Designed as the most consequential reform to UK data protection law since the UK GDPR, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. After a staggered introduction of its data protection provisions, the bulk came into force on 5 February 2026.
The DUAA does not replace the UK GDPR. It adjusts how parts of the regime operate, particularly around decisions that many organisations face routinely: international data transfers, the contractual documentation used to enable them, and access to personal data held by public bodies (including by international organisations, and for a range of purposes that the pre-existing UK GDPR regime did not expressly cater for).
The DUAA also introduces structured routes for certain public-to-private data flows (including Digital Verification Services and Smart Data frameworks) and rewrites the rules on automated decision-making. In doing so, it raises a wider question about the UK's EU adequacy decision and the UK's ongoing data handling.
In this article, Adrien Herbert summarises the core concepts for organisations falling under the scope of DUAA, focusing on day-to-day compliance decisions and commercial negotiations.
International data transfers
DUAA's most legally significant change to international transfers is the replacement of the 'essentially equivalent' standard with a new statutory 'data protection test'. Controllers and processors transferring personal data out of the UK must now determine whether the standard of protection in the destination country (or international organisation) is 'not materially lower' than that under the UK regime.
The long-used 'essentially equivalent' standard demanded close-to-UK-level protection in most respects, whereas 'not materially lower' tolerates greater differences, provided they are not material. The word 'material' does a lot of heavy lifting here, and lawyers generally try to avoid arguments about materiality wherever they can. DUAA is intended to support a more contextual, pragmatic assessment, including the ability to take account of legal and cultural differences in the destination jurisdiction. In practice, fewer transfer destinations should fail the test outright, and risk assessments should be quicker to complete.
Whilst this has benefits, experienced Data Protection Officers will be concerned that the effect is to loosen the safeguards by which a controller previously satisfied itself of the adequacy of a third country's regime: the new test permits non-equivalence to extend as far as the parties consider not to be 'material' at the time the transfer decision is taken.
The new regime also changes how the UK makes adequacy regulations, its 'safe destination' decisions at national level. The Secretary of State retains the gatekeeping role but now applies the softer 'not materially lower' standard and may consider "any matter which they consider relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom". The Secretary of State is therefore the ultimate arbiter of whether a third country or international organisation may receive UK personal data without further safeguards. The changes amount to a significant dilution of the protections previously afforded to large volumes of personal health, driving, education and taxation data. Practitioners expect adequacy regulations to be made more quickly over the next few years as a result.
The newfound flexibility notwithstanding, exporters using standard transfer mechanisms such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses must still complete a Transfer Risk Assessment (TRA). Here too, there are new standards: exporters must assess, “acting reasonably and proportionately”, whether the destination jurisdiction meets the data protection test. Many organisations should be able to adopt less defensive TRAs than after the 2020 Schrems II ruling in the Court of Justice of the European Union, but the obligation to perform and document the assessment remains.
Contracting and transfer templates
To the relief of many, the introduction of DUAA did not force an immediate re-papering of existing transfer documentation. Transfer mechanisms validly entered into before the relevant commencement remain effective, provided they continue to comply with UK data protection law as it stood when executed. The Information Commissioner’s Office (ICO) has indicated that organisations should continue to use the current versions of the IDTA and the UK Addendum while updates are prepared.
Organisations should not be complacent, however. New transfers initiated after commencement, even if they rely on existing template documents, must be assessed against the new statutory data protection test. In addition, the IDTA framework anticipates that transfer assessments will be kept under review, meaning the analysis behind the paperwork must move with the law even if the document itself has not yet been updated.
The ICO has signalled that a refresh of the IDTA and UK Addendum will follow in 2026, and organisations should anticipate drafting updates to their template suites and negotiation playbooks. This is likely to include updating the assessment standard across clauses, schedules and guidance text to reflect the 'not materially lower' data protection test, and revisiting the lawful-basis representations in sub-processor and onward transfer provisions so that they address 'recognised legitimate interests', a basis that does not require a balancing test.
Legal and procurement teams should note that while contract templates may not need replacing just yet, they should begin reviewing internal guidance, playbooks and negotiating positions now so that any required refreshes later in 2026 are incremental rather than disruptive.
Access to public sector personal data
Organisations seeking personal data held by public bodies for a public-interest use case now have additional 'levers' under the DUAA. The key concept is a new lawful basis under Article 6 UK GDPR called "recognised legitimate interests". The purposes covered by the category include:
- national security and defence
- crime detection and prevention
- safeguarding vulnerable individuals, and
- responding to requests made by bodies acting in the public interest.
The most important new feature for organisational decision-makers is that recognised legitimate interests do not require a balancing test. Where the lawful basis applies, the controller does not need to carry out the usual 'rights and interests' balancing exercise that applies to ordinary legitimate interests. The controller must still be able to show that the processing is necessary for the recognised purpose, and the other UK GDPR principles (purpose limitation, data minimisation and transparency among them) continue to apply.
For organisations whose model involves obtaining personal data from public bodies for a public-interest application, this change should reduce the analytical burden that often sits behind disclosure decisions. Fraud-prevention services, healthcare research, regulated utilities and infrastructure operators may all benefit. It is not difficult to see the likely drivers behind these changes, nor to understand the disquiet they have caused (particularly within the National Health Service in relation to the sharing of health records).
The DUAA also introduces an “information gateway” approach for justifying certain disclosures. Where the traditional dynamic often placed the public authority in the position of gatekeeper, expected to satisfy itself that the recipient needed the data to perform public functions, now the recipient certifies the legal basis for the request and bears responsibility for that certification. Again, there is a practical expectation this will mean faster, less defensive disclosure decision-making by public bodies, albeit with closer scrutiny of the recipient’s request documentation.
Beyond ad-hoc disclosures, the DUAA creates structured routes for public-to-private data flows. The Digital Verification Services (DVS) framework establishes a statutory gateway, allowing public authorities to share personal data with accredited DVS providers where (i) the data subject has requested the verification service and (ii) the disclosure complies with data protection law.
‘Smart Data’ provisions in DUAA extend the ‘open banking’ style model into sectors such as utilities, transport and telecoms, with scope to expand via sectoral regulations. Upon the instruction of the customer, data holders (often public or quasi-public bodies) are legally required to share customer and business data with authorised third parties. For organisations operating in or adjacent to regulated sectors, Smart Data may be one of DUAA’s most commercially significant elements over the medium term.
Automated decision-making and AI
In a further change, DUAA restructures the rules on automated decision-making (ADM). New Articles 22A to 22D, inserted into the UK GDPR, replace the previous Article 22 regime, and the earlier general prohibition on solely automated decisions producing legal or similarly significant effects (subject to narrow exceptions) is substantially relaxed. Organisations may rely on any lawful basis under Article 6 UK GDPR to take such decisions, including legitimate interests and recognised legitimate interests, provided the statutory safeguards are in place.
Those safeguards include informing the data subject that an automated decision has been taken, enabling them to make representations about it, enabling them to obtain human intervention, and giving them a right to contest the decision. The compliance focus therefore shifts away from whether ADM is permitted in principle and toward whether the system offers the required transparency and challenge mechanisms.
It is perfectly arguable, however, that by the time those safeguards can be exercised the decision has already been taken and, depending on the context, harm may already have been done.
Regulation remains stricter where special category data is involved. Solely automated significant decisions based on health data, biometrics or other special category data face a higher bar and still generally require explicit consent or a substantial public interest condition.
EU adequacy risk and strategic planning
As will by now be apparent, the DUAA goes some distance towards relaxing the UK GDPR controls on the use of personal information by public sector bodies and international organisations. Secretaries of State have new latitude to determine the purposes to which personal data may be put, and subjective considerations such as the "desirability" of sharing data are introduced into a regime in which "limitation" and "safeguards" were the primary objectives.
Looking ahead, these reforms pose a wider question: whether the European Commission will renew the UK's EU adequacy decision when it is reviewed later in 2026. The Commission has flagged that elements of DUAA, including the relaxed transfers test, recognised legitimate interests and the rewritten ADM regime, will require closer scrutiny.
Any loss of EU adequacy would be far more disruptive than DUAA’s domestic changes. EU-to-UK personal data flows could require rapid re-papering using EU transfer mechanisms, creating an operational strain across customer, supplier and intra-group relationships. The overall direction driven by the DUAA is a more permissive regime than the EU’s, precisely the shape of divergence that can create adequacy risk.
Organisations should not assume the worst at this stage, but they would do well to bear resilient transfer governance in mind. Programmes built now can assume the UK will remain adequate when 2026 draws to a close, while still maintaining sufficient mapping, documentation and template readiness to pivot if the EU’s decision goes the other way.
Practical next steps for organisations following the Data (Use and Access) Act
The introduction of DUAA does not require a wholesale rebuild of privacy compliance programmes, but it does warrant targeted updates. A practical plan will include:
- Updating the organisation’s transfer risk assessment templates and internal guidance to reflect the new ‘not materially lower’ data protection test and the expectation that assessments can be carried out reasonably and proportionately.
- Keeping existing IDTAs and UK Addenda in place where valid, while preparing template refreshes and negotiating positions that add contractual controls where needed to compensate for any unwanted statutory or regulatory relaxation, ahead of the expected ICO updates.
- Reviewing use cases involving public bodies to determine whether recognised legitimate interests apply and whether the organisation can support the accountability burden that comes with the information gateway approach.
- Ensuring any automated decision-making is done in line with statutory safeguards, separately assessing any special category data inputs against the higher threshold.
- Briefing senior stakeholders on the EU adequacy review timeline and building strategies to reduce disruption if EU-to-UK transfer mechanisms need to be deployed at speed.
Get in touch if you have any questions about the themes raised in this article.