[author: Rachel de Souza]
In response to the UK’s new Data (Use and Access) Act 2025 (DUA Act) coming into force, the UK Information Commissioner (ICO) has launched two public consultations. The consultations, which aim to shape final guidance on amendments introduced by the DUA Act, address the new lawful basis of “recognised legitimate interests” and the requirement for organisations to implement a data protection complaints process.
Background
The DUA Act received Royal Assent on 19 June 2025 and introduces a number of amendments to the UK’s data protection regime (see our previous Privacy Matters blog for more information on the changes). Although some of the DUA Act’s provisions came into force automatically, many of the Act’s provisions will need to be commenced via secondary regulations. The government plans to commence these provisions in stages, with the majority of the data protection provisions expected to enter into force this year (with the exception of those provisions that may require a longer lead-in time, such as the complaints process).
Recognised Legitimate Interest
The DUA Act introduces the concept of ‘recognised legitimate interests’. This new lawful basis will provide a presumption of legitimacy to processing activities for certain pre-approved public interest purposes, including activities such as:
- Crime prevention
- Public security
- Safeguarding
- Emergency response
- Sharing personal data to help other organisations perform their public tasks.
The ICO’s draft guidance is aimed at large organisations and data protection officers and aims to provide practical examples and clarity as to how this basis differs from the existing “legitimate interests” basis. The guidance confirms that a public interest purpose must be present and advises public authorities to continue to use the public task lawful basis for official functions.
Data Protection Complaints
Under the DUA Act, organisations should first try to resolve complaints before going to the ICO. To assist with this, all organisations must have a formal process in place to handle data protection complaints by June 2026. The ICO’s draft guidance sets out the new requirements and informs organisations of the steps for compliance.
Next Steps
The ICO consultations will assist in providing clarity and certainty to businesses navigating the new legal landscape. Feedback to the consultations can be submitted via the following links:
[View source.]
