General Insurance Article - The Data Use and Access Act: what are the key impacts?


In June this year, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent. There’s a staged approach to commencement, with most changes likely to come into effect from December this year, and the rest in early 2026. Here’s our take on the measures which are likely to be of most interest to pension schemes and funds.

 By Brian Taylor, Head of Information Governance, Hymans Robertson

 Don't panic
 This isn’t another GDPR, and the provisions are largely positive for organisations, while maintaining protections for individuals. Some action will be needed, including updating privacy notices, amending complaints processes and reviewing internal policies, procedures and guidance.

 Other changes won’t require immediate action, but may present some opportunities for innovation, with updated rules on scientific research and automated decision-making.

 What are the key changes?
 DUAA contains wide-ranging measures, some of more interest than others.

 Parts 1-4 of DUAA deal with things like Smart Data schemes, Digital Verification Services and national registers. Part 5 contains the data protection changes and Part 6 deals with the Information Commissioner.

 Parts 7 and 8 contain additional data-related measures and final provisions.

 Perhaps the most interesting changes are in Parts 5 and 6:

 Data Subject Access Requests (DSARs): Controllers need only conduct a search for data and other information that is “reasonable and proportionate”.

 Complaints: An additional, statutory right for individuals to complain to the controller, and monetary penalties for organisations who don’t meet their complaints obligations.

 International transfers of personal data: Controllers must apply a new “data protection test” instead of carrying out a Transfer Risk Assessment when transferring data from the UK to some countries.

 Cookies exemptions and changes to fines under the Privacy and Electronic Communications Regulations (PECR): New exemptions for analytics and website presentation cookies, and increased monetary penalties for infringing PECR, including electronic marketing rules.

 Automated decision-making (ADM): ADM will be generally permitted subject to certain safeguards, unless special category data is involved.

 ‘Recognised legitimate interests’ and purpose limitation changes: A list of five recognised legitimate interests, which may remove some uncertainty. Clarification that scientific research (which can include technology development) is generally compatible with the original purpose of processing.

 Changes to the regulator: A new Information Commission will be established, which will be a corporate body similar to other regulators like the Financial Conduct Authority. The current Information Commissioner (John Edwards) will be the new Commission’s first Chair.

 Timescales and guidance
 Most of the changes are expected to come into effect in December 2025. You can check the current timetable for updates.

 We also expect updated guidance from the Information Commissioner’s Office (ICO) over the coming months. The ICO has provided a summary of the changes in DUAA.

 Now is the time to start thinking about what changes you might need to make to your own data protection compliance arrangements, including complaints processes, changes to privacy notices and other internal documentation. You may want to ask your legal advisers for guidance.

  
