Context
The ICO has confirmed that the Data (Use and Access) Act 2025 (the DUAA) has received Royal Assent, so is now law. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services.
Key points to note and next actions
Changes to the law include:
- clarifying how personal information can be used for research;
- lifting restrictions on some automated decision making;
- setting out how to use some cookies without consent;
- allowing charities to send people electronic mail marketing without consent in certain circumstances;
- requiring organisations to have a data protection complaints procedure; and
- introducing a new lawful basis of ‘recognised legitimate interests’.
The Act provides the ICO with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under the Privacy in Electronic Communications Regulations (PECR).