Compliance with the new Data (Use and Access) Act 2025
On 19 June 2025, the Data (Use and Access) Act (DUAA) finally received Royal Assent following a lengthy passage through Parliament. The Act has introduced a number of changes to the existing UK data protection (DP) regulatory framework: the Data Protection Act (DPA) 2018, the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
What Changes Has DUAA Introduced?
Several of DUAA’s provisions came into effect throughout 2025. These include the introduction of a ‘reasonable and proportionate search’ standard for data subject access requests (DSARs), allowing data controllers to exclude excessive or unfocused searches, and a relaxation of the rules on automated decision-making. Further, the Act has added a list of limited, pre-approved ‘recognised legitimate interests’ to the ‘legitimate interests’ legal basis for processing; for these, a legitimate interest assessment (LIA) will not need to be conducted. DUAA has also amended the PECR by broadening cookie-consent exemptions (i.e., using cookies for certain purposes no longer requires consent), allowing not-for-profit organisations to rely on ‘soft opt-in’ consent for electronic marketing messages, and extending the window for notifying PECR personal data breaches from 24 to 72 hours.
The Act’s remaining provisions will become applicable during 2026. By June 2026, organisations will need to have a mandatory process for handling data protection complaints, including providing an electronic method for submission. The Act will also introduce Smart Data schemes to mandate data sharing for competition, and a legal framework for Digital Verification Services (DVS), creating a certified system for digital identities to support simpler, more secure online transactions.
Read more about the changes made by DUAA in our blog, DUA Act Finally Becomes Law.
DUAA Compliance Support
URM’s team of data protection consultants can work with you to determine your level of compliance with the new requirements, and to help you take advantage of some of DUAA’s benefits. With our gap analysis service, we can evaluate your current processing practices and data protection governance against DUAA requirements to identify any areas of noncompliance. The output of the analysis is a report in which we provide prioritised recommendations for closing any gaps found.
Organisations have found a gap analysis to be a useful tool not only as a check on current compliance, but also when they are looking to improve their data protection position or when considering new business ventures. As URM operates with clients worldwide, a gap analysis can be used to consider compliance before an organisation moves into new international markets.
Why URM?
Track record
URM’s DP and GDPR consultants have extensive ‘real world’ experience as both practitioners and subject matter experts, working at a senior level within business and, in their data protection consulting roles, advising organisations on best practice. With a 20-year track record assisting organisations to comply with legislation such as the Data Protection Act, the GDPR and local country-specific legislation, URM has earned a reputation for adopting a pragmatic and business-appropriate approach.
Flexible service offerings
A key differentiator between URM and other data protection service providers is our flexible service offerings. Our virtual DPO service can be customised to your precise requirements, in terms of the type of support you require, the frequency of site days (remote or on site), etc. Equally, with our remediation support, URM can assist you in addressing any gaps identified and achieving full GDPR compliance. We can also help you maintain that compliance with GDPR auditing services.
Knowledge transfer
URM prides itself on its knowledge transfer philosophy and training expertise, which help to ensure that you understand not only what the principles and requirements of the GDPR are but also how best to meet them.

