The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law. Most of the changes in the bill offer organisations the opportunity to do things differently, rather than needing you to make specific changes to comply with the law. The changes will be phased in between June 2025 and June 2026.
The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
Key changes that impact VCSE groups and organisations –
- ‘Soft opt-in’ for charities: if you’re a charity, it allows you to send electronic mail marketing to people whose personal information you collect when they support, or express an interest in, your work, unless they object. However, you must have:
  - obtained the email address when the person offered support to, or expressed an interest in, the charity’s charitable purposes;
  - given the person the opportunity to opt out of the charity using their details when it first collected them; and
  - given the person the same opportunity each time the charity contacts them.
- Disclosures that help other organisations perform their public tasks: it allows you to give personal information to organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions. Instead, the organisation making the request is responsible for this decision.
- Children and online services: if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to the ICO’s Age appropriate design code (AADC).
- Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’.
It also clarifies or simplifies the legislation in several areas –
- New ‘recognised legitimate interests’ lawful basis: when you use personal information for certain ‘recognised legitimate interests’, it removes the need for you to balance the impact on the people whose personal information you use against the benefits arising from that use. This includes clarification that direct marketing can be a legitimate interest.
- Subject access requests (SARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information.
- Cookie rules: it allows you to set some types of cookies for your website without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website.
- Automated decision-making: it opens up the full range of reasons, or ‘lawful bases’, that you can rely on when you use people’s personal information to make significant automated decisions about them, so long as you continue to apply appropriate safeguards. This potentially includes allowing you to rely on the legitimate interests lawful basis for this type of processing. This doesn’t apply to special category data, which is more protected.
This is not an exhaustive breakdown of the new legislation, but the Information Commissioner’s Office has provided a range of breakdowns and guides for organisations. We will also be looking at updating our guidance and factsheets as the ICO produces further guidance on the new legislation. But in the meantime, if you have any questions or queries, please do not hesitate to contact our team.