While the Employment Rights Bill has dominated headlines, the Data (Use and Access) Act 2025 (DUAA) quietly received Royal Assent earlier this year.
It doesn’t replace existing data protection law – it tweaks and simplifies it. These changes will be introduced in stages over the next 12 months.
Here’s what matters most for employers, and what our data protection expert, Denise Almeida, says you should be thinking about now.
#1 “Stop the clock” on subject access requests
What’s changed – the DUAA now explicitly allows you to pause the clock on responding to a subject access request (SAR) if you need to ask the requester to clarify which data or processing they mean (if their request is vague or unclear).
Why it matters – I’ve seen a steady increase in SARs being made by employees, so having a clearer ability to seek clarification helps you manage your response time and reduce the risk of missing deadlines.
What to do – review your SAR policy and process. Have a clear template or procedure for asking for clarification, set internal deadlines for responding once the clarification arrives, and train the team members who manage SARs on the new process.
#2 Reasonable and proportionate searches
What’s changed – the DUAA clarifies that you only have to carry out ‘reasonable and proportionate’ searches when responding to SARs. You don’t have to go on exhaustive, resource-heavy hunts for data that may be irrelevant.
Why it matters – I regularly support employers struggling with very broad or vague data requests, which can be costly and labour intensive. This change gives more clarity, and some relief, by allowing you to be more specific about what data is being searched for.
What to do – update your SAR response process to include a stage where you assess whether further search is reasonable/proportionate (and ensure you document your decision-making).
#3 Recognised legitimate interests
What’s changed – the DUAA introduces a list of “recognised legitimate interests” that organisations can rely on without needing to carry out a full balancing test each time (such as crime prevention, safeguarding vulnerable people, responding to emergencies).
Why it matters – employers often rely on legitimate interests for processing employee data (for example, internal investigations, health and safety monitoring, safeguarding). Having a clearer basis reduces risk and simplifies compliance.
What to do – I recommend reviewing your lawful basis for each personal data processing activity. For those that fall into the “recognised legitimate interests” list, document that basis and consider whether you need to update your privacy notices or internal policy. For those that don’t, maintain the full legitimate interest assessment (and document your reasoning).
#4 Complaints process
What’s changed – the DUAA creates clearer requirements for employers’ internal data protection complaint handling. These include providing an electronic complaint form, acknowledging complaints within 30 days, and responding without undue delay.
Why it matters – it will mean a review and update of existing complaints procedures to ensure they meet the new statutory standard.
What to do – audit your data protection complaint policy and process, and update your internal training to ensure everyone is on the same page. You’ll need to create an electronic or digital form, commit to acknowledging within 30 days, and ensure you have a process and timeline for substantive response.
#5 AI and automated decision-making
What’s changed – the DUAA encourages use of AI and automated decision-making (ADM) tools, particularly where special category data is not processed, but maintains a requirement for human oversight when it comes to ‘significant decisions’.
Why it matters – because it wouldn’t be a data protection update without mentioning AI, right? This change opens up more opportunity but also underscores the need for a responsible approach to AI.
What to do – if you use AI/ADM tools for employee-related decisions, review your framework – ensure you have a Data Protection Impact Assessment (DPIA), confirm when human oversight kicks in, document how decisions are made, and ensure transparency.
How can we help with your data protection compliance?
Don’t wait for a request to land. We can review your SAR process, deliver practical training, or carry out a full data protection audit so you’re ready for the DUAA changes. Get in touch to have a chat about how we can help.
This update is accurate on the date it was published but may be subject to change which may or may not be notified to you. This update is not to be taken as advice and you should seek advice if anything contained within affects you or your business.