
The Data (Use and Access) Act is here: What are the key impacts?

30 September 2025
5 min read

Author

Brian Taylor

Head of Information Governance

In June this year, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent. There’s a staged approach to commencement, with most changes likely to come into effect from December this year, and the rest in early 2026. Here’s our take on the measures which are likely to be of most interest to pension schemes and funds.

Don't panic 

This isn’t another GDPR, and the provisions are largely positive for organisations, while maintaining protections for individuals. Some action will be needed, including updating privacy notices, amending complaints processes and reviewing internal policies, procedures and guidance.

Other changes won’t require immediate action, but may present some opportunities for innovation, with updated rules on scientific research and automated decision-making.

What are the key changes?

DUAA contains wide-ranging measures, some of more interest than others.

Parts 1-4 of DUAA deal with things like Smart Data schemes, Digital Verification Services and national registers. Part 5 contains the data protection changes and Part 6 deals with the Information Commissioner.

Parts 7 and 8 contain additional data-related measures and final provisions. 

Perhaps the most interesting changes are in Parts 5 and 6:

  • Data Subject Access Requests (DSARs): Controllers need only conduct a search for data and other information that is “reasonable and proportionate”.

  • Complaints: An additional, statutory right for individuals to complain to the controller, and monetary penalties for organisations who don’t meet their complaints obligations.

  • International transfers of personal data: Controllers must apply a new “data protection test” instead of carrying out a Transfer Risk Assessment when transferring data from the UK to some countries.

  • Cookies exemptions and changes to fines under the Privacy and Electronic Communications Regulations (PECR): New exemptions for analytics and website presentation cookies, and increased monetary penalties for infringing PECR, including electronic marketing rules.

  • Automated decision-making (ADM): ADM will be generally permitted subject to certain safeguards, unless special category data is involved.

  • ‘Recognised legitimate interests’ and purpose limitation changes: A list of five recognised legitimate interests, which may remove some uncertainty. Clarification that scientific research (which can include technology development) is generally compatible with the original purpose of processing.

  • Changes to the regulator: A new Information Commission will be established, which will be a corporate body similar to other regulators like the Financial Conduct Authority. The current Information Commissioner (John Edwards) will be the new Commission’s first Chair.

Timescales and guidance

Most of the changes are expected to come into effect in December 2025. You can check the current timetable for updates.

We also expect updated guidance from the Information Commissioner’s Office (ICO) over the coming months. The ICO has provided a summary of the changes in DUAA.

Now is the time to start thinking about what changes you might need to make to your own data protection compliance arrangements, including complaints processes, changes to privacy notices and other internal documentation. You may want to ask your legal advisers for guidance.

If you'd like more details on what we're doing to prepare, please ask your usual Hymans Robertson contact for a copy of our brochure on the topic.

Lastly, if you have any questions or would like to discuss further, please get in touch.

This communication has been compiled by Hymans Robertson LLP® (HR) as a general information summary and is based on its understanding of events as at the date of publication, which may be subject to change. It is not to be relied upon for investment or financial decisions and is not a substitute for professional advice (including for legal, investment or tax advice) on specific circumstances. HR accepts no liability for errors or omissions or reliance on any statement or opinion. Where we have relied upon data provided by third parties, reasonable care has been taken to assess its accuracy however we provide no guarantee and accept no liability in respect of any errors made by any third party.
