Data (Use and Access) Act factsheet: UK GDPR and DPA
Published 27 June 2025
A summary of the most significant changes made to the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”) under the Data (Use and Access) Act 2025 (“DUAA”, “the Act”).
The Act will come into force in stages. Details of the regulations and exact dates that each measure will come into force will be available on GOV.UK.
This information is only for reference and not regulatory guidance or legal advice. The Information Commissioner’s Office (“ICO”) is responsible for publishing regulatory guidance on its website - www.ico.org.uk.
Provision(s) in the DUAA
Section 67
Title
Meaning of research and statistical purposes
Description of measure
This measure makes it clearer when you can use personal data for scientific research and statistical purposes. Amongst other things, the measure clarifies that the definition of research is inclusive of commercial scientific research – for instance, a pharmaceutical company conducting vaccine research. Processing that falls under these categories is subject to the research provisions, which include certain exemptions and safeguards detailed elsewhere in the Act.
By clarifying the meanings in the legislation itself rather than in the UK GDPR recitals, this measure gives researchers greater consistency and certainty.
How is this different from previous legislation?
Previously, the research categories were not set out in the UK GDPR or the DPA 2018, with the only explanation of their meaning coming in the recitals. For example, recital 159 states that “the processing of personal data for scientific research purposes should be interpreted in a broad manner”.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 67 of the DUAA amends Article 4 of the UK GDPR.
Provision(s) in the DUAA
Section 68
Title
Consent to processing for the purposes of scientific research
Description of measure
This measure allows researchers to rely on broad consent, subject to certain conditions such as consistency with relevant ethical standards. If a researcher is unclear of the precise purpose of a study at its start, they can ask for consent for an area of scientific research (e.g. the study of certain diseases). While consent is not often used by researchers as their lawful basis under the UK GDPR, this will give those that do want to rely on broad consent more legal certainty.
How is this different from previous legislation?
The concept of “broad consent” for research purposes was previously found in the UK GDPR recitals. Bringing it into the main text of the legislation will raise awareness of the concept and give researchers greater clarity.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 68 of the DUAA amends Article 4 of the UK GDPR.
Provision(s) in the DUAA
Section 70; Schedule 4
Title
Lawfulness of Processing
Description of measure
This measure creates a new lawful ground for processing personal data under Article 6 of the UK GDPR. It is designed to give non-public bodies greater confidence about processing personal data for a limited number of “recognised legitimate interests”.
These include processing that is necessary for crime prevention, safeguarding vulnerable people, responding to emergencies, safeguarding national security or assisting other bodies deliver public interest tasks that are sanctioned by law.
How is this different from previous legislation?
Previously, most organisations would have relied on the “legitimate interests” lawful ground in Article 6(1)(f) UK GDPR to process personal data for such purposes. That ground requires organisations to undertake a “legitimate interests assessment” before the processing begins.
While the requirement for the processing to be necessary remains, the need for a detailed legitimate interests assessment which balances the data controller’s interest against the individual’s interest has been removed. This is in recognition of the societal value of the processing in specified situations and the potential negative impacts of any delay.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 70 of the DUAA mainly amends Article 6 of the UK GDPR.
Schedule 4 of the DUAA inserts new Annex 1 into the UK GDPR.
Provision(s) in the DUAA
Section 71
Title
Purpose limitation
Description of measure
Under the UK GDPR, the purpose limitation principle ensures that an individual’s personal data is re-used only in ways that they might reasonably expect.
This measure clarifies the circumstances in which “further processing” or data re-use is compatible with the original purpose, including when personal data is being re-used for a very different purpose from that for which it was originally collected, for example when a company may wish to disclose personal data for crime prevention. The measure also clarifies the position when there is a change of controller and the requirement for an Article 6(1) lawful ground to be satisfied for all further processing or data re-use.
How is this different from previous legislation?
Previously, the legislation on personal data re-use was difficult for controllers and individuals to navigate, particularly as it was not clear about certain specific public interest circumstances in which further processing would be permitted. These measures rectify this.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 71 of the DUAA amends Articles 5 and 6 of the UK GDPR, and inserts new Article 8A into the UK GDPR.
Provision(s) in the DUAA
Section 72
Title
Processing in reliance on relevant international law
Description of measure
This measure clarifies that under the UK GDPR, data controllers can process personal data on grounds of public interest under Article 6(1)(e) and Article 9(2)(g) UK GDPR where the basis of such processing is set out in relevant international law.
The requirement for a basis in relevant international law is met if processing meets a condition in Schedule A1 of the DPA 2018 (as inserted by these measures), which currently includes reference to the UK-US Data Access Agreement. The Secretary of State has the power to add additional conditions relating to international treaties.
How is this different from previous legislation?
Under the UK GDPR, data controllers can process personal data on “public interest” grounds if the basis for the processing is set out in “domestic law”.
This measure makes it clear that relevant international law can also provide a basis for processing of personal data on public interest grounds.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 72 of the DUAA:
- Amends Article 6(3) of the UK GDPR.
- Amends Article 8A(3) of the UK GDPR (Article 8A is inserted by section 71 of the DUAA).
- Amends Articles 9(2)(g) and (5) of the UK GDPR.
- Amends Article 10(1) and (2) of the UK GDPR.
- Inserts new section 9A and schedule A1 into the DPA 2018.
Provision(s) in the DUAA
Sections 75-78; section 104
Title
Data subjects’ rights
Description of measure
These measures clarify rules around subject access requests for organisations and individuals. They make provisions on time limits to respond to data subject requests; and codify existing case law around reasonable and proportionate searches.
How is this different from previous legislation?
Previously, the one-month deadline to respond to a Subject Access Request (SAR) started as soon as the request was received, regardless of whether data controllers had all the information they needed to take the required action. The Act introduces a “stop the clock” provision which will allow organisations to pause the response time – without the risk of missing the deadline – if they need data subjects to clarify or refine their requests or to provide more information. Once the organisation has the information they need, the response time continues. In addition, the previous law did not explicitly state that searches needed to be “reasonable and proportionate”, although this has been established by case law.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Sections 75-78 and 104 of the DUAA:
- Amend Articles 12, 13, 14 and 15 of, and insert new Article 12A into, the UK GDPR, and amend sections 45, 53 and 54 of the DPA 2018.
- Amend section 94 of the DPA 2018.
- Insert new section 180A into the DPA 2018.
Provision(s) in the DUAA
Section 79
Title
Data subjects’ rights to information: legal professional privilege exemption
Description of measure
This reform introduces an exemption for “legal professional privilege” under the law enforcement regime, making it clear that controllers are not compelled to release confidential communications between a lawyer and their client. It will bring consistency with the UK GDPR, and the intelligence services regimes, which already have such exemptions.
How is this different from previous legislation?
Under the previous law enforcement regime, there was no specific exemption for legal professional privilege meaning that those processing under that regime had to rely on other exemptions. These required them to balance the necessity and proportionality of applying the exemption against the rights and freedoms of the data subject even though an exemption is almost certain to be appropriate where it concerns communications between lawyers and their clients.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 79 of the DUAA:
- Adds new section 45A into the DPA 2018 and amends sections 43, 44 and 51.
- Adds new section 12A(5) to the UK GDPR.
Provision(s) in the DUAA
Section 80; Schedule 6
Title
Automated decision-making [UK GDPR]
Description of measure
This measure facilitates the responsible use of automation to help grow the economy and enable a modern digital government. With stringent safeguards in place, it creates a more permissive framework for making decisions based solely on automated processing that have legal or similarly significant effects for individuals.
These safeguards include: providing data subjects with information about significant decisions made about them; enabling individuals to make representations about and to challenge them; as well as enabling them to obtain human intervention in the taking of the decision.
This measure also introduces several regulation-making powers to ensure that the government will have the ability to bring greater legal certainty, where necessary, in the light of constantly evolving technology.
How is this different from previous legislation?
The previous rules related to solely automated decision-making were framed as a general prohibition on decision-making of this nature, except where certain limited conditions apply. These rules were complex to navigate, leaving organisations unclear when they could engage in such activity. This hindered the use of automated decision-making that can enhance productivity and make people’s lives easier.
These reforms simplify the requirements for solely automated decision-making, making it clear to controllers and individuals when the safeguards and restrictions apply. They achieve this by enabling organisations to carry out solely automated decision-making in wider circumstances, as long as they implement measures to provide the relevant safeguards.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 80 of the DUAA replaces Article 22 of the UK GDPR and section 14 of the DPA 2018 with new Articles 22A-D of the UK GDPR.
Provision(s) in the DUAA
Section 80; Schedule 6
Title
Automated decision-making [law enforcement]
Description of measure
General reforms:
This measure facilitates the responsible use of automation to help ensure that those processing under the law enforcement regime are fully able to tackle crime. With stringent safeguards in place, it creates a more permissive framework for making decisions based solely on automated processing that have an adverse legal or similarly significant adverse effect on individuals. These safeguards must include providing data subjects with information about significant decisions made about them and must enable individuals to make representations about them, challenge them and obtain human intervention in the taking of the decision. It also introduces several regulation-making powers to ensure that the government will have the ability to bring greater legal certainty, where necessary, in the light of constantly evolving technology.
Active Human Review exemption:
This change means that individuals can continue to have confidence that the correct decisions are being made about them, whilst avoiding the risk of undermining an investigation by tipping off a suspect that they are of interest.
How is this different from previous legislation?
General reforms:
The previous rules relating to solely automated decision-making were framed as a general prohibition on decision-making of this nature, except where certain, limited, conditions applied. These rules were complex to navigate, leaving those processing under the law enforcement regime unclear when they could engage in such activity, thus hindering its use in tackling crime and bringing offenders to justice.
These reforms simplify the requirements for solely automated decision-making, making it clear to those processing under the law enforcement regime and individuals when the safeguards and restrictions apply. They achieve this by enabling them to carry out solely automated decision-making in wider circumstances, as long as they implement measures to provide certain safeguards.
Active Human Review exemption:
A new exemption to the safeguards has been introduced to the law enforcement regime, which may be applied where this is required for a limited set of reasons such as to avoid the obstruction of an investigation or safeguard national security so long as the decision is reconsidered as soon as reasonably practicable after it is taken and the reconsideration involves meaningful human involvement.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 80 of the DUAA replaces sections 49 and 50 of the DPA 2018 with sections 50A-D.
Provision(s) in the DUAA
Section 81
Title
Data protection by design: children’s higher protection matters
Description of measure
This measure introduces a new duty for information society services that are likely to be accessed by children, building on existing obligations under Article 25 of the UK GDPR. It requires these services to take account of the “children’s higher protection matters” specified in the new Article 25(1B) of the UK GDPR when designing processing activities carried out when providing services to children. These matters include how best to protect and support children when using the service; the fact that children may be less aware of the risks and consequences associated with the processing of their personal data; and the fact that children have different needs at different ages and different stages of development.
How is this different from previous legislation?
Article 25 of the UK GDPR already requires data controllers to implement appropriate technical and organisational measures to ensure data protection by design and by default. This requires consideration of varying risks for rights and freedoms of individuals but does not expressly refer to children’s needs. This measure changes this by adding a new explicit duty for information society services likely to be accessed by children to take account of children’s needs when designing their services.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 81 of the DUAA amends Article 25 of the UK GDPR.
Provision(s) in the DUAA
Section 82
Title
Logging of law enforcement processing
Description of measure
This reform only removes the requirement for those processing under the law enforcement regime to record a justification and retains the other requirements to record the time, date and, so far as possible, the identity of the person who accessed or disclosed the data.
To help improve accountability for data use by those processing under the law enforcement regime, the DPA 2018 introduced a requirement for them to keep logs of various personal data processing activities, which included the requirement to record a justification every time an officer consults or discloses personal data on an automated system. Recording the justification was intended to help detect unauthorised access; however, this has proven to be ineffective because anyone accessing the system unlawfully is unlikely to record that as a reason in the log.
How is this different from previous legislation?
Those processing under the law enforcement regime are no longer required to record, in writing, a justification every time personal data is consulted or disclosed, thus reducing administrative burdens on law enforcement agencies.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 82 of the DUAA amends section 62 of the DPA 2018.
Provision(s) in the DUAA
Section 85; Schedules 7-9
Title
Transfers of personal data to third countries etc.
Description of measure
These measures introduce reforms to the UK GDPR and the law enforcement equivalent in the DPA 2018. There are some measures that apply to the law enforcement provisions only and these are covered at the end of this section.
The measures introduce a new data protection test to be applied by the Secretary of State when deciding whether to approve data transfers to a third country or international organisation. The test is whether the third country or international organisation has a standard of data protection which is “not materially lower” than the standard in the UK. The measures also remove the four-year review period for adequacy regulations but maintain the requirement that the regulations are subject to ongoing monitoring.
These measures also introduce a data protection test for data exporters when using alternative transfer mechanisms such as standard contractual clauses or other appropriate safeguards. The data protection test is met if, after an international transfer, the level of protection for a data subject will be “not materially lower” than under UK law. Controllers and processors are required to act reasonably and proportionately when considering whether the data protection test is met. Alongside this is a power for the Secretary of State to recognise new transfer mechanisms for allowing international personal data transfers.
Changes specific to law enforcement
Separately, apart from reforms which mirror the UK GDPR, Schedule 8 introduces specific reforms which apply only to the law enforcement regime in the DPA 2018. These measures clarify the rules for law enforcement transfers in special circumstances and make clear that the legislation does not limit transfers to individual pieces of data.
The DUAA also introduces a limited exception to the prohibition of onward transfers of UK data without prior authorisation if it is necessary to prevent an immediate and serious threat and further, creates a clear route through which transfers can be made to processors based outside the UK.
How is this different from previous legislation?
Prior to these reforms, the data protection test was not set out as clearly for data controllers in the legislation; there was a 4-year review period for adequacy regulations; and the Secretary of State did not have a power to update the list of appropriate safeguards that controllers may use to transfer personal data.
Law enforcement reforms
In relation to the law enforcement specific reforms, the Special Circumstances provision contained language which did not give confidence to law enforcement to use this provision.
The exception from the prohibition of onward transfers without prior authorisation already exists for EU data and we are extending this to UK data. This is to enable international data sharing in an emergency when a serious threat to the UK or third country occurs.
Controller to processor international transfers are currently permissible but not explicitly provided for in the legislation.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 85 and Schedules 7-9 of the DUAA amend Chapter 5 of the UK GDPR and Chapter 5 of Part 3 of the DPA 2018.
Provision(s) in the DUAA
Sections 86-87
Title
Safeguards for processing for research purposes
Description of measure
This measure brings together the conditions which must be met for processing under the research provisions.
These safeguards include respect for the principle of data minimisation, as well as preventing processing which leads to decisions being made about, or substantial harm caused to, data subjects.
The clause also gives the Secretary of State a power to add to the existing safeguards, but not to amend or remove them.
How is this different from previous legislation?
These safeguards are currently split between the UK GDPR, recitals, and the DPA 2018. Bringing them together will make the law simpler, giving researchers and data subjects greater clarity and consistency.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Sections 86-87 of the DUAA add new Articles 84A-D to new Chapter 8A of the UK GDPR.
Provision(s) in the DUAA
Section 88
Title
National Security Exemption [law enforcement]
Description of measure
This measure amends the previous national security restrictions in the law enforcement regime to mirror those available under the UK GDPR and intelligence service regimes. Aligning the regimes will ensure that those processing under the law enforcement regime can provide the same level of protection as organisations operating under the UK GDPR and the intelligence services regime.
It will also remove barriers to the timely sharing of data where this is required in order to safeguard national security, allowing for more collaborative working between those processing under the law enforcement regime and the intelligence services.
How is this different from previous legislation?
This reform replaces the piecemeal national security restrictions under the law enforcement regime with a single exemption which mirrors that under the UK GDPR and intelligence services regime. The exemption can be applied where it is “required” for the purposes of safeguarding national security. It applies to the following areas:
- Most of the data protection principles in Chapter 2;
- All of the data subject rights in Chapter 3;
- The need to inform the Information Commissioner of a data breach (Chapter 4, section 67);
- Some of the international transfer requirements in Chapter 5; and
- Some of the provisions relating to the Information Commissioner’s powers of entry to conduct inspections and take enforcement action, set out in Parts 5, 6 and 7.
It also makes some minor changes to the way in which national security certificates operate, again to ensure consistency with the similar provisions under UK GDPR and the intelligence services regime.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 88 of the DUAA:
- Adds new section 78A to the DPA 2018.
- Amends sections 26(2)(f), 44, 45, 48, 68(7)(d), 79, 110 and 186(3) of the DPA.
Consequential amendments are also made to a number of Statutory Instruments and Acts of Parliament.
Provision(s) in the DUAA
Sections 89-90
Title
Joint working designation notices [law enforcement]
Description of measure
This provision will enable a qualifying competent authority, such as Counter Terrorism Policing, to form a joint controllership with the intelligence services for specific processing.
The Secretary of State will designate such processing through a ‘designation notice’ only where they are satisfied it is required for the purpose of safeguarding national security. This processing will be subject to the same standards that are required of and applied by the intelligence services, with necessary controls and safeguards including consultation with the Information Commissioner’s Office.
How is this different from previous legislation?
The DPA 2018 precluded joint controllerships being formed between UK intelligence agencies and law enforcement organisations, resulting in friction and inefficiency when working together. This measure rectifies this by permitting joint controllerships to be formed by UK intelligence agencies and law enforcement as was previously the case under the Data Protection Act 1998.
Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Sections 89-90 of the DUAA:
- Amend section 82 of the DPA 2018.
- Add new sections 82A – 82E to the DPA 2018.