The Data (Use and Access) Act 2025, in plain English

The UK’s biggest data protection update in years is now in force. Here is what actually changed for small businesses, and what you can safely ignore.

The Data (Use and Access) Act 2025 (often shortened to the DUAA) received Royal Assent on 19 June 2025 and has been switched on in stages. The bulk of the data protection and privacy provisions took effect on 5 February 2026, so the changes that matter to most businesses are now live.

Two things to get straight before the detail. The Act amends the UK GDPR, the Data Protection Act 2018 and the PECR cookie rules; it does not replace them. And it is a reform of the existing regime, not a clean break, so most of what you already do still applies.

The myth: “ROPAs are being scrapped”

You may have read that record-keeping was about to be cut back so that only high-risk processing needed a record. That proposal belonged to the previous government’s Data Protection and Digital Information Bill, which fell before the 2024 election and never became law. The DUAA did not carry it through.

So the Article 30 duty to keep a Record of Processing Activities stands. Controllers and processors still need to document their processing with the content Article 30 prescribes. If anything, the new lawful basis and transfer rules below give you slightly more, not less, to keep those records current on.

What actually changed

A new lawful basis: recognised legitimate interests

The Act adds a lawful basis to Article 6: recognised legitimate interests. For a defined, narrow set of purposes, you can rely on legitimate interests without carrying out the usual balancing test (the legitimate interests assessment).

The recognised purposes include things like preventing or detecting crime, safeguarding vulnerable people, responding to emergencies, and certain disclosures to public authorities. It is narrower than many headlines suggest. Most everyday commercial uses, such as marketing to existing customers, still need a legitimate interests assessment.

Subject access requests: stop the clock, and proportionate searches

Two practical changes. First, you can now pause the response deadline (the “stop the clock” rule) while you reasonably wait for information you need to deal with a request, for example to confirm the requester’s identity or to clarify a vague request. The clock restarts once you have what you asked for.

Second, the law now says in black and white that your search for someone’s data need only be reasonable and proportionate. That codifies what the ICO already expected, but having it in the legislation is helpful when a request is sweeping.

Cookies and PECR: lighter consent, far heavier fines

You no longer need consent for certain low-risk uses of cookies and similar technologies, such as audience measurement and analytics used to improve your own service, keeping a service secure, or remembering a user’s settings, as long as you give people clear information and a straightforward way to opt out. The aim is to cut needless cookie banners. One caveat: the exemption is about setting and reading the cookie. Anything you then do with the personal data it collects is still governed by the UK GDPR, so the lawful basis, transparency and retention questions do not go away.

The trade-off is enforcement. Penalties under PECR (the cookies and electronic marketing rules) have been raised to match the UK GDPR: up to £17.5 million or 4% of worldwide annual turnover, whichever is higher, against a previous cap of £500,000. Sloppy cookie practice is now a materially bigger risk.

A duty to handle complaints

Organisations now have to give people a clear way to complain about how their data is handled, acknowledge those complaints, and respond to them, rather than leaving the ICO as the first port of call. In practice that means a simple complaints route (often an online form) and a process for dealing with what comes in.

More room for automated decisions, with safeguards

The rules on solely automated decisions that have a legal or similarly significant effect on people have been loosened, provided safeguards are in place: telling people that the decision was automated, letting them ask for human review, and letting them contest the outcome. The tighter restrictions still apply where the decision relies on special category data such as health.

International transfers: a new data protection test

Transfers of personal data out of the UK are now judged against a new “data protection test”, which broadly asks whether the standard of protection in the destination is not materially lower than the standard in the UK. Existing tools such as the UK international data transfer agreement continue to work, so most organisations will not need to tear up current arrangements.

A new regulator

The Information Commissioner’s Office is being reconstituted as the Information Commission, with modernised governance and enforcement powers. For most small organisations the day-to-day point of contact and guidance is unchanged in substance.

What a small business should do now

  • Check your records reflect reality, including any lawful bases you are relying on, so the new options are captured accurately.
  • Review your cookie banner against the relaxed low-risk rules, and remember that fines for getting cookies and marketing wrong are now far higher.
  • Put a clear, simple route in place for people to complain about their data.
  • Check whether any processing can rely on a recognised legitimate interest, while remembering most commercial uses still need the balancing test.

None of this requires a privacy team. It requires knowing what personal data you hold and why, which is exactly what a current ROPA gives you.

Frequently asked questions

Is the Data (Use and Access) Act in force?
Yes. It received Royal Assent on 19 June 2025 and is being switched on in stages. The bulk of the data protection and privacy changes took effect on 5 February 2026, so the main provisions that affect everyday business are now live.
Does the DUAA replace UK GDPR?
No. It amends the UK GDPR, the Data Protection Act 2018 and the PECR cookie and marketing rules, rather than replacing them. The familiar framework still stands; the Act reforms specific parts of it.
Do I still need a Record of Processing Activities (ROPA)?
Yes. The Act did not remove the Article 30 duty to keep records of your processing. The idea of cutting records back to high-risk processing only came from the earlier Data Protection and Digital Information Bill, which did not become law. If anything, the new lawful bases and transfer rules give you more to keep your records current about.
What should a small business do first?
Make sure your records reflect the new options accurately, review your cookie banner against the relaxed low-risk rules, put a clear complaints route in place, and check whether any processing can now rely on a recognised legitimate interest. A current ROPA makes each of those a quick check rather than a project.

This guide is general information, not legal advice. For the official position, see the ICO’s guidance on the Data (Use and Access) Act 2025.

Keep your records current through the change

The Data Protection Register keeps your ROPA and assessments built from one set of facts, so when the rules or your business change, your records keep up. See where you stand with our free check.