Rebalancing Privacy and Progress: GDPR Changes Under the Digital Use and Access Act

  • Sep 20

In June 2025, the UK Parliament passed the Data (Use and Access) Act, a sweeping update to digital governance that subtly—but significantly—reshapes the contours of UK GDPR. While the Act doesn’t replace existing legislation, it introduces targeted amendments designed to foster innovation, streamline compliance, and recalibrate the balance between privacy and utility.

Let’s unpack the key changes and what they mean for organisations, designers, and data strategists alike.


1. Automated Decision-Making: More Room to Move

The Act introduces a more permissive framework for automated decision-making (ADM). Organisations can now make legally or significantly impactful decisions based solely on automated processing in broader circumstances—provided they implement safeguards like meaningful human review.


✨ Strategic Insight: This opens doors for AI-driven services and personalization engines, but demands thoughtful UX design to ensure transparency and trust.



Automated Decision Making

📬 2. Subject Access Requests: A Touch More Flexibility

Controllers can now request clarification from individuals before responding to subject access requests, effectively extending the response timeline. This helps manage complex queries without compromising rights.


💡 Tip: Consider designing intuitive request forms and dashboards to streamline this interaction and reduce friction.



🧠 3. Scientific Research: Broad Consent and Reduced Burden

The Act clarifies that individuals can give broad consent for scientific research, including commercial projects. Organisations may reuse personal data without issuing new privacy notices if doing so would involve disproportionate effort—provided rights are protected and notices are published online.


🌱 Wellness and innovation sectors can benefit here, especially when designing longitudinal studies or user behavior analytics.


🍪 4. Cookie Rules: A Softer Approach

Certain cookies—like those used for statistical analysis or improving site functionality—no longer require explicit consent. This simplifies compliance for UX teams and analytics platforms.


🎯 Design Opportunity: Use this shift to create cleaner, less intrusive cookie banners that still respect user autonomy.


🛡️ 5. Recognised Legitimate Interests: A New Lawful Basis

A new category called Recognised Legitimate Interests (RLI) allows data processing without the usual balancing test. This applies to areas like public security, crime prevention, and safeguarding vulnerable individuals.


⚖️ While this reduces friction for certain public-interest tasks, it’s vital to maintain ethical boundaries and clear communication with users.


📁 6. Complaints and Accountability: Codifying Best Practice

Organisations must now facilitate complaints and respond within 30 days. This likely means creating formal complaint channels and maintaining logs.


🧩 Consider integrating this into your account management dashboards or client portals to reinforce trust and responsiveness.



🚨 7. PECR Fines: A Bigger Stick

Fines under the Privacy and Electronic Communications Regulations (PECR) now align with UK GDPR—up to £17.5 million or 4% of global turnover. This raises the stakes for non-compliance in areas like direct marketing and cookie misuse.


Final Thoughts: Designing for Dignity and Innovation

The DUAA is less a revolution than a recalibration. It invites organisations to rethink how they handle personal data—not just to comply, but to build systems that feel human, trustworthy, and emotionally intelligent.


For those of us crafting digital experiences, this is a chance to lead with empathy while embracing the efficiencies of automation and data-driven design.

