
New UK data law aims to simplify. Will businesses see it that way?

By: Chris Williams
There's a new data governor in town and it's reshaping how organisations manage personal data. Alfie Duffen, Charley Wright and Lovelee May Ramel explain how businesses can use the UK’s Data Use and Access Act (DUAA) 2025 to gain a competitive edge.

The DUAA received Royal Assent in June 2025, ushering in a new era in data governance and refining previous data laws to make life simpler for all organisations and public bodies processing personal data under UK jurisdiction. 

Taking the right approach will be key to enable your organisation to align innovation with evolving legal obligations, and to reduce the compliance burden while continuing to manage data privacy risk. 

Here's how to take the DUAA on board in your business. 

A new chapter in UK data regulation

The DUAA aims to modernise the UK's approach to data governance, recognising the shortfalls in previous legislation and the large administrative effort involved in staying compliant. Rather than replacing existing laws – such as the UK General Data Protection Regulation (GDPR) or the Data Protection Act (DPA) 2018 – the DUAA refines them to reduce complexity, support innovation, and maintain public trust. 

The legislation also brings more flexibility to how organisations handle personal data, particularly in areas such as automated decision making and cookie usage. These updates are designed to ease compliance burdens while preserving the privacy rights of individuals. For a detailed breakdown of what’s changed, see the ICO’s summary of the DUAA or the full text on Gov.uk.  

It also provides an opportunity to streamline data use, boost customer trust, and accelerate digital transformation. The challenge lies in aligning this flexibility with robust governance and ethical responsibility.

Embedding DUAA compliance into your strategy

For many organisations in the UK, the DUAA may seem like another layer of regulatory complexity – but there’s no cause for panic. The changes are real yet manageable and, in many cases, aim to address frustrations with existing regulations. The key is to treat the DUAA not as a legal hurdle but as an approach to support innovation, build trust, and improve how data is used across the business.

For most, a complete overhaul is not necessary. Instead, you need to be smart about how you apply the new rules. A good example is the introduction of “recognised legitimate interests” as a new lawful basis for processing personal data. In specific cases – such as crime prevention, safeguarding vulnerable individuals, or emergency response – you'll no longer be required to carry out a balancing test to justify the processing of personal data. This change is relevant for sectors such as financial services and real estate, where timely and responsible data sharing is essential for fraud prevention or the protection of vulnerable tenants.

Similarly, if your business relies on digital engagement – through online retail, client portals or service platforms, for example – you can now simplify the process of gathering consent for cookies. By embedding clear opt-out mechanisms and transparent messaging into the user journey, compliance becomes part of the customer experience, not a barrier to it. 

Under the DUAA, organisations already using AI tools in their operations, such as to streamline decisions or improve customer experience, can now operate these tools with greater flexibility, depending on their specific application. This is contingent on establishing clear communication, offering human oversight of decisions made by an automated system, and allowing individuals to challenge outcomes. The objective of this change is to let businesses innovate quickly without compromising the trust of data subjects.

How to make the DUAA work for your business

To turn policy into practice, you need to start by ensuring all stakeholders understand their responsibilities. Legal, data and product teams need to work together to apply the DUAA's changes consistently, especially when it comes to fast-paced areas such as AI tools. 

Next, focus on clarity and transparency with users. Using plain language in privacy notices, explaining how decisions are made by AI, and giving people easy ways to opt out or ask for human review continue to be crucial regulatory requirements – and, importantly, they build trust with customers. 

Lastly, leverage the DUAA’s flexibility to pilot innovative approaches. The law gives you more room to innovate – as long as you do it responsibly. While the DUAA changes offer greater operational freedom, they demand stronger internal coordination to avoid inconsistency, reputational risk or regulatory scrutiny.

Seven questions to step up your data strategy

There are lots of areas where the DUAA makes changes. These practical questions will help guide your next steps:  

1. Where is personal data collected, reused or automated? 

Review your data practices to identify where personal data is collected, processed and reused, especially in automated decision making and research contexts. 

2. Where can we move faster, without losing control? 

Assess DUAA applicability by looking for parts of your current data protection framework where DUAA exemptions or streamlined processes might apply. Then assess whether adopting them aligns with your organisation’s objectives.

3. Are we still covered – and clear about it? 

Revise privacy notices and cookie policies to reflect any changes you’ve made as a result of the DUAA. Ensure transparency remains a priority. 

4. What about making decisions using AI? 

Enhance governance frameworks to introduce or strengthen safeguards for automated decisions, where applicable, including human review and appeal mechanisms. 

5. Do our people understand what’s changed? 

Educate staff on DUAA provisions, where applicable, especially those in legal, compliance, and data management roles. 

6. Are we tuned in to the regulator? 

Monitor guidance from the Information Commissioner’s Office (ICO) and seek support where needed. 

7. Where can we now innovate?  

Pilot innovation projects and explore opportunities to leverage the DUAA’s flexibility for testing new data-driven initiatives, while staying connected with your compliance or legal teams. 

From compliance to competitive edge

Change brings uncertainty but also opportunity. The DUAA is more than a regulatory update – it’s a signal of where data governance is heading. Organisations that act early, align their teams, and embed compliance into innovation will be best positioned to lead in a data-driven future. 

The DUAA is being implemented in phases from August 2025 through early 2026. Key provisions – including updates to the ICO’s objectives, changes to UK GDPR and DPA 2018, and reforms around automated decision making and cookies – will come into force gradually. This phased approach gives organisations a practical adjustment period to review and align internal practices. 

Your next move? 

Initiate internal discussions. Bring your leadership team together to explore how the DUAA can support smarter, faster and more ethical innovation. With the right mindset and governance, compliance becomes a source of resilience and competitive edge. 

For more insight and guidance, get in touch with Chris Williams or Charley Wright.