Need an update on what’s happening with DUAA? Now that the legislation is in the later stages of its commencement plans, it’s a good time to discuss what changes this bill has brought and what will happen over the first half of 2026.
What is the Data (Use and Access) Act?
What can enterprises expect from DUAA?
Staying informed about latest DUAA developments
Need an update on what’s happening with DUAA? Now that the legislation is in the later stages of its commencement plans, it’s a good time to discuss what changes this bill has brought and what will happen over the first half of 2026. In this article, we’ll go over what DUAA is, key changes and a timeline for the remaining stages in the Department for Science, Innovation and Technology’s plans for roll-out.
Otherwise known as DUAA, it’s a piece of legislation which builds onto the data protection and privacy legislation in the UK; it is not to be mistaken for a replacement of the General Data Protection Regulation Act (GDPR) of 2018 or the Privacy and Electronic Communications Regulations (PECR) of 2003.
The bill includes updates on digital information laws in the UK. The goal of DUAA is, as stated in government guidance, to improve innovation and economic growth and to simplify rules for organisations. These changes made by DUAA are expected to give businesses an avenue to do things differently instead of following definitive changes to meet legal compliance.
Key changes being made by DUAA are more permissive towards organisations’ ways of handling user data. Some examples include the introduction of the permission for organisations to use storage and access technologies like cookies without explicit consent in the case of “certain, low-risk situations”; a “stop-the-clock” procedure which means organisations can pause their response time for subject access requests if more information is needed; and “legitimate interests”, which allows businesses more freedom to process personal data for certain, ‘legitimate’ reasons such as crime prevention, safeguarding and emergencies, amongst several other changes which we will review in this article.
4 stages have been announced for the provisions to commence over the course of approximately a year’s time from when the bill receives Royal Assent (which occurred on 19th June 2025).
On 20th August 2025, the first stage was brought into force. Notable commencements also include:
Further details on the legislative sections put into action in this stage can be found at legislation.gov.uk, with some explanatory notes, which expand and clarify the commencements at stage one.
Stage 2 came into force on 30th September 2025. The number of changes at this stage is minimal but no less impactful.
With this particular stage, section 124 amends the 2023 Online Safety Act (OSA), which includes the commencement of the majority of the measures on digital verification and the retention of information by internet service providers when in connection to the passing of a child.
Stage 3 regulations are set to be enacted approximately 6 months after Royal Assent; this focuses on provisions of information about health and adult social care in England (seen in part 7 of the bill) and the main changes to data protection legislation, which are seen in part 5, with the exception of section 103, which is regarding complaints by data subjects.
The final stage listed in the DUAA commencement plan is stage 4, which is said to take place more than 6 months after Royal Assent. This stage is expected to be enacted in early 2026. This is the final sstage;it includes provisions that require a longer lead time to implement. Which are:
Changes listed by GOV.UK:
This legislation allows organisations to make decisions on a wholly automated process in situations where there are legal or similarly significant effects on individuals, which allows decisions to be made in wider scenarios.
With this change, safeguards have to be included to give people the chance to challenge any decision-making about them. The safeguards set out are listed to be:
However, it should also be noted that these safeguards will not apply when it’s to protect national security or when preventing obstructions of justice.
As mentioned before, DUAA introduces a “stop-the-clock” rule. Organisations, if they require more information from the requester, can pause their response time for subject access requests, which is when an individual requests access to a copy of their personal data held by an organisation.
Rules require that online services which are likely to be accessed by children consider protection and support measures when designing their services.
DUAA now classifies commercial research as also ‘scientific research’. While further safeguards have been put in place to protect personal data within research, it still means that researchers now have broader access to areas of related research.
Legitimate interests are data that organisations can have access to without needing explicit consent on grounds of reasonable, justifiable interest for processing. Now, organisations have legal ground to process this personal data with DUAA. As long as fundamental rights are not infringed upon in the process.
However, what counts as legitimate interest can be quite broad, even more so in a B2B context. Whilst in government guidance, scenarios such as crime prevention and emergency response are listed; legitimate interest can also be for “commercial interests, individual interests or broader societal benefits”.
DUAA simplifies and clarifies the rules on transferring personal data internationally, which will be particularly helpful to SMEs, as many third-party apps and cloud software are used in processing servers outside of the UK.
Organisations will have to respond and handle complaints from those concerned with the way data is being used, for example, if it potentially breaches data protection legislation. This can be done via an e-complaint form and then following up with the individual in order to provide the outcome of the complaint.
Cookies and other storage and access technologies are now accessible to organisations without the explicit consent of the user in low-risk scenarios.
The Data Protection Act has been amended to support more efficient and closer teamwork between law enforcement and UK intelligence agencies to safeguard national security.
The ICO and GOV.UK have mentioned numerous times how DUAA will foster innovation, but what can enterprises and consumers expect from these changes?
Businesses now have the chance to carry out better research to understand audiences thanks to the clearer classification of what and when personal information can be used for scientific research, which includes commercial research, as well as the clarification that users can give "broad consent".
Organisations will be able to reuse personal data for scientific research without needing to provide a privacy policy “if that would involve a disproportionate effort” if they continue to maintain the users’ rights by publishing a notice on the website to explain what is being done.
With the exception of certain personal data categories such as race, ethnicity, religious beliefs, etc., with safeguards in place, legitimate interests can be used lawfully in order to process personal information to facilitate substantial automated decision-making.
Certain cookies are also allowed to be set without needing direct consent from users to collect statistical information and to improve web functionality.
The best sources to familiarise yourself with DUAA and its changes are through following the legislation on GOV.UK and their guidance on DUAA changes for an accessible summary of the key changes.
The current version of the bill is available for download and provides all the necessary details on changes that the legislation will make.
For updates on updates and commencements of the bill in the remainder of 2026, a resource to refer to would be the GOV.UK guidance “Data Use and Access Act 2025: plans for Commencement”.
With the introduction of this act, the Information Commissioner’s Office (ICO) are also working on new guidance and have since published their own guide on DUAA, which goes over the changes that organisations may experience from this bill.
If your brand is looking to leverage DUAA laws or concerned about how this may impact your next promotional campaign, speak with one of our promotional experts at +44 (0) 203 80 555 36 or email hello@promotionsinteractive.com for a free, no-obligation chat.
We’re happy to answer any of your questions or to tell you more about what we do and how we could support your next promotional campaign.
