MSPs Brace Themselves For New DUAA GDPR Rules


We can probably all agree that GDPR has been an unwanted distraction from day one.

Eight years on, and the goalposts are moving. The “amendment” is designed to refine and modernise the existing UK GDPR framework.

The UK’s data protection landscape will see the introduction of the Data (Use and Access) Act 2025 (DUAA), which will be effective from June 2026!

That’s just three months from the bill being announced to it taking effect.

So what are the important changes that IT executives and business leaders need to be aware of?

Here’s what we know so far (but we will take a deep dive in the coming days and provide solutions in a later article!)


What is the Data (Use and Access) Act (DUAA) 2025?

At its core, the DUAA tightens the rules around how organisations justify their use of personal data.

One of the most significant updates is the shift from the broad “legitimate interest” standard to a more narrowly defined “recognised legitimate interest.”

Under this new requirement, businesses must ensure that any data processing aligns with specific conditions, such as public security, protecting vulnerable individuals, or preventing crime.

This change reduces flexibility and increases the burden of justification, meaning organisations must be far more precise and accountable in how and why they process data.

DUAA Cookie Monsters

The DUAA also introduces clarification around cookie usage.

While there is some relaxation — allowing certain low-risk cookies, such as analytics or basic website functionality, to operate without explicit consent — the majority of cookies still fall under the strict consent requirements outlined in the Privacy and Electronic Communications Regulations 2003.

This means businesses cannot assume a broad easing of restrictions; instead, they must understand exactly which technologies fall within the exemption and which do not.

DUAA: Purpose Limitation

Another key development is the reinforcement of purpose limitation.

Under new DUAA rules, businesses are restricted in how they can reuse personal data beyond its original collection purpose.

While there are limited allowances for areas such as research or crime prevention, the overall direction is clear: businesses must maintain tighter control over how data is repurposed.

This places increased importance on transparency and accountability in data handling practices.


More Powers to ICO

Perhaps the most impactful change for organisations is the expansion of regulatory powers for the Information Commissioner’s Office (ICO).

The ICO can ask businesses to produce detailed reports on data incidents, compel access to internal documentation, and conduct more thorough investigations.

This signals a shift toward more proactive and intrusive regulatory oversight, where organisations must be prepared to demonstrate compliance at short notice.

The reason for this is that consumers have been given rights to challenge how their data is handled.

Individuals will be able to submit complaints directly to organisations and expect responses within a defined timeframe.

This change increases the likelihood of scrutiny at an operational level, as businesses will need to respond quickly and accurately to data-related concerns.

Find Out More

In a follow-up piece, we will outline the technical and operational measures businesses should consider implementing to align with the new requirements.

Stay tuned to Micro Pro for a detailed breakdown of the IT strategies needed to remain compliant and resilient in this evolving regulatory environment.

In the meantime, check out our GDPR cheat sheet and ensure you have implemented the fundamental data regulations before you plan for DUAA.

About Shaun Groenewald

As a highly skilled professional with over 20 years’ experience in information technology, Shaun has worked both in-house and with various managed IT service providers to deliver IT services to SMEs and larger organisations. He consults and engages senior members at the stakeholder level to deliver solutions that improve operational efficiency and provide value to the business in line with strategic objectives.

To date, he has actively managed and technically contributed to over 300 projects in the last 10 years, with a focus on reducing operational costs through organisational optimisation, improving functionality and infrastructure resilience, and making IT services easier to maintain, whether by facilitating the introduction of ITSM service tools, introducing business continuity, developing internal processes, reviewing IT policies or managing the delivery of infrastructure from the ground up.

Shaun is passionate about what he does and enjoys being able to make a positive impact on the way IT delivers solutions to scaling businesses, based on a framework of best practice.
