Hero Image


PRIVACY CULTURE

Understanding the Data
(Use and Access) Act 2025

A detailed one-day workshop examining the targeted amendments contained within the
DUA Act, aimed at modernising and streamlining the UK's data protection legal framework

Book Now

Course Features

Short day session 10am - 3pm

Experienced instructor

Record of attendance

Public schedule

In-company options

Course Overview

After years of delays, the Data (Use and Access) Bill (DUA Bill) successfully cleared its final hurdle in the House of Lords and received Royal Assent on Thursday, 19 June 2025. It is now known as the Data (Use & Access) Act 2025.

The DUA Act introduces several amendments to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations (PECR).  

Key changes in the Act cover limitations to Subject Access Requests (SARs), the introduction of recognised legitimate interests, and modifications to rules relating to automated decision-making (ADM). Other UK GDPR amendments include revisions to international data transfers, purpose limitation, scientific research and enhanced protections concerning children's data. The Act also relaxes rules governing the use of cookies and aligns fines for non-compliance with PECR with those of the UK GDPR. In terms of criminal law enforcement processing under Part 3 of the DPA18, the Act clarifies the definition of consent, aligns response times for data subject rights with those of the UK GDPR and introduces additional requirements to codes of conduct for competent authorities. Meanwhile, the Information Commissioner's Office (ICO) will undergo significant organisational changes and will now be known as the Information Commission.

The UK government believes its legislative amendments will encourage innovation and enhance public trust without jeopardising the UK's vital data adequacy status with the European Union. This assumption has yet to be confirmed. While many of the provisions contained within the DUA Act are technical in nature, they are nonetheless significant in several important areas and require careful consideration.   

This one-day course is designed for experienced UK-based practitioners with a solid understanding of the UK GDPR, DPA18 and PECR, and who are required to maintain their expert knowledge of data protection law. 

Course Costs

Book this 1-day course on understanding the Data (Use and Access) Act 2025:

£395 + VAT

Package includes:

Book now

Intended Audience

This one-day Understanding the Data (Use & Access) Act 2025 course is suitable for those individuals with the following roles or responsibilities: 

  • Data Protection Officers (DPO)
  • Chief Privacy Officer (CPO)
  • Data protection practitioners
  • Information governance managers
  • Governance, Risk and Compliance (GRC) professionals
  • Information security, IT security and IT professionals
  • Privacy engineering
  • Solicitors advising on information law
  • AI governance
  • Project management
Course Contents:

Introduction:

  • A brief summary of the Data (Use and Access) Act's passage into law
  • Expected timeframes before most provisions can take effect 

Changes to the UK GDPR & DPA18:

  • Subject Access Requests (SARs)
  • Data subject rights' response times (Part 3 DPA18)
  • Definition of consent (Part 3 DPA18)
  • Recognised legitimate interests
  • Automated Decision Making (ADM)
  • International data transfers
  • Children's data
  • Purpose limitation
  • Research, archive, and statistical (RAS) purposes
  • Codes of conduct for competent authorities (Part 3 DPA18)

Changes to the PECR:

  • Low-risk cookies and similar tracking technologies 
  • Personal data breach reporting
  • Charities' fundraising activities and the soft-opt in
  • Codes of Conduct

Changes to the Information Commissioner's Office (ICO):

  • Information Commission (IC)
    • New board structure consisting of executive and non-executive members
  • Enhanced investigatory powers to:
    • Compel witnesses to attend interviews
    • Require organisations to produce technical reports
  •  Powers to issue fines under PECR of up to £17.5 million or 4% of global turnover in line with UK GDPR

Implications for UK Adequacy:

  • UK divergence from EU GDPR and Law Enforcement Directive standards
  • Upcoming re-evaluation of the UK's two adequacy decisions

Given that the amendments contained within the DUA Act further diverge the UK from EU standards, practitioners with responsibilities in both legal jurisdictions will find this course particularly beneficial for maintaining compliance with both GDPR frameworks.  

Book now

Our clients