The UK’s Data Use and Access Act (DUAA) updates the UK’s data protection policies, amending the existing UK GDPR and PECR (Privacy and Electronic Communications Regulations). The idea behind DUAA is to make data processing easier for innovation and growth. Are you ready for DUAA?
The UK General Data Protection Regulation (UK GDPR) is the United Kingdom’s version of the EU’s GDPR. Following Brexit, the EU GDPR was incorporated into UK law via the Data Protection Act 2018, with slight amendments. While the core principles remain almost identical to the EU’s GDPR, there are important distinctions that UK businesses—and any organisation handling the data of UK residents—must be aware of. In 2025, this so-called UK GDPR became the Data Use and Access Act (DUAA).
Like the EU GDPR, the DUAA sets out strict requirements for how businesses must collect, process, and safeguard personal data. To be compliant, organisations must:
Process personal information fairly and lawfully: data collection and use must be lawful, fair, and transparent.
Collect data for specific purposes: personal data can only be gathered for clearly defined, legitimate purposes.
Appoint a data controller: an individual (or organisation) must be designated as responsible for demonstrating compliance.
Limit collection and storage: follow the principle of data minimisation, collecting only what is necessary and storing it only as long as needed.
Maintain accuracy: ensure personal data is accurate and kept up to date.
Protect data security: apply appropriate technical and organisational measures to safeguard integrity, confidentiality, and availability.
DUAA/UK GDPR applies to:
Any organisation based in the UK that processes personal data.
Any non-UK organisation that offers goods or services to, or monitors the behaviour of, UK residents.
This means that even if your business is based outside the UK, you may still need to comply if you handle UK residents' data.
DUAA/UK GDPR grants individuals a robust set of data privacy rights:
Individuals can request a copy of their personal data.
Data subjects can correct inaccurate or incomplete data.
Individuals can request deletion of their personal data.
People can limit how their data is used.
Data must be provided in a usable, transferable format.
Individuals can refuse use of their data for profiling, marketing, or other purposes.
People are protected from decisions made solely by automated means without human involvement.
Cookies remain a critical compliance issue. Under DUAA/UK GDPR and the UK’s Privacy and Electronic Communications Regulations (PECR), websites must obtain valid consent before placing most types of cookies.
Compliance requires:
Informed consent: Users must opt in to non-essential cookies.
Transparency: Clearly disclose categories, purposes, and retention periods of data collected via cookies.
Easy withdrawal: Make it simple for users to withdraw consent at any time.
For most UK websites, this means implementing a cookie consent banner that gives users genuine and clear choice.
The Information Commissioner’s Office (ICO) enforces UK GDPR. Fines can reach up to GBP 17.5 million or 4% of global annual turnover, whichever is higher. Beyond financial penalties, non-compliance risks:
Loss of consumer trust
Contractual risks if partners demand proof of compliance
Legal action from individuals
Businesses should take proactive steps to reduce compliance risk:
Review data practices: audit how data is collected, processed, and shared, ensuring compliance with DUAA.
Implement consent management: use a consent management platform (CMP) such as CookieHub to streamline cookie and consent compliance.
Check partner contracts: update third-party contracts to ensure they reflect UK GDPR obligations.
Update privacy policies: clearly explain how personal data is used, stored, and shared.
Train employees: educate staff on DUAA obligations and their role in compliance.
As a trusted consent management platform, CookieHub helps businesses simplify compliance with DUAA and PECR. From cookie consent to data transparency, CookieHub empowers organisations to manage user choices without the complexity of building compliance processes from scratch.
Thousands of businesses already rely on CookieHub to identify hidden cookies, provide transparent consent banners, and safeguard against ICO fines.
The DUAA establishes rules for how organisations in the UK may access, share, and use personal data in line with the UK GDPR. It applies to businesses and public bodies operating in the UK, as well as foreign entities that process UK residents’ data in connection with goods, services, or monitoring activities. The DUAA complements the UK GDPR by setting clearer standards for data access, particularly in regulated or high-risk sectors.
Personal data refers to any information that can identify a living individual, directly or indirectly. This includes details such as name, date of birth, address, identification numbers, online identifiers (like cookies or IP addresses), or any factors relating to a person’s physical, cultural, or social identity.
Sensitive data (legally referred to as special category data) includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health information, and details about sex life or sexual orientation. Processing this type of data under the DUAA and UK GDPR requires stronger safeguards and usually explicit consent.
The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulator. It oversees compliance with the UK GDPR, the Data Protection Act 2018, and related laws such as the DUAA. The ICO has powers to investigate, issue guidance, and levy fines for non-compliance.
The DUAA generally does not apply to individuals using personal data for strictly personal or household purposes. Certain exemptions may also apply to data processed for journalism, academic research, or national security. Additionally, specific statutory provisions may allow limited use of personal data without DUAA obligations in exceptional cases.
Guidance and official updates are available on the Information Commissioner’s Office (ICO) website (ico.org.uk). Depending on your sector, regulators such as the NHS (for healthcare) or the FCA (for finance) may provide additional resources. For in-depth advice, consulting a legal or compliance professional with expertise in UK data protection law is recommended.
©2018-2025 CookieHub ehf.