Data (Use and Access) Act 2025 (DUAA): What UK Financial Services Firms Need to Know

The Data (Use and Access) Act 2025 (DUAA) marks a significant evolution in the UK’s data protection landscape. Building on the foundations of the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), the DUAA introduces targeted reforms aimed at balancing innovation with robust privacy safeguards.

The DUAA reflects the Government’s ambition to position the UK as a global leader in data-driven innovation, while maintaining high standards of privacy and security. It also aligns with international trends, including the EU’s Data Act, though with notable UK-specific differences. The balance it strikes between fostering growth and innovation on the one hand, and maintaining high data protection and privacy standards on the other, matters beyond the UK: the UK needs to demonstrate that its data laws are essentially equivalent to those of the EU in order to retain its ‘adequacy’ status and so continue to receive frictionless flows of personal data from the EU.

The DUAA received Royal Assent in June 2025 and is being phased in during 2026. It does not replace existing data protection laws but introduces reforms to:

  • Simplify compliance for organisations
  • Enable responsible data sharing and innovation
  • Strengthen enforcement and regulatory oversight

Financial services firms depend heavily on data for governance, risk, compliance, customer experience and product innovation.

In this article, we look at some of the challenges and opportunities that the DUAA is likely to present for businesses in the financial services industry.

Key takeaways (for financial services)

  • The DUAA 2025 (phased in during 2026) updates the UK GDPR/DP Act 2018/PECR framework and will affect how financial services firms share, verify and market using data
  • Open Finance: new foundations for wider, regulated customer and business data-sharing beyond Open Banking (including possible FCA interface rules)
  • Digital Verification Services (DVS): a statutory trust framework and register that will influence onboarding, KYC and fraud controls
  • Recognised legitimate interests: no balancing test for a closed list of purposes (including crime prevention and detection, which captures much fraud-prevention processing), alongside new statutory examples of legitimate interests (including direct marketing and intra-group transfers) that still require one, all subject to careful governance
  • Direct marketing and cookies: significantly higher PECR fines mean firms should review consent, preferences and cookie compliance, even where the DUAA relaxes consent for certain analytics cookies
  • DSARs: a clearer statutory basis for “reasonable and proportionate” searches can reduce burden if procedures are updated

From open banking to open finance

The DUAA lays the legal foundations for Open Finance, enabling regulators to design new sector-wide data-sharing schemes beyond payments. This will encourage the development of secure data sharing schemes across areas such as pensions, investments, and insurance. It also creates the opportunity for firms to provide more tailored services to their customers and a better chance for new market entrants to compete.

This increased sharing of data will accordingly place greater emphasis on data governance. The DUAA contains provisions that will allow the Treasury to enable the FCA to make interface rules regarding customer data and/or business data, and to enforce those rules.

Our Recommendation

We recommend that firms monitor emerging Open Finance standards to help them take advantage of the opportunities of this more liberal data sharing landscape without encountering compliance pitfalls. 

Digital Verification Services (DVS): new statutory trust framework

The DUAA also seeks to further encourage the adoption of Digital Verification Services (“DVS”). It does this by establishing a statutory framework for DVS. The aim is to create a secure, trustworthy and consistent digital identity ecosystem, which will allow individuals to open accounts with service providers and execute transactions more quickly and easily.

The new DVS regime comprises five key elements:

  • DVS Trust Framework: The Secretary of State, in consultation with the Information Commissioner’s Office, publishes and maintains the rules and standards that DVS providers must meet
  • DVS Register: This is a publicly available, statutory register that lists all DVS providers that have been certified as compliant with the Trust Framework
  • Accredited Certification: To be listed, providers must hold a certificate from an accredited conformity assessment body, verifying they meet the required standards
  • Trust Mark: Only certified providers on the DVS register can display a specific "Trust Mark," allowing users to identify secure, compliant services
  • Information Gateway: The Act allows public authorities to share, upon request from an individual, data with registered DVS providers to verify identities and attributes (e.g., age, right to work)

Our Recommendation

We recommend that service providers consult the latest Trust Framework, Supplementary Codes and DVS Register, all of which are published on GOV.UK. Organisations should also conduct thorough due diligence on third-party digital identity suppliers, including checking that a supplier actually appears on the DVS Register and holds current certification rather than relying on its own claims of compliance.

Recognised legitimate interests: reduced burden for certain processing

Where an organisation relies on ‘legitimate interests’ to process personal data, it is normally required to identify the legitimate interest, show that the processing is necessary for it, and carry out a balancing test against the rights and interests of data subjects. The DUAA introduces a statutory category of ‘recognised legitimate interests’ for which no balancing test is required. The recognised purposes are set out in a closed list and include:

  • Preventing, detecting or investigating crime (which will capture much fraud-prevention processing)
  • Responding to emergencies and safeguarding vulnerable individuals; and
  • Disclosing personal data to public bodies that request it in order to carry out their public tasks

Separately, the DUAA adds statutory examples of processing that ‘may’ be necessary for a legitimate interest, including direct marketing, intra-group transmission of personal data for internal administrative purposes, and network and information security. These examples are not recognised legitimate interests: firms relying on them must still carry out and document the balancing test.

The intention behind this reform is to simplify compliance for routine processing activities and reduce administrative burden while maintaining accountability.

Our Recommendation

We recommend that firms consider relying on a recognised legitimate interest where a new processing activity falls squarely within one of the listed purposes, and that they record the reasoning for that conclusion. Where an activity falls outside the list (for example, direct marketing), the existing legitimate interests assessment should continue to be completed and retained.

Direct marketing (PECR): higher fines and higher stakes for FS firms

The DUAA increases fines for breaches of e-privacy rules. It does so by raising the fine ceiling under PECR to align with the UK GDPR regime. This means an increase in potential fines from a current maximum of £500,000 to £17,500,000 or 4% of annual worldwide turnover, whichever is higher, for the most egregious infringements.

Whilst this change ‘tidies up’ the current disparity between the two regimes, it “raises the stakes” for financial services firms that send electronic direct marketing to individual customers. 

Our Recommendation

It remains to be seen how the Information Commission will exercise this new fining power. We recommend that financial services businesses that rely heavily on electronic direct marketing and cookies for marketing and advertising monitor the Information Commission’s output for future guidance on regulatory policy and enforcement actions in this area.

Cookies and analytics: less red tape, but enforcement risk increases

The DUAA also relieves some of the compliance burden on businesses that use website cookies. It provides an exception to the requirement for website operators to obtain prior opt-in consent for non-essential cookies. This exception covers cookies whose sole purpose is to collect information for statistical purposes about how an online service or website is used, with a view to making improvements to it.

It is still necessary for a website operator to:

  • Provide privacy information to website users in respect of such cookies; and
  • Provide an ‘opt-out’ to users in relation to the placing of such cookies

Whilst this change eases some regulatory ‘friction’ for organisations, we refer to our comments above regarding the Information Commission’s increased powers to fine where use of cookies is non-compliant with PECR.

Our Recommendation

We recommend that firms review their cookie usage to see if they can take advantage of the relaxation in the rules for certain types of cookie. Businesses should also check that their use of cookies is compliant, given the potential for increased sanctions.

DSARs: “reasonable and proportionate” searches now in statute

We have seen a considerable increase in clients receiving data subject access requests (“DSARs”) from individuals since GDPR’s inception in 2018. This trend has been boosted further by the widespread availability of generative AI. 

The DUAA brings some relief to firms that are faced with very broad DSARs. Businesses are now only required to carry out “reasonable and proportionate” searches for information in response to them.

Whilst this position has been part of UK case law for some time, it is the first time it has been codified in legislation.

Our Recommendation

We recommend that financial services firms revisit their DSAR response procedures, to ensure that they are taking advantage of this change and conduct sensible and practicable search exercises. 

Regulator update: the Information Commission and enhanced enforcement

The DUAA replaces the Information Commissioner’s Office with the Information Commission, giving it a more “corporate” structure. The newly minted Information Commission will get enhanced powers, including the ability to compel witness attendance and request technical reports and an expanded authority to issue GDPR-level fines for PECR breaches (as noted above).

How we can help

If you are a bank, insurer, asset manager, fintech or payments business, the DUAA changes are an opportunity to simplify compliance and enable new data-driven propositions, but only if governance, privacy and e-privacy controls keep pace.

  • DUAA readiness assessments and implementation roadmaps (UK GDPR, DPA 2018 and PECR alignment)
  • Open Finance and data-sharing governance (including contractual models, accountability mapping and policy updates)
  • DVS supplier due diligence, onboarding/KYC journeys, and identity-data risk assessments
  • Direct marketing and cookie compliance reviews, consent and preference management, and enforcement-response support
  • DSAR process optimisation and playbooks (including “reasonable and proportionate” search protocols)

If you would like a short, no-obligation call on the DUAA’s impact for your financial services business, please contact Luke Dixon.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
