
UK's Data and Use Act 2025: A New Landscape for Data Subject Rights

  • Writer: Ira Goel
  • Jul 1
  • 6 min read

The United Kingdom's new Data and Use Act 2025 (DUAA) introduces targeted but significant reforms to the rights of data subjects, marking a distinct evolution from the framework established by the EU's General Data Protection Regulation (GDPR) and the UK's Data Protection Act 2018 (DPA 2018). While not a complete overhaul, the DUAA recalibrates the balance between individual rights and organizational burdens, aiming to foster innovation and reduce administrative friction. These changes will require organizations to reassess and, in some cases, reconfigure their data protection policies and procedures.


The most substantial impacts on data subjects and organizations center on the handling of Subject Access Requests (SARs), the rules governing automated decision-making, and the introduction of a formalized complaints process before involving the Information Commissioner's Office (ICO).

 

Comparison of Data Subject Provisions: DUAA vs. UK DPA / EU GDPR

Right of Access (Subject Access Requests - SARs)

  • EU GDPR & UK DPA 2018: Data subjects have the right to obtain a copy of their personal data. Controllers can only refuse a request if it is "manifestly unfounded or excessive."

  • Data and Use Act 2025 (DUAA): The threshold for refusal is changed to "vexatious or excessive." The DUAA codifies that controllers are only required to conduct a "reasonable and proportionate search" for the requested information.

SAR Time Limits

  • EU GDPR & UK DPA 2018: A one-month period to respond, extendable by two months for complex or numerous requests.

  • Data and Use Act 2025 (DUAA): Introduces a "stop the clock" provision, allowing organizations to pause the response time while awaiting clarification from the data subject.

Right to Object to Automated Decision-Making

  • EU GDPR & UK DPA 2018: Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or similarly significant effects, unless it is necessary for a contract, authorized by law, or based on explicit consent.

  • Data and Use Act 2025 (DUAA): Eases restrictions on solely automated decision-making. Such processing is now permissible under a wider range of lawful bases (not just contract, law, or consent), provided it does not involve special category data and that robust safeguards are in place.

Safeguards for Automated Decision-Making

  • EU GDPR & UK DPA 2018: The right to obtain human intervention, express their point of view, and contest the decision.

  • Data and Use Act 2025 (DUAA): Strengthens and clarifies safeguards. Data subjects must be informed about the decision, be able to make representations, challenge the decision, and obtain human intervention.

Right to Complain

  • EU GDPR & UK DPA 2018: Data subjects have the right to lodge a complaint directly with the supervisory authority (the ICO in the UK).

  • Data and Use Act 2025 (DUAA): Introduces a mandatory step for data subjects to raise a complaint directly with the data controller before escalating it to the ICO. Controllers must acknowledge the complaint and respond "without undue delay."

Right to be Informed (in the context of research)

  • EU GDPR & UK DPA 2018: Information must be provided to data subjects about the processing of their data, including the purposes of processing.

  • Data and Use Act 2025 (DUAA): Controllers may not need to provide privacy information if data is being re-used for approved scientific research purposes and doing so would involve a "disproportionate effort."

 

How Do These Changes Impact Organizations?

The modifications introduced by the DUAA will have a tangible impact on the day-to-day operations of organizations processing personal data in the UK.


1. Managing Subject Access Requests (SARs): A More Pragmatic Approach

  • Reduced Burden for Complex Searches: The shift to a "reasonable and proportionate search" standard provides a legal basis for organizations to define the scope of a SAR response. This is particularly significant for large organizations or those dealing with vast, unstructured datasets where exhaustive searches can be prohibitively expensive and time-consuming. Organizations can now more confidently push back on overly broad or unclear requests.

  • Clarity on Vexatious Requests: The change from "manifestly unfounded" to "vexatious" may offer a clearer threshold for refusing requests that are intended to cause disruption or are an abuse of the right of access. However, organizations will need to carefully document their reasoning for deeming a request vexatious, as this may be scrutinized by the ICO.

  • Improved Dialogue with Data Subjects: The "stop the clock" mechanism encourages communication between organisations and data subjects. It provides a formal process for seeking clarification without the pressure of an impending deadline, potentially leading to more focused and relevant information being provided.


2. Innovation through Automated Decision-Making

  • Greater Flexibility for AI and Automation: By expanding the lawful bases for solely automated decision-making (for non-special category data), the DUAA aims to lower the barrier for using AI and machine learning for significant decisions. This could streamline processes in areas like credit scoring, fraud detection, and personalized services.

  • Increased Responsibility for Safeguards: With this new flexibility comes a greater responsibility to implement and communicate robust safeguards. Organisations will need to have clear processes for human review, appeals, and explaining the logic behind automated decisions to data subjects. Transparency will be key to building trust and ensuring fairness.


3. A New Frontline for Complaint Handling

  • Mandatory Internal Resolution: The requirement for data subjects to complain to the controller first effectively makes organizations the initial arbiters of data protection disputes. This will necessitate the establishment or enhancement of internal complaints handling procedures. Staff will need to be trained to recognize, manage, and resolve data protection complaints efficiently and in line with the DUAA's requirements.

  • Potential Reduction in ICO Investigations: For organisations with effective complaints procedures, this change could reduce the number of formal investigations by the ICO. However, it also places a greater onus on them to resolve issues satisfactorily to avoid escalation.


4. Encouraging Research and Development

  • Streamlined Use of Data for Research: The broader definition of "scientific research" to explicitly include commercial research, coupled with more flexible consent models and exemptions from providing detailed privacy information in certain contexts, will make it easier for commercial entities to leverage data for innovation. This is particularly relevant for the tech and life sciences sectors.

 

What Data Subjects Should Know About Their Rights

Data subjects should be aware of the following key aspects of their rights under the DUAA and its amendments:

  • New Data Access Rights: You have a new legal right to access your customer data from businesses you interact with (traders) and to request corrections to that data. You can also authorize other trusted services or individuals to access this data and act on your behalf. This aims to give you more control over your information held by businesses.

  • Complaint Process Changes: If you believe your data protection rights have been infringed, you are now generally required to make your complaint directly to the organization (controller) first. The organization must acknowledge your complaint within 30 days. While you can still complain to the Information Commission, the initial step is now often with the organization itself.

  • "Reasonable and Proportionate" Data Searches: When you make a data access request, organizations are only required to provide information based on a "reasonable and proportionate search" for your data. This means they don't have to undertake an exhaustive search if it's overly burdensome, so you might not receive every single piece of information, but they must still conduct a reasonable effort.

  • Legal Professional Privilege Exception: Organizations are not required to disclose information that is subject to legal professional privilege in response to your data requests. However, they must inform you if they rely on this exemption, provide reasons (unless national security is a concern), and tell you about your right to complain to the Information Commission or seek a court order.

  • Safeguards for Automated Decisions: If a decision that significantly affects you is made solely by an automated system, the organization must provide safeguards. These include giving you information about the decision, allowing you to make representations, ensuring there's a way for human review (human intervention), and allowing you to contest the decision. This enhances your ability to challenge AI-driven decisions.

  • Changes to "Cookie" Consent: While websites still need your consent for many types of tracking, there are now specific situations where information can be stored on or accessed from your device without explicit consent. This applies if it is technically necessary for a communication or for a service you have specifically requested (e.g., remembering your shopping cart). Additionally, for statistical purposes or to adapt a website's appearance to your preferences, websites may use cookies if they provide you with clear information and a simple, free way to object, and you do not opt out. Always check privacy notices and cookie banners for details on how your data is being collected and used, and exercise any opt-out options provided.

  • Information Commission's Role: The Information Commission is the new independent regulator for data protection. Its objectives include protecting your personal data, promoting public trust, and ensuring innovation and competition in data use.

  • Data Protection Legislation Still Applies: It is important to remember that the DUAA generally clarifies that new powers to process or share data do not override the requirements of existing data protection legislation like the UK GDPR and the DPA 2018, unless explicitly stated otherwise in the law. This means your core data protection rights largely remain intact and, in some areas, are strengthened with more specific provisions and safeguards.

 

In conclusion, the DUAA signals a pragmatic shift in the UK's data protection landscape. For data subjects, while their core rights remain, the process for exercising them, particularly for SARs and complaints, has been altered. For organisations, the Act offers opportunities to reduce administrative burdens and innovate, but it also imposes new responsibilities for transparency, fairness in automation, and effective internal governance of data subject rights. Adapting to this new environment will be crucial for compliant and successful data processing in the post-DUAA era. To book a consultation contact us for support with compliance and implementation.
