Get Ready for 2026… Data Management

The Data Use and Access Act (DUAA) 2025 amends the Privacy and Electronic Communications Regulations (PECR), allowing charities to send direct marketing about their charitable purposes without consent.

This charitable purpose soft opt-in can only be used if specific conditions are fully met. These are:

You’re a charity – as defined under the law in England, Scotland or Northern Ireland.

• The sole purpose of your direct marketing is to further one or more of your charitable purposes.

• You obtained the contact details directly from the recipient.

• You obtained the details in the course of the recipient either expressing an interest in one or more of your charitable purposes or offering or providing support to further one or more of your charitable purposes.

• You gave an opportunity to refuse or opt out when you collected the details.

• You give an opportunity to refuse or opt out in every subsequent communication.

You’ll still need to have a laeful basis for processing, and you’ll need to update your privacy notices if you choose to use this mechanism.

The concept of ‘recognised legitimate interests’ is to be introduced, whereby organisations will not be required to conduct a balancing test (i.e. Legitimate Interests Assessment) when relying on this lawful basis – but only for specific, recognised purposes. The list of recognised legitimate interests includes the following:

■ Disclosures to public bodies, where it is asserted personal data is necessary to fulfil a public function.
■ Disclosures for national or public security or defence purposes, emergencies.
■ Disclosures for prevention or detection of a crime, and safeguarding vulnerable individuals.

The DUAA will include extending the exceptions to consent from only ‘strictly necessary’ to include other specific types of ‘low risk’ cookies and similar technologies. The exemption will be permitted for certain statistical purposes and optimising website appearance, as long as clear information is provided and users are given a straight-forward ability to opt-out.

The DUAA introduces a statutory requirement for all organisations to implement a formal data protection complaints process by June 2026.

The regime imposes two core duties:

1. Creating and publicising a complaints process

2. Operating that process effectively in practice

The ICO’s draft guidance expands on these requirements and stresses that organisations must:

• Make the complaints process easy to locate (e.g. linked prominently from privacy notices and websites);

• Explain clearly how complaints will be handled, including timeframes; and

• Ensure the process is available to all individuals, not only customers or employees.

• Facilitate the making of complaints, including by providing an electronic complaint form and alternative routes (e.g. email and post).

The ICO also states organisations should provide multiple channels (such as online forms, email, or postal options) and could offer dedicated contact points or FAQs to guide complainants. The emphasis is on accessibility and clarity, avoiding unnecessary procedural hurdles.