As of February 2026, the UK’s data landscape has officially shifted. While the Data (Use and Access) Act (DUAA) 2025 builds on the foundation of the UK GDPR, it introduces critical reforms designed to reduce “red tape” while maintaining high standards of protection.
For UK businesses, this means updating compliance frameworks to reflect:
New Lawful Bases: The “Recognised Legitimate Interests” list now streamlines processing for crime prevention, safeguarding, and emergency response—removing the need for traditional balancing tests in these areas.
Permissive Automated Decision-Making (ADM): New provisions allow for broader AI integration in decision-making, provided organizations offer a clear path for “meaningful human involvement” upon appeal.
Vexatious Request Thresholds: The shift from “manifestly unfounded” to “vexatious” for refusing Subject Access Requests (SARs) provides significant relief for high-volume data processors.
The Enactia Edge: Don’t manually rewrite your Record of Processing Activities (ROPA). Enactia’s UK-specific library includes the latest DUAA 2025 derogations. Map your existing GDPR controls to the new UK standards with a single click.
FAQ: Understanding the DUAA 2025
Does the DUAA 2025 replace the UK GDPR? No. It amends the UK GDPR and the Data Protection Act 2018 to modernize how the UK handles data.
Will this Act affect my EU Data Adequacy? The Act was designed to maintain high standards so that data can continue to flow freely between the UK and the EEA. Enactia helps you monitor any divergence that might put adequacy at risk.
What defines a “vexatious” request now? The ICO provides clearer criteria for requests intended to cause disruption or harassment, allowing DPOs to protect resources from bad-faith SARs.