Data (Use and Access) Act (DUAA) in 2026: What UK Law Firms Should Pay Attention to Now.
- Deborah Kelly
- Feb 5
- 5 min read

The Data (Use and Access) Act 2025 (DUAA) marks the most meaningful adjustment to the UK data protection framework since Brexit. While it does not replace the UK GDPR, the Data Protection Act 2018, or PECR, it does change how parts of those laws operate in practice.
For law firms, these changes land at a moment of heightened regulatory scrutiny, accelerating use of legal technology and growing client expectations around confidentiality, transparency and governance. The DUAA is not about radical reform. Instead, it subtly but materially shifts where regulatory risk sits and how compliance is assessed.
This article highlights what the DUAA is, why it matters to law firms, and where firms should be focusing their attention now.
What Is the DUAA (and Why Does It Exist)?
The Data (Use and Access) Act 2025 (DUAA) is a targeted reform package introduced following the UK’s post‑Brexit review of its data protection regime.
Rather than rewriting the rulebook, the DUAA amends how certain aspects of existing law operate, specifically parts of:
- The UK GDPR.
- The Data Protection Act 2018.
- The Privacy and Electronic Communications Regulations (PECR).
The government’s stated aim is to reduce unnecessary friction, introduce flexibility in lower‑risk areas, and modernise how UK data protection law works alongside evolving technology — while maintaining high standards of protection for individuals.
For law firms, the DUAA is therefore less about headline change and more about shifting expectations, thresholds and regulatory emphasis.
What the DUAA Is Not.
Equally important is what the DUAA does not do.
- It does not remove the need to comply with UK GDPR or PECR.
- It does not create a lighter‑touch regime for legal or professional services firms.
- It does not reduce accountability or governance expectations.
Most law firms will continue to operate under familiar principles (lawfulness, fairness, transparency, data minimisation and accountability), but how those principles are tested, evidenced and enforced is becoming clearer and more exacting.
Why the DUAA Matters Specifically to Law Firms.
Law firms typically occupy a distinctive position under data protection law. They routinely process:
- Large volumes of sensitive and confidential information.
- Personal data relating to vulnerable individuals and children.
- Data subject to professional secrecy and ethical duties.
The DUAA intersects directly with how firms manage risk across marketing activity, digital infrastructure, technology adoption and regulatory engagement.
One of the most significant practical shifts is the alignment of PECR fines with UK GDPR levels, meaning potential exposure of up to £17.5m or 4% of worldwide annual turnover. For many firms, that alone reframes cookies and electronic marketing as a partnership‑level governance issue, not a peripheral operational concern.
Key Areas Law Firms Should Be Reviewing Now.
Cookies, Analytics and Law Firm Websites:
The DUAA introduces limited flexibility in relation to low‑risk cookies, which will be relevant to many law firm websites using analytics or functional tools.
For law firms, key considerations include:
- Certain cookies may now be used without consent in narrowly defined circumstances.
- Transparency requirements still apply, including clear information and the ability to opt out.
- Any reliance on exemptions must be justifiable and documented.
With materially increased PECR penalties, law firm websites should be treated as a regulatory risk surface, not simply a marketing asset.
Children’s Data and Safeguarding Considerations:
The DUAA strengthens the focus on children’s data protection. Law firms may be affected even where children are not their intended audience, for example, where:
- Services or online content are publicly accessible.
- Practice areas involve family, education or safeguarding work.
Firms are expected to demonstrate that children’s higher protection matters have been considered as part of their design and decision‑making. What constitutes a proportionate response will depend on the firm’s services, audience and risk profile.
Automated Decision‑Making and Legal Technology:
As firms increasingly rely on technology to support onboarding, risk assessment and operational efficiency, the DUAA’s changes to automated decision‑making (ADM) are particularly relevant.
While some restrictions have been relaxed, law firms should approach automation carefully. Key considerations include:
- Identifying where decisions are solely automated.
- Ensuring appropriate safeguards and oversight are in place.
- Maintaining transparency and the ability for human intervention.
For professional practices, this is as much about professional judgment and accountability as it is about strict legal compliance.
Lawful Bases and Legitimate Interests.
The introduction of 'recognised legitimate interests' may simplify compliance in limited areas, such as safeguarding or crime prevention.
For most law firms, however, the practical impact will be modest. Routine processing activities will continue to rely on established lawful bases, supported by appropriate assessments and internal documentation.
A Critical Change Still to Come: Complaints Handling.
From 19 June 2026, firms will be legally required to have a clear, accessible and effective mechanism for handling data protection complaints.
This will require firms to think beyond policy statements and consider how complaints operate in practice, including:
- How staff identify and escalate complaints.
- Who has responsibility for responses and decision‑making.
- How complaints intersect with wider regulatory and professional conduct obligations.
Firms that delay preparation risk scrambling to implement processes under scrutiny, rather than designing proportionate and workable systems in advance.
Taking a Proportionate, Strategic Approach.
The DUAA does not require law firms to start again, but it does require a clear‑eyed review of where risk and regulatory attention have shifted.
The most effective next step for many firms is not wholesale change, but asking the right questions, including:
- Where has our regulatory exposure increased?
- Which assumptions no longer hold?
- What does good governance look like for our firm in practice?
Those judgments are inherently firm‑specific, and they are where general guidance ends.
Final Thought.
The DUAA reinforces a broader theme: data protection is now inseparable from professional credibility, client trust and good governance within law firms.
Firms that engage thoughtfully with these changes, rather than treating them as a technical compliance exercise, will be better placed to manage risk, adopt technology responsibly and meet rising expectations from regulators and clients alike.
How StudioDMK Can Support You.
If you’re a law firm partner, practice lead, or operations lead asking 'What does this actually mean for us?', you’re not alone.
The DUAA is not a tick‑box exercise. Its impact depends on how your firm operates in practice - from marketing and digital infrastructure to technology choices, governance and risk appetite.
At StudioDMK, we work with law firms to:
- Identify where data protection risk has genuinely shifted under the DUAA.
- Prioritise issues that warrant partner‑level attention.
- Translate regulatory change into practical, proportionate actions aligned with your firm’s strategy.
Our work sits at the intersection of regulatory awareness, operational reality and commercial decision‑making. We don’t offer generic checklists - we help firms ask the right questions before deciding what needs to change.
If you’d like to explore how the DUAA may affect your firm specifically, or would value a structured conversation about risk, readiness or governance, you can get in touch via StudioDMK to discuss next steps.
This article is intended as general guidance and commentary only. It does not constitute legal advice and should not be relied on as such. Specific obligations depend on individual circumstances, and firms should seek tailored legal advice where appropriate.