Unlocking Growth: A Guide to the UK Data Use and Access Act 2025

The UK’s data landscape has officially shifted. The Data Use and Access Act 2025 (DUAA) isn’t just another regulatory update; it’s the most significant refresh of our national data laws since the GDPR.

For agency leaders and their clients—from lean start-ups to established Enterprises—this is a strategic opportunity to cut through the red tape and leverage data more aggressively for growth. While much of the Act went live earlier this year, the final transition period wraps up on 19 June 2026. By that date, every organisation must have their final internal procedures, such as mandatory complaints handling, fully locked in.

The 5 Strategic Shifts You Need to Know

As we help our clients navigate this new era, I’m focusing on these five critical changes to the commercial landscape:

1. Killing the Friction: A Softer Touch on Cookies Consent is no longer the gatekeeper for ‘low-risk’ cookies used for basic analytics, site appearance, or essential tools like shopping carts.

• The Commercial Play: We can now help clients strip away those conversion-killing pop-ups for functional purposes, immediately improving User Experience (UX) and site performance.

  
  

2. Direct Marketing with Confidence The Act defines ‘Recognised Legitimate Interests’, which means we can stop performing complex, time-consuming ‘balancing tests’ for certain activities.

• The Commercial Play: This includes direct marketing, fraud prevention, and network security. SMEs can now engage existing customers with far greater legal certainty and significantly less paperwork.

  
  

3. Ending the SARs Nightmare Responding to Subject Access Requests used to be an administrative drain. Now, businesses are only required to conduct a ‘reasonable and proportionate’ search.

• The Commercial Play: This is a win for sanity. It protects smaller businesses from ‘weaponised SARs’ designed specifically to overwhelm your team with administrative burdens.

  
  

4. Real-World AI Integration Restrictions on Automated Decision-Making (ADM) have been eased, provided they don’t involve sensitive ‘special category’ data.

• The Commercial Play: Agencies can more freely integrate AI-driven tools—like automated recruitment or credit scoring—into their service offerings, as long as users can still contest significant outcomes.

  
  

5. New Frontiers in ‘Smart Data’ Following the success of Open Banking, the DUAA is opening the door for ‘Open Finance’ and ‘Open Energy’.

• The Commercial Play: For those of us with Enterprise clients in these sectors, there is a massive new market for building apps and services that leverage this newly accessible consumer data.

The Final Countdown: June 2026

While the innovation-friendly rules are already in play, the 19 June 2026 deadline brings the final layer of accountability.

• Mandatory Complaints Handling: By this June, every organisation must have a formal, statutory process for handling data protection complaints.

• Full Alignment: This date marks the end of the transition; we must ensure our own operations and our clients’ businesses are fully aligned with the Act’s final guidance.

  
  

Action Plan for Agencies

If I were sitting in your shoes today, here is how I’d prioritise the work:

• Audit Privacy Policies: Update client documentation to reflect the new ‘recognised legitimate interests’.

• Review Tech Stacks: Identify where ‘consent-free’ cookies can be implemented to boost website performance.

• Implement Complaints Procedures: Ensure clients have the necessary internal workflows to meet the June 2026 deadline for formal data complaints.

• Watch for ‘Trust Marks’: Advise clients to look for certified Digital ID partners to reduce fraud and onboarding friction.

Andy Hayes is a Guide for The Agency Adventure. With over 30 years of experience on the commercial side of the creative industries—including 12 years at board level—he brings a pragmatic, real-world view to risk and compliance. Andy served as the Data Controller at Quietroom from 2018 through 2025.

Want to talk through how these changes affect a specific client? You can book an appointment with Andy here to discuss data protection and the broader aspects of risk compliance.