Governance and Legislation Under the DUAA
A new regulator: IC replaces ICO
The ICO will become the Information Commission (IC). This new regulator will be governed by a board. John Edwards, the current Information Commissioner, will act as Chair for its first term. This move creates a body with broader oversight, signalling a shift towards more collective accountability in data governance.
For businesses, this change matters. The IC will bring a fresh approach to enforcement and compliance monitoring. Companies should expect more emphasis on governance structures, transparency, and proactive compliance.
International data transfers
Under GDPR, transfers outside the UK and EEA require strict safeguards. The DUAA will give the UK government more flexibility. It will decide which countries are “not materially lower” in their data protection standards than the UK.
This flexibility could make global data transfers smoother. However, it may also affect the UK’s adequacy agreement with the EU, which allows free data flows between the UK and EU. If the EU questions UK standards, businesses could face additional compliance hurdles.
For updates, check the UK Government’s data protection guidance.
Recognised legitimate interests
The DUAA changes how organisations can rely on “legitimate interests.” Under GDPR, businesses must balance their interests against the impact on individuals. The DUAA introduces “recognised legitimate interests” where this balancing test is not needed.
These include:
- Preventing and detecting crime.
- Safeguarding.
- Protecting national security.
The DUAA also recognises direct marketing as a legitimate interest. This means organisations can rely on legitimate interest rather than consent in some cases. However, businesses must still comply with the Privacy and Electronic Communications Regulations (PECR), and individuals retain the right to object.
Soft opt-in for charities
Charities will benefit from relaxed rules. They can now use an “opt-out” rather than “opt-in” approach to electronic marketing. This applies where an individual has previously supported or shown interest in the charity’s cause and has not objected. This change supports fundraising while still respecting individual rights.
The Rights of Individuals
DSARs become manageable
Data Subject Access Requests (DSARs) have been a challenge under GDPR, often requiring organisations to search through vast amounts of data. The DUAA brings relief by turning existing ICO guidance into law:
- The one-month response time only starts once the requester’s identity is verified.
- Organisations need only conduct a “reasonable and proportionate” search.
This change should reduce excessive workload. However, businesses must still show that their searches meet the test of being proportionate.
If information is withheld, for example due to legal privilege or confidentiality, organisations must now clearly explain which exemption applies and why.
The right to complain
The DUAA formally introduces the right for individuals to complain. Organisations will need to make this process easy and transparent, for example by offering online complaint forms.
Businesses must acknowledge complaints within 30 days and respond without undue delay. This change pushes organisations to resolve complaints internally, rather than leaving them to escalate to the IC.
At Radcat, we can help you design and document clear complaint-handling processes. This ensures compliance and strengthens trust with your customers.
Online and Digital Changes
DUAA and artificial intelligence
GDPR restricts automated decision-making, especially where it has a significant impact on individuals. The DUAA relaxes some of these restrictions, but only when sensitive data—such as health information or biometrics—is not involved.
The Act introduces the concept of “meaningful human intervention.” This means businesses must show that important decisions involving personal data have real human oversight.
For many organisations, this offers more freedom to use AI tools, provided safeguards are in place. For example, AI may be used to filter job applications, but final hiring decisions must involve human review.
The Information Commissioner’s Office will publish detailed guidance on AI and the DUAA as the rollout continues.
Digital Verification Services
The DUAA supports the growth of Digital Verification Services (DVS). These services could reduce the need for physical ID checks in sectors like finance, law, and government.
This aligns with government plans to create a new national digital identity framework, potentially replacing physical passports and driving licences with digital alternatives. The goal is to reduce fraud and streamline verification processes.
Businesses in regulated industries should prepare for this shift. Adopting DVS early may provide both compliance and competitive advantage.
Cookies and e-privacy
Cookie consent has long frustrated both businesses and users. The DUAA proposes to ease the rules. Operational cookies—such as those used for functionality or analytics—may no longer require explicit consent.
However, businesses must still:
- Be transparent about how cookies are used.
- Provide instructions on enabling or disabling cookies.
For digital marketers, the DUAA strengthens fines for non-compliance with PECR. Penalties will now match those under GDPR, underscoring the importance of lawful digital marketing.
What This Means for Your Business
The DUAA is not about tearing up the rulebook. It is about making data protection more workable. It simplifies some processes while tightening others. For organisations, the challenge is staying prepared.
Here’s what your business should focus on now:
- Update governance frameworks for the shift from ICO to IC.
- Review international transfers if you move data across borders.
- Revisit direct marketing strategies to ensure they align with legitimate interests and PECR.
- Adjust policies on subject access requests.
- Prepare complaint-handling systems to meet the new rules.
- Assess the role of AI and digital verification in your operations.
- Refresh cookie policies and update privacy notices.
At Radcat, we support businesses through these steps. We provide practical, hands-on guidance tailored to your operations. Find out more about how we can help.
RADCat Round-up
The Data Use and Access Act signals a shift towards smarter, more streamlined data governance. It balances innovation with individual rights. For businesses, it is not just about compliance. It is about readiness.
With the DUAA set to roll out over the coming year, now is the time to prepare. The future of data in the UK is evolving fast. Businesses that act early will be best placed to stay compliant, protect their reputation, and make the most of new opportunities.
At Radcat, we specialise in helping organisations understand and apply data law. Whether it’s GDPR, PECR, or the DUAA, we translate regulation into action. Contact us today to see how we can help your business stay secure, compliant, and ready for the future.
Visit Radcat.co.uk to learn more about our compliance services.