The Data Use and Access Act (DUA Act), which entered into force on 19 June 2025, represents the UK’s most substantial departure from the EU GDPR (GDPR) since Brexit. While maintaining structural alignment in some areas, the DUA Act introduces legally significant divergences, particularly in Parts 3 to 6, which affect legal bases for processing, data subject rights, research reuse, international transfers, automated decision-making, and enforcement thresholds. These Parts broadly correspond to provisions covering lawful processing, rights, oversight, and enforcement. The changes materially affect compliance obligations for UK-based controllers and processors. The Information Commissioner's Office (ICO) promptly followed with provisional guidance.
We have commented in our earlier article on the DUA Act’s introduction of new Smart Data Schemes and Digital Verification Services, which establish a new legal framework for trusted data sharing in the UK.
This article offers a legal analysis of twelve core reform areas, grounded in the DUA Act text and the ICO’s commentary, with an analysis of the main divergences from the GDPR as well as practical recommendations. The twelve core reform areas examined reflect the DUA Act’s most material legal changes and regulatory divergences from the GDPR, and are the following:
1. Recognised Legitimate Interests (RLIs)
2. Purpose limitation
3. Automated Decision-Making (ADM)
4. ADM in Law Enforcement and National Security
5. Data Subject Access Requests (DSARs)
6. Complaints handling
7. Age Appropriate Design Code (AADC or Children’s Code)
8. Scientific, historical and statistical purposes
9. International data transfers
10. Cookies and PECR Reform
11. Information Commissioner’s Office (ICO) Reform
12. Codified convergences with EU Law
Implementation Timeline
Most of the data protection provisions in the DUA Act do not take effect automatically on Royal Assent (19 June 2025). Instead, the Act grants the Secretary of State the power to bring different provisions into force by way of statutory instrument, allowing for staggered commencement across several months.
Provisions already in force:
Certain powers and duties came into force on Royal Assent on 19 June 2025, including:
- Section 78: introducing the “reasonable and proportionate” search standard for DSARs.
- Sections 126 to 128: on biometric data retention.
- Section 122 (in part) and Part 1 of Schedule 16: relating to energy smart meter communication licences.
- Various regulation-making powers, including those for the Secretary of State to commence other parts of the Act.
Provisions that came into force on 10 July 2025 via SI 2025/672 (Commencement No. 1):
- Section 96: clarifying the Commissioner’s ability to issue notices electronically.
- Section 97: empowering the Commissioner to require production of documents.
- Section 103: inserting new Section 164A DPA 2018 (enhanced ICO complaints-handling powers).
- Sections 104 to 107: additional enforcement and judicial powers.
Expected later in 2025, provisions relating to:
- Recognised Legitimate Interests (Schedule 1),
- Further processing and compatibility reforms (Schedule 2),
- Subject access reform (including adjustments to Article 15 UK GDPR), expected to come into force following further commencement regulations and ICO guidance.
- Establishment of the new Information Commission (Part 5 DPA 2018), replacing the current Information Commissioner (commencement by statutory instrument required).
- New statutory objectives for the Information Commission and anticipated AI/ADM statutory codes (Sections 91–93 DPA 2018).
- Automated decision-making provisions (Articles 22A–22D) are expected to be phased in following sector consultation.
- International data transfer reforms, including the new “not materially lower” standard for adequacy and alternative safeguards under amended Articles 45–47 UK GDPR.
- PECR amendments: new cookie consent exemptions, revised definition of direct marketing (Section 110), and the alignment of PECR monetary penalties with UK GDPR.
Comments
The DUA Act marks a decisive step away from the EU GDPR, asserting the UK’s autonomy over its data protection framework. The reforms reflect a strategic prioritisation of innovation, regulatory flexibility, and administrative simplification, often at the expense of harmonised interpretation. Multinational organisations must reconfigure policies, processes, documentation and controls to reflect this shift while continuing to meet the stricter contextual requirements of the EU GDPR. Navigating dual regimes now requires a bifocal legal strategy: one eye fixed on divergence, to capture the opportunities and manage the risks of UK-specific reforms, and the other on convergence, to preserve interoperability and reduce fragmentation across borders.
Next Steps
We are closely monitoring the implementation of the DUA Act and its implications across UK sectors. Further commentary on specific provisions will be published in due course. If you have any questions arising from this article, would like to arrange a training session, or require support in aligning your policies, documentation or contracts with the new regime, please contact us.