Back to Blog
LegalTech & IA

One Year of the Data (Use and Access) Act: Has the UK Finally Cracked the Code on Privacy and Innovation?

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
July 7, 2026
10 min read
One Year of the Data (Use and Access) Act: Has the UK Finally Cracked the Code on Privacy and Innovation?

What is the Data (Use and Access) Act and why should you care?

The Data (Use and Access) Act (DUAA) came into force in the UK on 19 June 2025, replacing parts of the UK GDPR with a more flexible framework. It aims to balance data protection with innovation, introducing new obligations for organisations and new rights for individuals. Think of it as the UK's attempt to build a data highway that's both safe and fast—no more crawling through the potholes of outdated regulations.

One year in: the good, the bad, and the confusing

So, has the DUAA delivered on its promises? Let's look at the highlights. On the plus side, the Act introduces clearer rules for scientific research, allowing data to be reused more easily without consent in certain cases. It also creates a new 'data adequacy' framework for international transfers, which is a relief for businesses that were sweating over Brexit-related data flows. But it's not all sunshine. The Act's 'legitimate interests' provisions are still a grey area, and many organisations are struggling to interpret them without a roadmap. It's like being told you can drive faster, but the speed limit signs are written in invisible ink.

New obligations: what your business needs to do now

If you're a data controller or processor in the UK, the DUAA brings several new requirements. First, you must appoint a senior individual responsible for data protection (a 'Data Protection Officer' equivalent). Second, you need to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, which is not new but now has stricter timelines. Third, the Act introduces a new 'data subject access request' (DSAR) regime with tighter response times—down from one month to 21 days. Yes, you read that right. So, if your current DSAR process involves a lot of manual digging and coffee breaks, it's time to automate.

Opportunities for innovation: the silver lining

The DUAA isn't just about compliance; it's also designed to spur innovation. For example, it creates a 'data sharing' framework for public and private sectors, making it easier to use data for public benefit (think health research or smart city projects). It also introduces 'data trusts' as a legal structure for collaborative data governance. If you've ever wanted to share data with competitors for a common goal without fear of antitrust or privacy violations, this is your chance. Just remember: with great power comes great responsibility—and a lot of paperwork.

Practical tips for staying compliant (and sane)

  • Update your privacy notices to reflect the new lawful bases under the DUAA.
  • Review your international transfer mechanisms—the new adequacy decisions are a good start, but don't assume they cover everything.
  • Invest in automated DSAR tools to meet the 21-day deadline.
  • Train your staff on the new rules, especially around 'legitimate interests' and 'research exemptions'.

And if you're feeling overwhelmed, remember: even the ICO admits it's still learning. The key is to stay informed and adapt. For official guidance, check the ICO's DUAA page.

FAQ

Does the DUAA replace the UK GDPR entirely?

No. The DUAA amends and supplements the UK GDPR, but the core principles remain. Think of it as an upgrade, not a replacement.

What are the penalties for non-compliance under the DUAA?

The maximum fine remains the same as under UK GDPR: the higher of £17.5 million or 4% of annual global turnover. So, still painful.

Can I still rely on EU Standard Contractual Clauses for UK data transfers?

Yes, but only if you've completed a transfer risk assessment. The ICO has published its own 'International Data Transfer Agreement' as an alternative.

DUAA Compliance Checklist

  • Appoint a senior data protection lead
  • Update privacy notices for new lawful bases
  • Review international transfer mechanisms
  • Implement automated DSAR process (21-day response)
  • Conduct DPIAs for high-risk processing
  • Train staff on legitimate interests and research exemptions

Check off each item as you complete it. Still need help? The ICO offers a self-assessment tool.

NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.