.

Other New Developments

It isn’t all plain sailing and individuals will, with what some see as enhanced protection, should be assured that:

  • The Age-Appropriate Design Code will be fully explained and such that processes will be expected to be fully considered. While this is specifically designed to help with processing of data relating to children and online services, the full explanation of the Code may go further.
  • A new offence relating to the creation of an unsolicited, and non-consensual, intimate image will be outlined. This will include, but may not be limited to, AI generated images.
  • To provide responses to complaints pertaining to processing of personal information within specific timelines This may refer to the aims contained within BS 8543, but this is unclear at the moment. Consider what you may need to do to meet these new requirements.
  • Documentation to reflect the changes in what is going to be allowed will have to be in place.
  • The DUAA also allows the ICO to change its structure and provides new powers for them to assist everyone through their investigations.

Timeframe for Implementation

This is the trickiest bit. As usual there is not a fully publicised timetable where the individual elements on the DUAA will become fully applicable. If you’re like us you’d want to know what’s coming and start making any required changes now.

Starting is very important as you define the journey to be taken, but it allows the final destination to change.

We are in the same boat as everyone else

Please feel free to look through the other blogs here, or use our chat bot to ask some burning questions. The information you want may well have been provided already. Some of what I provide is very detailed.

We would be pleased to answer your enquiry through email at enquiries@eyebray.com, by calling 0743211611, or by using https://meetings.hubspot.com/eyebrayltd to see when I am free.