Data protection – are you aware of the recent changes?

The Data Use and Access Act 2025 (DUAA) became law in June 2025 and aims to make things easier for organisations, while still protecting people and their rights.

The changes are being phased between June 2025 and June 2026, but key updates include:

• ‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail marketing to people whose personal information you collect when they support, or express an interest in, your work, unless they object.

• Subject access requests (SARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information.

• Children and online services: if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to the ICO Age appropriate design code (AADC).

• Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’.  

You can read more here: The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations? | ICO