Data (Use and Access) Act 2025 (DUAA) - Data Protection Policy Updates
We have reviewed and updated all versions of our Data Protection Policy templates in the Business folder to reflect the Data (Use and Access) Act 2025 and the latest practical requirements of the UK GDPR.
These updates do not replace the existing UK GDPR framework. Instead, they refine and enhance the policies so that businesses can continue to manage personal data responsibly, transparently, and in line with current data protection law.
What Has Changed?
The updated Data Protection Policy templates include revised and expanded wording covering several important areas of compliance, including:
- Subject access requests, including clearer wording on reasonable and proportionate searches and requests for clarification;
- Further processing, helping businesses assess when personal data may be used for a new purpose;
- Recognised legitimate interests, reflecting the new lawful basis introduced by the Data (Use and Access) Act 2025;
- Automated decision-making and profiling, with updated wording on safeguards and data subject rights;
- Data protection complaints, including new controller-side complaint handling requirements;
- International data transfers, with updated references to UK transfer safeguards and risk assessment requirements; and
- Data security, with practical enhancements reflecting modern working practices, cloud services, remote access, and the increased use of AI tools.
Why Have These Updates Been Made?
The Data (Use and Access) Act 2025 makes a number of practical changes to UK data protection law. For most businesses, the most important changes are not wholesale reforms, but targeted updates to everyday compliance processes.
The revised Data Protection Policy templates are designed to help businesses document how they collect, use, store, protect, retain, and dispose of personal data. They also help businesses show how they respond to data subject rights, complaints, security risks, and other key compliance issues.
Practical Business Focus
As with our wider range of UK GDPR and data protection templates, these policies are designed for business use. They focus on the provisions most relevant to private-sector organisations and do not fully incorporate rules that apply specifically to public authorities, official bodies, or specialist public-interest processing.
The updated wording is intended to be practical and adaptable, helping businesses put appropriate internal rules in place without overcomplicating day-to-day data protection compliance.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.