If you've noticed an increase in articles about the Data (Use and Access) Act 2025 (DUAA), there's a good reason for it.
While the Act received Royal Assent in 2025, a number of important provisions take effect on 19 June 2026. As a result, businesses are being encouraged to review their data protection arrangements and ensure they are ready for the changes.
Before anyone panics, this is not a complete rewrite of UK data protection law. The UK GDPR and Data Protection Act 2018 remain in place. Instead, the DUAA introduces a number of updates aimed at making compliance more practical while strengthening certain rights and enforcement powers.
So, What Are the Key Changes?
Several changes will be relevant to businesses, but three areas are likely to have the biggest practical impact.
1. Privacy Complaints Procedures
One of the most important and often overlooked changes is the increased focus on how organisations handle privacy-related complaints.
Businesses should have a clear process that allows individuals to raise concerns about how their personal data is being used. Privacy notices should explain how complaints can be made, and organisations should be prepared to investigate and respond appropriately.
For many businesses, this may require updates to both privacy documentation and internal procedures.
2. Subject Access Requests
The DUAA introduces a more proportionate approach when responding to Subject Access Requests (SARs).
Rather than carrying out exhaustive searches in every possible location, organisations are expected to undertake searches that are reasonable and proportionate in the circumstances. This provides greater clarity and reflects a more practical approach to compliance.
3. Marketing and Data Privacy Compliance
The rules around electronic marketing remain an important area of risk.
The Information Commissioner's Office (ICO) now has stronger enforcement powers, meaning organisations should ensure their email marketing, cookie practices and online data collection methods remain compliant.
What Should Businesses Check?
The upcoming implementation date provides a useful opportunity to carry out a data protection health check.
Ask yourself:
- Is your Privacy Policy up to date?
- Does it explain how individuals can raise a privacy complaint?
- Do you have an internal process for handling those complaints?
- Are staff aware of how Subject Access Requests should be managed?
- Are your marketing activities and cookie practices compliant?
- Do your data protection policies accurately reflect how your business operates today?
For many organisations, small updates now could help avoid larger compliance issues later.
The DUAA is not about starting again. For most businesses, it is about reviewing existing arrangements and making sure they remain fit for purpose.
The organisations that are likely to benefit most from these changes are those that take the opportunity to assess their current policies, procedures and privacy documentation before the new provisions take effect.
If you are unsure whether your Privacy Policy, data protection procedures or marketing practices need updating, Grace Legal can help you identify any gaps and ensure your business is ready for the changes taking effect on 19 June 2026.