The Data Use and Access Act 2025 (DUAA) updates data protection law to help organisations use personal data responsibly while protecting individuals’ rights. Most changes give organisations opportunities to work differently rather than imposing mandatory compliance measures. The DUAA amends, but does not replace, the UK GDPR and the Data Protection Act 2018 (DPA).
Key Changes
- ‘Soft opt-in’ for charities
Charities can now send electronic marketing to people whose information they collect when someone supports or expresses interest in their work, unless the individual objects. This makes it easier for charities to engage with supporters while still respecting individual choice.
- Recognised legitimate interests
Organisations can rely on certain recognised legitimate interests to process personal information without carrying out a balancing test. This means that, for activities such as protecting public security, organisations no longer need to weigh the potential impact on individuals against the benefits of processing the data.
- Disclosures to support public tasks
The DUAA clarifies that organisations can share personal information with bodies such as the police to help them carry out public functions. Responsibility for determining the necessity of the information now lies with the requesting organisation, reducing the administrative burden on the data holder.
- Re-use of personal data
Organisations can assume that some re-uses of personal information are compatible with the original purpose it was collected for. This includes disclosing information in the public interest, even if consent was originally given for a different purpose, helping organisations respond more flexibly to new needs.
- Subject Access Requests (SARs)
When responding to requests for personal information, organisations are only required to carry out reasonable and proportionate searches. This provides clarity on expectations and reduces the risk of unnecessary work while still allowing individuals access to their data.
- Children and online services
If your organisation provides online services likely to be used by children, you must explicitly consider children’s needs when deciding how to collect and use their personal information. This ensures their rights and safety are central to data handling.
- Data protection complaints
Organisations must make it easier for people to raise complaints, acknowledge them within 30 days, and respond without undue delay. This supports transparency and accountability in how personal information is handled.
Learn more: GOV.UK – Data (Use and Access) Act 2025
Need support? Contact our Core Services Team on 0191 643 2626 or development@voda.org.uk for advice on compliance.