With us in your corner, the commercial side of your business is in safe hands.

Practical, focused and fast when you need us to be, we pay attention to the detail while keeping things moving – leaving you to stay focused on your next move.

Whether you’re buying, selling, structuring or investing in your business, let us do the heavy lifting so you don’t have to.

Legal expertise that supports your employees and your business. We’re always available and always ready to step in when you need us. 

Our breadth of expertise means you’ll be prepped and ready to handle the unique challenges of this fast-paced and ever-changing sector. 

Your business is unique. We’ll help you keep it that way. 

Our deep level of sector expertise means we’re the go-to law firm for clients leading the way in the low-carbon industry. 

The Data (Use and Access) Act 2025 – Implications for your business

Introduction

The Data (Use and Access) Act 2025 (the “DUAA”) received royal assent last year with the aim of improving people’s lives, making processes easier for both users and businesses, and ultimately growing the economy. One of its key aims is to clarify UK data protection legislation to ensure current law is fit for our digital future.

The DUAA is being implemented in stages which broadly amends current UK data protection laws.

Data processing: ‘Recognised Legitimate Interests’

You must have a valid lawful basis to process personal information. Previously, there were six lawful bases for processing personal data; the DUAA has introduced a seventh: ‘recognised legitimate interests’. This basis allows lawful processing for one of the following pre-approved purposes:

  • safeguarding national security, protecting public security and defence purposes;
  • responding to an emergency;
  • detecting, investigation or prevention of crime;
  • disclosure to a controller that requires the personal data to carry out a public interest task or to exercise its official authority where the controller has requested that data; and
  • safeguarding of vulnerable individuals.

Recommended Action: Review your privacy policy. If the new ‘recognised legitimate interests’ basis is relevant to your business and how you handle personal data, your privacy policy will need to be updated to include the appropriate wording.

Cookie Rules

The DUAA clarifies and narrows the consent requirements for a wider range of cookies under the PECR. Cookies used to collect information for statistical purposes or to improve the functionality of your website no longer require consent in certain circumstances.

Provided users are given clear information about the cookies (transparency) and a clear, free opt-out option, new exemptions to the consent requirement apply to:

  • analytical/performance cookies (no consent required where used to improve services); and
  • functionality cookies (no consent required where related to appearance or functionality).

It is worth noting that:

  • consent is still required for targeting/advertising cookies; and
  • as before, no consent is needed for strictly necessary/essential cookies.

The penalties for breaching cookie rules under PECR have also increased significantly. The most serious infringements can lead to a maximum fine of £17.5m or 4% of global annual turnover, whichever is higher.

Recommended Action: Carry out an audit of cookies used on your website and ensure your cookie banner accurately reflects the changes.

Data Protection Complaints

If you do not already have something in place, the DUAA requires you to take proactive steps in implementing and managing complaints about how you handle personal data. You will be required to offer a complaints form (whether electronic, by post or by phone), acknowledge complaints, and respond to them without undue delay.  This new requirement comes into force on 19 June 2026.

Recommended Action: Ensure you have a DUAA-compliant complaints procedure in place and that all relevant staff are appropriately trained to handle complaints correctly. Update your privacy policy to include the information about your complaints process as required by the new law.

Other changes

  • Scientific research. The DUAA broadens the permitted use of personal data for scientific research and statistical purposes.
  • Automated decision-making. The new law narrows restrictions around the use of automated decision-making (“ADM”) in relation to the processing of special category (or sensitive) data under the UK GDPR. Provided certain safeguards apply, ADM processes can be used in decision making around special category data where certain conditions are met.
  • Children’s protection. The DUAA codifies a requirement for controllers to explicitly consider children’s heightened protection needs when providing online services likely to be accessed by children. In such cases, it is advisable to use clear, child-appropriate language in your privacy notices, in line with the ICO’s age-appropriate design code, the ‘Children’s Code’.

Recommended Action: Visit the ICO website for further guidance on the changes brought by the DUAA, including checklists and other useful resources for businesses. 

Get in touch

We are able to assist with the preparation of data protection complaint handling policies, privacy policies, privacy notices and data protection policies.  If you want to find out more about the services we provide, or require data protection advice, please contact Rebecca Anforth (Legal Director) by email at rebecca.anforth@murrellslaw.com or Emily Eastburn-Pentreath (Trainee Solicitor) at emily.eastburn-pentreath@murrellslaw.com.

Key contacts

Emily Eastburn-Pentreath

Trainee Solicitor

Emily Eastburn-Pentreath

Trainee Solicitor

Emily is a Trainee Solicitor in the Intellectual Property and Commercial team assisting with trade marks, data protection and other commercial matters.

More About Emily
emily.eastburn-pentreath@murrellslaw.com 07873614900 LinkedIn

Rebecca Anforth

Legal Director

Rebecca Anforth

Legal Director

Rebecca leads our intellectual property team and is recognised by the Legal 500 for her in-depth knowledge of intellectual property law.

More About Rebecca
Rebecca.Anforth@murrellslaw.com 07984 692100 LinkedIn

Related news

Murrells secures Leading Partner promotions and firm-wide rankings in Legal 500 UK 2026

Murrell Associates LLP has been ranked across all five of its practice areas in the Legal 500 UK 2026 guide, with partner Henry Maples achieving Leading Partner status for the first time. The Truro-based firm secured rankings in Corporate and Commercial, Commercial Property, Employment, Energy and Projects, and Intellectual Property; the second consecutive year it’s […]

Murrell Associates hit it for six in 2024’s Legal 500

Murrell Associates, the corporate and commercial law firm is celebrating their strongest performance of their 15-year history in the latest edition of legal directory the Legal 500.   Six of Murrells’ lawyers were ranked individually with Rebecca Anforth hitting the top spot, ranking as a Leading Individual for intellectual property advisors across the South West. […]

How marine innovation company Tugdock secured investment to prepare for a global opportunity

Floating offshore wind turbines are located in areas where there is deeper water and higher winds than fixed wind turbine structures, enabling them to generate higher levels of power.