Policy Pros
Written by Joanne Hughes, Policy & Compliance Specialist

Data Use and Access Act 2025 Changes - Employer Guide

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being brought into force in stages. It updates UK data protection law rather than replacing it, so the UK GDPR and Data Protection Act 2018 still apply, with changes layered on top.

This guide summarises the changes most likely to affect employers and the documents you may need to review. It is an overview, not legal advice, and the detail of each area is still being finalised through ICO guidance.

The New Complaints Duty

From 19 June 2026, every controller must have a process for handling data protection complaints from individuals. You must facilitate complaints, acknowledge receipt within 30 days, and respond without undue delay.

This is the most immediate change with a fixed deadline, and there is no small business exemption. Our data protection complaints procedure guide covers the duty in full, and the small business checklist gives you a fast route to compliance.

Subject Access Requests

The DUAA confirms that the search you carry out in response to a subject access request needs to be reasonable and proportionate. It also clarifies the ability to pause the response clock while you seek information needed to identify the requester or clarify the request.

For employers who regularly receive access requests from staff and former staff, this is a helpful clarification, but the underlying right of access remains.

Recognised Legitimate Interests

The Act introduces recognised legitimate interests, a defined list of purposes you can rely on as a lawful basis without carrying out the usual balancing test. The list includes purposes such as responding to certain requests from public bodies.

If you rely on one of these, record it accurately in your records of processing and your privacy notice.

Automated Decision-Making

The DUAA adjusts the rules on solely automated decisions that have a significant effect on people. The restrictions remain tightest for decisions based on special category data, while allowing more scope elsewhere with appropriate safeguards.

If you use automated tools in recruitment or performance management, review how decisions are made and what human oversight you provide.

What Has Not Changed

The core principles of UK data protection are intact. You still need a lawful basis to process personal data, you still owe transparency to individuals, and you still have to keep personal data secure and report serious breaches.

The DUAA refines the regime; it does not remove the baseline obligations.

The Changes at a Glance

| Area | What employers should do |
| --- | --- |
| Complaints duty | Put a compliant complaints process in place by 19 June 2026 |
| Subject access | Confirm your process reflects reasonable and proportionate searches and the stop-the-clock rules |
| Lawful bases | Check whether recognised legitimate interests apply and record them accurately |
| Automated decisions | Review automated tools and the human oversight around them |
| Privacy notice | Update it to reflect the new complaints route and any lawful basis changes |

How Policy Pros Can Help

We help employers bring their data protection documentation in line with the DUAA, from the new complaints procedure to privacy notices and records of processing.

Our GDPR consultancy, data protection and confidentiality policy and privacy policy writing services cover the areas the Act touches. Start with the complaints duty, since that is the change with a fixed 19 June 2026 deadline.

Frequently Asked Questions

What is the Data Use and Access Act 2025?

The Data (Use and Access) Act 2025 is UK legislation that updates data protection and related law. It received Royal Assent on 19 June 2025 and is being commenced in stages. It amends the UK GDPR and Data Protection Act 2018 rather than replacing them.

Which DUAA change has a fixed deadline for employers?

The data protection complaints duty has a fixed deadline of 19 June 2026. From that date every controller must have a process to facilitate complaints, acknowledge them within 30 days, and respond without undue delay.

Does the DUAA replace the UK GDPR?

No. The DUAA refines and amends the UK GDPR and Data Protection Act 2018. The core principles, lawful basis requirements, transparency duties and security and breach reporting obligations remain in place.
