Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 amends and supplements the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. It introduces new rules on data sharing, access, and use, aiming to facilitate responsible data use while maintaining strong privacy protections.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
Automated Decision-Making and Profiling
Regulates the use of automated systems for decision-making that significantly affects individuals, with new transparency and accountability obligations.
| Code | Title |
|---|---|
| DUAA.AD.1 | Transparency in Automated Decision-Making |
| DUAA.AD.2 | Right to Human Intervention |
Data Retention and Post-Mortem Data Handling
Rules on data retention, particularly concerning the handling of data after the death of an individual, including special provisions for children.
| Code | Title |
|---|---|
| DUAA.RT.1 | Retention of Data Following Death of a Child |
| DUAA.RT.2 | Data Minimization and Retention Schedules |
Data Sharing and Joint Processing
Rules governing data sharing between organizations, including joint processing arrangements and new provisions for intelligence services collaboration.
| Code | Title |
|---|---|
| DUAA.SH.1 | Joint Processing Agreements |
| DUAA.SH.2 | Data Sharing for Public Interest Purposes |
Data Subject Rights and Access Requests
This domain governs data subject access rights, including DSAR procedures, timelines, and the new right to complain directly to data controllers.
| Code | Title |
|---|---|
| DUAA.DS.1 | Data Subject Access Requests (DSARs) |
| DUAA.DS.2 | Right to Complain to Data Controller |
| DUAA.DS.3 | Internal Complaint Handling Procedures |
Direct Marketing and Electronic Communications
Amendments to the Privacy and Electronic Communications Regulations 2003, particularly around consent requirements for electronic marketing.
| Code | Title |
|---|---|
| DUAA.DM.1 | Relaxed Consent Rules for Direct Marketing |
| DUAA.DM.2 | Transparency in Electronic Marketing |
International Data Transfers
This domain outlines the revised regime for transferring personal data outside the UK, including the new 'data protection test' for assessing recipient countries.
| Code | Title |
|---|---|
| DUAA.IT.1 | Data Protection Test for International Transfers |
| DUAA.IT.2 | Transfer Impact Assessments (TIAs) |
Lawful Data Processing and Legitimate Interests
This domain covers the legal basis for processing personal data, with updated rules on legitimate interests, including exemptions for specific sectors and purposes such as fraud prevention and intra-group administration.
| Code | Title |
|---|---|
| DUAA.LP.1 | Legitimate Interests Assessment (LIA) Exemptions |
| DUAA.LP.2 | Transparency in Lawful Processing |
Frequently Asked Questions
What is Data (Use and Access) Act 2025?
Data (Use and Access) Act 2025 is a compliance framework from United Kingdom with 7 domains and 15 controls. The Data (Use and Access) Act 2025 amends and supplements the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. It introduces new rules on data sharing, access, and use, aiming to facilitate responsible data use while maintaining strong privacy protections. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Data (Use and Access) Act 2025 have?
Data (Use and Access) Act 2025 has 15 controls organised across 7 domains. The largest domains are Data Subject Rights and Access Requests (3 controls), Automated Decision-Making and Profiling (2 controls), Data Retention and Post-Mortem Data Handling (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Data (Use and Access) Act 2025 map to?
Data (Use and Access) Act 2025 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.
How do I get started with Data (Use and Access) Act 2025 compliance?
Start your Data (Use and Access) Act 2025 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Data (Use and Access) Act 2025 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 15 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 693 frameworks.
Get Started Free →Free forever — no credit card required