The Data (Use and Access) Act 2025 (the DUAA) proposes to make significant updates to the existing data protection framework.
But what can your organisation do to adapt to these changes and stay compliant with the new legislation?
Rhiannon Hastings, paralegal in Muckle LLP’s data protection team, outlines the top three actions you can take to avoid the risk of hefty fines or reputational damage.
Put legitimate interest assessments (LIAs) in place where needed
The DUAA sets out a list of what would qualify as a ‘recognised legitimate interest’. Once this change is in force, any purposes for processing that qualify as a recognised legitimate interest do not need to be captured in an LIA. However, any purposes for processing that fall outside this scope will still need to be documented.
If your organisation relies on legitimate interest as a lawful basis for processing, it must:
1. put an LIA in place for all purposes for processing that rely on legitimate interest as a lawful basis (if it hasn’t already); and
2. review the LIA once the change proposed by the DUAA in relation to recognised legitimate interests is in force to determine whether any purposes for processing documented in the LIA can be removed.
Create a complaints procedure
The DUAA no longer allows data subjects to submit a complaint to the ICO immediately after receiving a response to their data protection rights request (for example, a subject access request).
Instead, the data subject must submit a complaint to the organisation first, providing it with an opportunity to review the handling of the request. If, following the organisation’s response to the complaint, the data subject remains dissatisfied, they can then submit a complaint to the ICO.
Organisations will be required to implement a complaints procedure to ensure they can handle complaints of this nature. They must consider the statutory timescale (i.e. acknowledging receipt of a complaint within 30 days of receiving it) and the subsequent process for dealing with the complaint.
Muckle recommends establishing a policy that outlines a step-by-step process for handling complaints, clearly explaining how concerns of data subjects will be addressed. This policy will also serve as a valuable tool to ensure a consistent approach is taken when dealing with complaints.
Amend your cookie policy
If your organisation operates a website and wants to use the new third exception to the collection of technical and usage data using website cookies proposed by the DUAA, you may need to amend your organisation’s cookie policy and cookie pop-up.
This is to ensure that the policy and pop-up explain to website users that they will only be able to set preferences for the use of functionality and targeting cookies.
The DUAA amends the Privacy and Electronic Communications Regulations 2003 by allowing organisations to use cookies to collect a website user’s technical and usage data:
1. where a user has given their consent;
2. where the storage or access is strictly necessary to deliver a requested service (strictly necessary cookies); or
3. to collect statistical information about how an organisation’s online services are used (analytical or performance cookies).
Need further support?
For more information on the changes proposed by the Data (Use and Access) Act 2025, or if you need any support with the above steps, please contact Rhiannon Hastings by emailing: rhiannon.hastings@muckle-llp.com

