Data (Use and Access) Act 2025: five key changes

NEWS – “Without Comment”

Data (Use and Access) Act 2025: five key changes for businesses

May 05, 2026

The Data (Use and Access) Act 2025 (DUAA) became law on 19 June 2025, bringing important reforms to the UK’s data protection regime, including changes to the powers and composition of the Information Commissioner’s Office (ICO), the UK’s information law regulator. Implementation of the DUAA is taking place in phases, with many provisions taking effect on 5 February 2026. A full list of key provisions coming into force can be found here.

This article focuses on new provisions under DUAA amending the UK GDPR (concerning the processing of personal data) that may be of particular interest to businesses. 

The DUAA introduces a seventh lawful basis for processing personal data under Article 6(1) of the UK GDPR: “recognised legitimate interests” (RLI). 

The categories of processing that qualify as RLIs are set out in a new Annex 1 to the UK GDPR and include:

    processing necessary for national security, public security and defence purposes;

    processing necessary for the detection, investigation or prevention of crime;

    responding to requests from bodies acting in the public interest, where the processing is for purposes laid down in law; and

    processing necessary for the safeguarding of vulnerable individuals.

Crucially, where a controller relies on an RLI, it is not required to carry out a balancing test (ie a legitimate interests assessment weighing the controller’s interests against those of the data subject). Processing must still be necessary and must comply with the wider principles of the UK GDPR, including transparency and data minimisation.

The DUAA also codifies a non-exhaustive list of personal data processing activities that may qualify under the existing legitimate interests basis, including direct marketing, intra-group sharing for internal administrative purposes, and ensuring the security of network and information systems. A full legitimate interests assessment continues to be required for these activities.

Businesses sharing personal data with the police or other public authorities in connection with crime prevention or safeguarding may now be able to rely on an RLI, removing the need for a balancing test before making the disclosure. Controllers should review their records of processing activities and privacy notices to identify where reliance on an RLI may simplify compliance. Unfortunately, though (for those seeking efficiencies in their compliance work), for many commercial processing activities a legitimate interests assessment will still be required; the RLI basis is narrow in scope.

The DUAA’s reforms are being introduced on a rolling basis. The following changes are still to come:

    19 June 2026: new complaints procedure as outlined above.

    Later in 2026: ICO governance reforms and transition to the new ‘Information Commission’ structure. Updated ICO guidance is expected.

Full Article: https://www.farrer.co.uk/news-and-insights/data-use-and-access-act-2025-five-key-changes-for-businesses/

Farrer & Co LLP

+44 (0)20 3375 7441

Posted by: Ian (D. Withers)

www.WAPI.org

Disclaimer: News items in W.A.P.I.’s “News Without Comment” section are republished articles from external sources. W.A.P.I. is not the originator of this content and does not endorse or verify the accuracy of the material. Complaints or requests for correction should be directed to the original publisher. W.A.P.I. will review any substantiated notice of defamation and, if appropriate, remove or update the content.
