The aim of the above new Act is to simplify data protection matters for organisations, whilst continuing to protect individuals and their rights.
The DUAA makes changes to subject access request (SAR) obligations, and replaces the ICO with a new Information Commission that has new powers and complaint-handling duties. Further guidance and codes of conduct are expected throughout late 2025 and early 2026.
Main Provisions
Subject Access Requests (SAR)
When responding to a SAR, organisations need only conduct ‘reasonable and proportionate’ searches for personal data.
The timescale in which to respond to a SAR remains ‘without undue delay and within one month’, with the potential to be extended by up to two months for complex requests. However, the time limit for responding can be paused where the organisation reasonably requires further information from the data subject before responding to the SAR. Once that information is provided, the ‘clock’ for responding resumes.
Recognised Legitimate Interest
The DUAA provides a new lawful basis for processing data, ‘recognised legitimate interests’, for which a Legitimate Interest Assessment (LIA) is no longer required. It applies in certain contexts, such as fraud prevention, network security, and safeguarding children.
Automated Decision Making (ADM)
The DUAA relaxes certain restrictions on ADM, allowing its use without explicit consent in specific scenarios, provided appropriate safeguards are in place.
Cookies and Direct Marketing
Consent is no longer required for certain cookies used for website functionality, security, and service improvement, provided users are informed and given the option to opt out. This aims to reduce the burden of cookie consent banners for low-risk cookies.
For direct marketing, the Act extends the “soft opt-in” to charities, allowing them to send electronic marketing communications to individuals who have previously engaged with them, unless the individual opts out.
Enforcement and Regulatory Changes
The DUAA enhances the enforcement powers of the Information Commissioner’s Office (ICO). The ICO can now issue fines of up to £17.5 million or 4% of global turnover for breaches of PECR (Privacy and Electronic Communications Regulations), bringing penalties in line with those under the UK GDPR. Additionally, the ICO gains new powers, including the ability to compel witnesses to attend interviews and request technical reports.
The DUAA also restructures the ICO into the Information Commission, introducing a board and executive team to oversee its operations.
International Data Transfers
The DUAA introduces a “data protection test” for assessing the adequacy of third countries’ data protection standards, which evaluates whether a country’s data protection laws are “not materially lower” than those of the UK. The Secretary of State is given the authority to approve countries based on this assessment, potentially impacting international data transfers and the UK’s data adequacy status with the EU.
Right to Complain
Under the DUAA, employees now have a statutory right to submit complaints directly to organisations, and must do so before escalating the complaint to the Information Commission.
Employers must acknowledge complaints within 30 days and provide a response without undue delay. They must also investigate promptly and keep the complainant informed about the progress of the complaint.
What Practical Steps do HR Teams Need to Take Now?
In order to prepare for full compliance with the new provisions, employers should consider:
- Reviewing SAR processes and any other data protection policies, to ensure they reflect the ‘reasonable and proportionate’ standard and incorporate the ‘stop the clock’ and extension rules.
- Implementing or revising internal complaints procedures, to ensure individuals are aware of how to make a complaint and to provide a clear and swift process should a complaint be received.
- Training appropriate staff on the new rights and responsibilities under the DUAA, especially around complaint handling.
- Auditing any ADM systems in place, ensuring that individuals are clear about the use of ADM and understand their right to challenge the decisions.
We will continue to monitor Information Commission guidance and sector-specific codes, which will be published in late 2025 and early 2026, and keep you advised of best practice.