Data (Use and Access) Act 2025: Top three ways to stay compliant
The Data (Use and Access) Act (DUAA) 2025 is set to introduce major changes to the UK’s data protection framework, and organisations are being urged to prepare now to ensure compliance.
Rhiannon Hastings, a paralegal in Muckle LLP’s data protection team, has outlined three key steps businesses can take to avoid the risk of fines or reputational harm.
Put legitimate interest assessments in place
The DUAA introduces a list of “recognised legitimate interests”. Once the relevant provisions come into force, processing for a purpose on that list will no longer require a legitimate interest assessment (LIA). Processing for any purpose outside the list will still need to be fully assessed and documented.
Organisations relying on legitimate interest as a lawful basis must ensure:
– An LIA is completed for all processing activities that rely on legitimate interest (if one is not already in place).
– Existing LIAs are reviewed once the DUAA comes into force, to identify whether any processing purposes can be removed due to their new recognised status.
Introduce a formal complaints procedure
Under the new rules, individuals will be expected to raise a complaint with the organisation itself before escalating it to the ICO, for example after receiving a response to a data rights request such as a subject access request.
Businesses will therefore need to implement a dedicated procedure for handling such complaints, including:
– Acknowledging receipt within 30 days.
– Following a clear, consistent process for reviewing the complaint, responding without undue delay and informing the individual of the outcome.
Muckle recommends adopting a formal policy outlining each stage of the process to ensure complaints are handled efficiently and consistently.
Update your cookie policy
Organisations operating websites may need to change their cookie policies and pop-up banners if they intend to rely on the DUAA’s new exception that allows analytics cookies to be set without consent, so that usage and performance data can be collected.
Where that exception is relied on, policies and banners must make clear that consent is being sought only for functionality and targeting cookies, since analytics cookies will no longer depend on it.
The DUAA updates the Privacy and Electronic Communications Regulations 2003 to permit the storage of, or access to, cookies when:
– A user has provided consent.
– Storage or access is necessary to deliver a service the user has requested (strictly necessary cookies).
– An organisation is collecting statistical data about how its online services are used (analytical or performance cookies).
Need support?
Further advice on the DUAA 2025 or help implementing these steps is available from Rhiannon Hastings at Muckle LLP. She can be contacted at rhiannon.hastings@muckle-llp.com.