Unlocking opportunity with the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA) marks an important moment for the UK’s data and marketing industry. It creates new opportunities for growth driven by improved customer and donor engagement, supported by clearer rules around legitimate interests and updates to GDPR and PECR.

The amendments open new avenues for acquisition and retention across the economy, allowing brands to use third‑party data more effectively and confidently, to deliver more relevant and timely experiences.

What DUAA means for marketers

The DUAA marks an evolution in the UK’s data protection landscape. For marketers, it provides more clarity and flexibility while maintaining the core standards of responsible data use.

The DUAA updates the Data Protection Act (DPA) 2018, UK GDPR, and the Privacy and Electronic Communications Regulations (PECR). These targeted updates modernise how data can be used in practice to help businesses innovate, grow and build stronger relationships with customers and donors.

Key changes include:

  • Clearer and more flexible rules on processing personal data, including strengthened guidance on legitimate interest and reuse of data.
  • Updated cookie provisions setting out when consent is not required.
  • A new soft opt-in for charities sending electronic direct marketing.
  • An increase to PECR fines, now raised to UK GDPR levels.
  • Alignment of UK GDPR with current guidance to support a broad interpretation of the concept of scientific research.
  • Allowing data subjects to complain directly to controllers.
  • Updated rules for Automated Decision Making, removing many of the restrictions, except when special category data is involved.
  • Changes to international data transfer requirements.

Together, these changes aim to unlock responsible innovation, strengthen customer engagement while protecting individuals’ rights, and provide clarity and opportunity for the data and marketing industry. 

For more information about the positive impact of these changes on direct marketing, head to our blog.

What are the opportunities?

The DUAA enables organisations to refine how they use data, but making the most of it requires a proactive, customer-first approach. Here are three practical steps to get started:

  1. Review your data practices

Audit your data and marketing preferences, and cleanse and update where necessary. This includes:

  • suppression and screening
  • merging and purging
  • checking goneaways
  • de-duping
  • screening against relevant files such as deceased records.

  2. Put privacy at the heart of decisions

Follow the DMA Code’s customer-first principles and document your decisions to maintain transparency and trust.

  3. Update policies and put training in place

Make sure marketers, analysts and customer-facing colleagues understand what the DUAA means in practice. The DMA offers training for both members and non-members (more information is available on the DMA website).

Legitimate interest: What’s changing?

Legitimate interest is one of six lawful bases under the UK GDPR. The DUAA strengthens confidence in relying on it for direct marketing activities while still requiring organisations to protect individuals’ rights.  

It will continue to be central to direct marketing, except where consent is required (for example, for certain electronic marketing under PECR). Importantly, individuals retain an absolute right to object to any direct marketing that relies on legitimate interest. 

Legitimate interest in direct marketing

The success of any business relies heavily on its ability to attract customers and build relationships with its audiences. There is arguably no better way of achieving this than with direct marketing.

Examples of direct marketing activities where legitimate interest may apply include:

  • Direct mail
  • Profiling
  • Sourcing third-party data
  • B2B email
  • Live telemarketing (where an individual is not registered with the TPS)
  • Email to existing customers (soft opt-in)

Demonstrating legitimate interest

Under the updated UK GDPR text, direct marketing “may be considered a legitimate interest”. To rely on it, two conditions must be met:

  1. The processing of personal data is necessary for the activity.
  2. The processing of personal data does not override individuals’ rights and freedoms.

Legitimate interest is therefore about balancing the needs of the business with the rights and expectations of individuals. The way to demonstrate this is through a Legitimate Interest Assessment. 

Completing a Legitimate Interest Assessment (LIA)

An LIA consists of 3 parts:

Purpose: Define the activity, audience and objective. 

Necessity: Define what personal data will be used and why it is required.

Balancing: Consider people’s reasonable expectations, explain how their rights and freedoms will be protected and set out how any risks are mitigated.

The DMA offers a free LIA template for members.

Explaining legitimate interest to your audiences

Transparent communication isn’t only a compliance requirement; it’s an opportunity to build trust.

At data capture, clearly explain:

  • What data you collect.
  • How you will use it.
  • What people can expect to receive.
  • How to opt out.
  • Where to find more information.

In privacy notices, clearly explain:

  • What activities rely on legitimate interest.
  • Why they qualify as a lawful basis.
  • How individuals can object at any time.

Respecting people’s preferences

Make it easy for people to tell you what they want, whether that’s opting out entirely or choosing preferred channels. For example, some people may be happy to receive post, but not telemarketing. The right to object to direct marketing is “absolute”, meaning you have no grounds to refuse when an individual tells you that they do not want you to use their personal data in this way.


Using third-party data

Third-party data can play an important role in growth, helping organisations reach new audiences or enrich understanding of existing customers.

Examples of third-party data sources include:

  • Purchased prospect lists.
  • The Open Electoral Register (OER).
  • Public sources such as social media.

Even non-personal data, such as demographic or geographic information, becomes personal data if it can identify an individual when combined with other information.

Understanding when the law applies

UK data protection law applies when you process personal data. This includes any information that relates to an identified or identifiable person, directly or indirectly. For example, a job title alone may not identify someone, but a job title combined with company or age might.

Complying with the law

Before processing third-party data you must:

  • Establish the correct lawful basis.
  • Ensure the data is accurate.
  • Confirm it was lawfully collected.
  • Conduct due diligence and document.

Being transparent

When using third-party data, transparency is vital because individuals have not shared their data directly with you. You must provide your own privacy information (unless an exemption applies), stating what categories of data you obtained, the source, and any new purposes or lawful bases. This must be done within one month.

Your privacy information should also cover any transfers of personal data to another organisation.

Respecting preferences

If the third-party data provider hasn't already done so, you must screen against the following as appropriate:

  • Telephone Preference Service (TPS).
  • Corporate TPS.
  • Mail Preference Service (MPS).
  • Fundraising Preference Service (FPS).

You must also screen against your internal suppression file before using data for direct marketing. Respecting people’s preferences is more than an obligation; it strengthens customer confidence and brand trust, ensuring your business thrives and your customers benefit.
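The cleansing steps listed under "Review your data practices" (de-duping, merge and purge, suppression) and the screening described here are usually carried out together as one pass over a marketing file. The following Python example, written for this page and not code from the DMA or any preference service, shows what that pass looks like in practice: records sharing a normalised email, phone number or name-and-postcode key are merged, an objection on any record stops all direct marketing to that person, and each channel is then screened against the relevant file (TPS and Corporate TPS for phone, MPS for post, FPS for post when fundraising, the internal suppression file for everything). The channel names, the `Contact` and `SuppressionLists` classes, the normalisation rules and all sample numbers, addresses and list contents are constructed for the example (the 01632 numbers are the UK's reserved fictional range); PECR consent and the soft opt-in for email are a separate check the example does not model.

```python
import re
from dataclasses import dataclass, field

# Channel names used by this example; they are the example's own labels.
POST, PHONE, EMAIL = "post", "phone", "email"


def normalise_email(email):
    """Trim and lower-case so one address cannot slip past screening twice."""
    return email.strip().lower() if email else None


def normalise_phone(phone):
    """Keep digits only and fold a leading +44 to the domestic 0 prefix."""
    if not phone:
        return None
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("44"):
        digits = "0" + digits[2:]
    return digits or None


def postal_key(surname, postcode):
    """Surname plus compacted postcode: a deliberately simple mailing key."""
    return surname.strip().lower() + "|" + re.sub(r"\s", "", postcode).upper()


@dataclass
class Contact:
    surname: str
    postcode: str
    email: str = ""
    phone: str = ""
    objected: bool = False   # has exercised the absolute right to object
    preferred: frozenset = frozenset({POST, PHONE, EMAIL})  # channels they accept


@dataclass
class SuppressionLists:
    """Constructed stand-ins for the preference services and the internal
    suppression file; the real files are licensed and not reproduced here."""
    tps: set = field(default_factory=set)       # consumer phone numbers
    ctps: set = field(default_factory=set)      # corporate phone numbers
    mps: set = field(default_factory=set)       # postal keys
    fps: set = field(default_factory=set)       # postal keys, fundraising only
    internal: set = field(default_factory=set)  # any normalised identifier


def identifiers(c):
    """All normalised keys a record can be matched on (None where absent)."""
    return (normalise_email(c.email), normalise_phone(c.phone),
            postal_key(c.surname, c.postcode))


def merge_purge(contacts):
    """De-duplicate records that share a normalised email, phone or postal key.
    The merged record keeps the union of contact details, the most restrictive
    channel preferences, and any objection either record carried."""
    merged, index = [], {}          # index: normalised identifier -> position
    for c in contacts:
        keys = [k for k in identifiers(c) if k]
        hit = next((index[k] for k in keys if k in index), None)
        if hit is None:
            merged.append(Contact(c.surname, c.postcode, c.email, c.phone,
                                  c.objected, c.preferred))
            hit = len(merged) - 1
        else:
            m = merged[hit]
            m.email, m.phone = m.email or c.email, m.phone or c.phone
            m.objected = m.objected or c.objected
            m.preferred = m.preferred & c.preferred
        for k in keys:
            index[k] = hit
    return merged


def screen(c, lists, fundraising=False):
    """Return (allowed channels, reason per blocked channel) for one contact."""
    if c.objected:   # the right to object is absolute: nothing goes out
        return set(), {ch: "objected to direct marketing" for ch in (POST, PHONE, EMAIL)}
    email, phone, pkey = identifiers(c)
    post_files = [("MPS", lists.mps), ("internal", lists.internal)]
    if fundraising:
        post_files.append(("FPS", lists.fps))
    checks = {
        POST: (pkey, post_files),
        PHONE: (phone, [("TPS", lists.tps), ("CTPS", lists.ctps), ("internal", lists.internal)]),
        EMAIL: (email, [("internal", lists.internal)]),
    }
    allowed, reasons = set(), {}
    for channel, (ident, files) in checks.items():
        if channel not in c.preferred:
            reasons[channel] = "not a preferred channel"
        elif not ident:
            reasons[channel] = "no contact detail held"
        else:
            hits = [name for name, file in files if ident in file]
            if hits:
                reasons[channel] = "suppressed by " + ", ".join(hits)
            else:
                allowed.add(channel)
    return allowed, reasons


def screen_list(contacts, lists, fundraising=False):
    """Merge/purge first, then screen; keyed by surname (unique in the sample)."""
    return {c.surname: screen(c, lists, fundraising) for c in merge_purge(contacts)}


# Constructed sample data; 01632 numbers are the UK's reserved fictional range.
SUPPRESSION = SuppressionLists(
    tps={"01632960001"},
    mps={postal_key("Khan", "AB1 2CD")},
    internal={"objector@example.com"},
)
SAMPLE = [
    Contact("Smith", "AB1 2CD", "a.smith@example.com", "+44 1632 960002"),
    Contact("Smith", "ab12cd", "A.Smith@Example.com", "",
            preferred=frozenset({POST, EMAIL})),          # duplicate of the above
    Contact("Khan", "AB1 2CD", "r.khan@example.com", "01632 960001"),
    Contact("Lee", "XY9 8ZW", "objector@example.com", "01632 960003", objected=True),
]

if __name__ == "__main__":
    for surname, (ok, why) in screen_list(SAMPLE, SUPPRESSION).items():
        print(surname, sorted(ok), why)
```

Two design points matter more than the matching itself. First, the merge keeps the most restrictive preferences and any objection from either duplicate, so de-duping can never widen what a person receives. Second, every blocked channel carries the name of the file that blocked it, which is the record you need when documenting due diligence or answering an individual who asks why they were, or were not, contacted.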

Further information

ICO guidance on direct marketing
ICO guidance on UK GDPR 
Upcoming ICO update post-DUAA
The DMA Code
DMA training and professional development opportunities