The Act came into force on 19 June 2025 and is being brought in piecemeal. The provisions which are in force now are:
Sections 69 and 82 relate to law enforcement processing.
Section 78 clarifies that a Data Controller is only required to conduct reasonable and proportionate searches when responding to a DSAR. It limits the scope of information that must be provided to what can be reasonably and proportionately searched for by the controller.
Section 79 introduces a legal professional privilege exemption.
Section 88 provides a national security exemption.
Section 96 revises the procedures for issuing notices by the Information Commissioner. It allows notices to be delivered by hand, post or email and specifies the individual entities to whom such notices may be addressed, including officers of corporate bodies and partners of partnerships.
Section 97 expands the Information Commissioner’s powers to require not only information but also documents, broadening the scope of regulatory enforcement.
Sections 89 and 90, which come into force on 17 November 2025, aim to enhance collaboration between intelligence services and designated authorities while maintaining compliance with data protection laws.
Section 111 imposes a duty to notify the Commissioner of personal data breaches within specified time periods.
DUAA is being implemented on a provision by provision basis and further regulations will determine when other sections come into force. The best way to keep track is to obtain a DUAA Tracker from the Department for Science, Innovation and Technology.
The Information Commissioner’s Office (ICO) will be replaced by an Information Commission (IC) with stronger governance and a more proactive approach. The recruitment process is underway but an opening date has not been specified.
What you need to do now
You have to check your systems, policies and training against the stricter rules that DUAA will impose. What you need to do now is:
1. Ensure databases are accurate and up to date, with trails showing updates, corrections and safeguards.
2. Check your Data Subject Access Request (DSAR) processes and response times. If you process personal data in the UK, it is essential that you comply with the Privacy and Electronic Communications Regulations (PECR). PECR is the benchmark against which you have to measure privacy rules for electronic marketing and communications.
3. Review any contracts you have for the transfer of data; following the legislation, the test is now that the protection under the receiving legislation must be not materially lower than UK GDPR.
4. Review supplier contracts, data processing agreements and any processing arrangements where you have sub-contractors.
5. Review existing Privacy Notices.
6. Review Legitimate Interests as your lawful basis for processing, in particular:
· Fraud prevention
· Safeguarding vulnerable children
· Security for network and information
· National Security Protection
7. Check your cookie notices. See if there are any for which you still need consent; most will now fall outside the consent regime.
8. Plan refresher training for those in your organisation who deal with data protection.
Have a copy of the DUAA Tracker, which contains the commencement timetable. You can obtain it from the Department for Science, Innovation and Technology.
The main change in DUAA will be to balance trust in data protection against the need of business to innovate.
The Information Commission has a duty to balance data protection with innovation, competition and wider economic growth while effectively maintaining privacy safeguards. The Commission has stronger enforcement powers e.g. to compel individuals to attend interviews and produce detailed reports.
The Commission will be more assertive in enforcement and you must therefore take care that your records and your staff are ready for examination.
DUAA lists certain items that automatically qualify as a legitimate interest, so you can make quicker decisions about processing data without having to carry out a balancing test:
· Fraud prevention
· Safeguarding children
· Security for network and information
· National Security Protection
This has particular relevance in the areas of medical research, public health and other social benefit, e.g. protecting children’s personal data, and affects organisations such as schools, charities, youth services and health care.
Individuals’ data can now flow between the NHS, hospitals, GPs and other care providers. Public authorities can delegate data responsibilities to third party operators.
The Commission can scrutinise AI and profiling tools, and the requirement is fairness, transparency and safeguards against discrimination. That means you must be aware of the heightened risks of profiling, discrimination or manipulation where neuro data is involved, whether provided by AI or not.
If you are an AI developer, there is no obligation to disclose how or what data the developer uses for training; however, there are growing concerns about copyright infringement, e.g. web-scraping, large scale data ingestion and third party models.
DUAA updates the rules for online marketing, cookies and direct marketing and introduces broader exemptions for certain low risk analytic cookies so that consent is no longer required. The maximum penalties for direct marketing and cookie breaches have been increased to £135m or 4% of global turnover, whichever is the greater.
There is therefore a strong push to deter unlawful tracking, nuisance calls and intrusive advertising, so review your cookie banners, opt in processes and consent records. DUAA updates the ePrivacy rules so that they take account of modern tracking technologies. DUAA covers ePrivacy in relation to data provided automatically, such as IP addresses and device identifiers.
DUAA prohibits remote tracking methods that assist data collection, and there will be user detection and oversight. There are exemptions where the risk to privacy is minimal, but you must provide people with clear information and give them a real ability to object.
If you transfer data, note that DUAA gives the government legal powers to build and regulate a digital identity eco-system. This includes the areas of anti money laundering and counter terrorist financing.
DSARs
You are only required to carry out searches that are reasonable and proportionate, so you don’t need to search every system.
If requests are genuinely impossible or unreasonably burdensome to fulfil, the clock can be stopped while you obtain further information from the person who has served the DSAR about what they want. You can require the requester to keep their requests targeted, and you should use this ability if the DSAR is too broad or unfocused.
DUAA changes the complaints process. Data subjects are required to raise their complaint directly with the Data Controller, i.e. you, which gives you a chance to resolve it before the dispute is taken to the Commission.
If you wish to keep in touch on the issue of DUAA 2025, contact Lynne Brooke on 07921 587341 or Michael Brunker, who is our expert collaborator on cyber security and DUAA. Other organisations are presenting DUAA as complicated, but the fact is that it is relatively straightforward: follow the guidelines set out in the Act, summarised in this post, and track implementation on your DUAA Tracker.
The Brooke Law Group
Winter 2021