
# The Data (Use and Access) Act

### Contents

* [1. What is the Data (Use and Access) Act?](#id-1.-what-is-the-data-use-and-access-act)
* [2. DUAA's Notable Changes](#id-2.-duaas-notable-changes)
  * [A. Automated Decision Making](#a.-automated-decision-making)
  * [B. Smart Data Schemes](#b.-smart-data-schemes)
  * [C. Research](#c.-research)
  * [D. Legitimate Interests](#d.-legitimate-interests)
  * [E. Digital Verification Services](#e.-digital-verification-services)
  * [F. Data Subject Rights](#f.-data-subject-rights)
  * [G. International Data Transfers](#g.-international-data-transfers)
* [3. What now? Action points for your business](#id-3.-what-now-action-points-for-your-business)

### 1. What is the Data (Use and Access) Act?

**This regulation is applicable if your business has UK users.**

In June 2025, the first major post-Brexit reform in the UK was passed by Parliament: the Data (Use and Access) Act (DUAA). The Act amends UK GDPR and the Data Protection Act 2018. The DUAA applies to all companies incorporated within the UK. In addition, it governs organisations incorporated elsewhere that process the personal data of individuals within the UK.

The Act’s purpose is to promote innovation and ease, particularly for SMEs and charities. The hope is to make GDPR feel less risk-ridden to work with through rule clarification and simplification. In tandem, some of the compliance burdens of GDPR are eased to facilitate research and innovation, and to smooth the way for the use of AI.

For AI startups, its provisions are particularly relevant. AI-driven tech, smart data frameworks, digital verification services and cookie compliance are all preoccupations of the Act.

### 2. DUAA's Notable Changes

The DUAA makes notable changes to the laws around:

A. Automated Decision Making (ADM)

B. Smart Data Schemes

C. Qualifying ‘research’ (and accompanying exemptions)

D. Qualifying ‘legitimate interest’

E. Digital Verification

F. Data Subject Rights

G. International Data Transfers

#### A. Automated Decision Making

For tech startups, perhaps the most significant reforms made by the DUAA are those around Automated Decision Making (ADM), where a significant decision about an individual is made solely by automated processing, without meaningful human involvement in that decision.

Under GDPR, businesses' use of ADM is tightly restricted. Its use is prohibited in the majority of cases, for instance in recruiting or credit checks.

The DUAA introduces four new articles (22A-D) to replace Article 22 of UK GDPR. These stipulate that:

* ADM is no longer restricted unless ‘special category’ data is being processed.
* This removes the need for one of the three previous conditions (explicit consent; contractual necessity; or authorisation by law) in order to apply ADM in many more cases.
* Certain safeguards are integrated. Data controllers must:
  * inform the individual of the automated decision;
  * allow individuals to make representations;
  * offer the right to seek human intervention; and
  * enable them to challenge the decision.

These reforms are likely to allow accelerated deployment of AI-driven products and services. Since the new Act is less strict than GDPR, the ADM reforms could allow for more flexibility for startups that fall under the UK DUAA.

#### B. Smart Data Schemes

The DUAA also introduces an empowering provision which lays the ground for secondary legislation to facilitate ‘smart data schemes’. Looking ahead, we can prepare for how these schemes allow traditional barriers between sectors to become permeable. Initially, it’s targeting financial services, energy, telecoms, transport, retail loyalty programmes and homebuying services, but this will likely develop to include more sectors.

The new framework allows greater intersector portability of personal data and non-personal data (such as usage data and business data). This is great news for SMEs in particular since they can benefit from easier access to business data held by service providers and reduced switching costs - no big tech overheads or overhauls required. There is also plenty of room for new products and services which make the most of this interoperability between sectors.

Open banking illustrates the potential here. By allowing start-ups and non-bank providers access to previously siloed data, open banking not only motivates innovative fintech solutions but gives SMEs more immediate agency over their finances with the ability to aggregate accounts, access real-time insights and streamline payment processes.

#### C. Research

The DUAA also clarifies that ‘scientific research’ may include commercial research. Exemptions can therefore apply to data used in this research. In certain contexts where data is further processed downstream and providing a notice would involve ‘disproportionate effort’, the Act permits researchers not to provide transparency information. It also clarifies that individuals can give ‘broad consent’ to the use of their data in an area of scientific research.

#### D. Legitimate Interests

The DUAA gives businesses new lawful bases for processing personal data by clarifying and broadening recognised legitimate interests (LIs). An established list of recognised LIs removes the need for organisations to carry out LI assessments/balancing tests in many scenarios.

This list includes: intra-group personal data transfers; processing for IT and network security; and public task interests, such as safeguarding, preventing crime and public security and defence.

#### E. Digital Verification Services

The DUAA’s reforms around digital verification services (DVS) ease the way for platforms needing fast, secure verification (during, for example, customer onboarding or security checks). According to the press release, the reforms will give DVS services ‘the ability to get certified against the government's stringent trust framework of standards, and receive a 'trust mark' to use as a result.’ This certification aligns with the UK Digital Identity and Attribute Framework and clearly signals the trustworthiness and compliance of the DVS to any business that uses its services.

#### F. Data Subject Rights

A number of clarifications and changes are introduced in terms of data subject rights. Individuals have the right to complain to a data controller directly, before ICO involvement. The DUAA also heralds a series of new child-specific protections, particularly relevant for any startup working with educational or child-focused tech.

DSARs have also had their timescale relaxed. Businesses may 'stop the clock'. This allows them to pause the one-month deadline for responding to a DSAR if they need to await necessary clarifications from the requester. The response period resumes once the required information is provided.

#### G. International Data Transfers

The Act establishes a new test for assessing the adequacy of data protection overseas. Rather than requiring that the other jurisdiction’s data protection measures be ‘essentially equivalent’ to UK standards (as is the measure in EU GDPR), the DUAA asks that the other jurisdiction’s protections are ‘not materially lower’ than those of the UK. Accordingly, the Secretary of State has greater discretionary power to determine which countries are adequate for data transfer. The less stringent bar may facilitate more transfers, but also more blacklisting.

Existing transfer mechanisms (standard contractual clauses) remain valid, but they are not mandatory if this new test is met. In practice, this means one less contract that parties need to agree on. That said, the DUAA’s reforms show a potential divergence from EU adequacy rules which demands close attention. Businesses may well want to align with both GDPRs in order to avoid the fallout from any UK-EU misalignment here.

Overall, the DUAA introduces relaxing measures which are designed to support innovation and stimulate growth in the startup space. ADM in particular is an exciting and fertile space. Excitement, though, as so often, comes with volatility, and careful attention to ICO guidelines and parliamentary factsheets is certainly worthwhile as the fresh legislation settles in.

### 3. What now? Action points for your business

* [ ] Explore new areas where ADM could add value such as automating routine decisions.
* [ ] Keep an updated inventory of all existing ADM systems used in your products or services for quick referral and compliance checks.
* [ ] Consider the potential which data sharing schemes could hold in your organisation.
* [ ] Explore new products that utilise shared data (e.g. personalised financial advice, market comparisons and automated switching services).
* [ ] Keep an eye on government consultations. This way you can influence policy and move with the market.
* [ ] If your business uses personal data in research and development, it qualifies for research exemptions. Review data processing plans to determine any benefits from the new data protections under the research bracket.
* [ ] Investigate whether your data usage features on the established LI list - if it is covered, streamline or remove the balancing test per DUAA provisions.
* [ ] Keep an eye on changes made to the LI list through secondary legislation.
* [ ] Explore the landscape of different DVS providers, considering whether using one would be worthwhile for your business.
* [ ] Fortify a careful, centralised process for handling complaints from individuals. Practically, this could involve an online complaint form and perhaps a process for informing an individual about the trajectory of their complaint.
* [ ] Make sure you have a clear record of how personal data currently crosses borders: intra-group transfers, cloud services, partner relationships, etc.
* [ ] Keep an eye on evolving adequacy decisions and ICO guidance.
* [ ] Make sure your safeguarding measures are kept up (e.g. human-in-the-loop processes and mechanisms to properly engage with user challenges to data processing/ADM).
* [ ] Update privacy policies, DPIAs and transparency mechanisms to reflect altered data flows as a result of the above changes.
* [ ] Consider appointing a DPO/Privacy Partner to assist with the above tasks and ongoing smart privacy protection.

