The Data Use and Access Act 2025 (DUAA) is an updated version of the previous Government’s DPDI Bill. It introduces targeted reforms to UK data protection law while maintaining compatibility with UK GDPR and EU standards.
Understanding the Data Use and Access Act 2025 (DUAA)
The stated goals of the Data Use and Access Act are to enable responsible data use that grows the economy, improves public services, and simplifies people’s lives. Rather than introducing radical reform that might put frictionless international data flows at risk, the Act is nuanced. It modernises UK data protection law whilst preserving essential compatibility with EU adequacy standards.
The implementation is phased. Many provisions of the Data Use and Access Act 2025 are not yet in force and will require secondary legislation before taking effect.
The Act performs a number of important functions, including:
- Reforming and amending aspects of UK GDPR
- Laying the foundations for future “smart data” schemes
- Facilitating more efficient business and customer data sharing
That said, the new legislation introduces practical changes that all data controllers and processors need to understand and implement.
Some of these changes are business-friendly. For example:
- Greater flexibility on DSARs, with only “reasonable and proportionate” searches required
- Broader use of AI and automated decision-making for non-sensitive data
- An exemption from cookie consent for certain analytics purposes
However, there are also significant compliance implications:
- Mandatory internal complaints procedures
- Strengthened investigatory powers for the regulator
- A substantial increase in PECR fines – from £500,000 to UK GDPR levels (up to £17.5m or 4% of global turnover)
For many organisations, the risk profile has shifted.
What reactions are we seeing to the Data Use and Access Act?
The structural changes to the ICO, with a new Information Commission replacing the Information Commissioner as a corporate body, alongside strengthened PECR enforcement powers bringing fines to UK GDPR levels, mean compliance priorities are shifting.
Some organisations using algorithmic or agentic tools for recruitment or performance management are reviewing systems to ensure they include mechanisms for human oversight. But the ICO is working on a new AI and automated decision-making code of practice and many are holding fire on significant action until the guidance is in place.
Early movers are reviewing data protection programmes and policies to ensure compliance while seeking opportunities to use the freedoms the DUAA provides to leverage data more effectively. This includes establishing complaints procedures, revising DSAR protocols and documenting the rationale for decisions.
What Does the Data Use and Access Act Mean for My Organisation?
The impact of the Data Use and Access Act 2025 depends on your risk profile, sector and operational model. However, several areas require attention.
DSAR Search Scope Refresh
The “reasonable and proportionate” search standard, previously found in guidance, is now on a statutory footing.
You are required to search where personal data is most likely to be found, taking into account:
- The nature of your organisation
- The specific request
- Available systems and resources
This offers welcome flexibility – but decisions must be documented and defensible.
Complaints Mandatory
For consumer-facing organisations, this is significant.
You can no longer direct dissatisfied data subjects straight to the ICO. Under the Data Use and Access Act, you must handle data protection complaints internally first.
Failure to inform individuals of this right may itself constitute a breach.
This requires:
- Clear complaint channels
- Defined acknowledgement procedures
- Staff training to recognise data protection complaints
- Integrated complaint investigation workflows
AI Adoption and ADM Controls
The Act makes it easier to deploy automated decision-making (ADM) involving standard personal data, such as in:
- Recruitment screening
- Performance reviews
- Shift scheduling
Restrictions on special category data remain unchanged.
Safeguards must still ensure individuals can:
- Make representations
- Contest decisions
- Obtain meaningful human intervention
PECR in the Spotlight
Under the Data Use and Access Act, penalties for marketing and cookie violations now align with UK GDPR limits. The ICO has confirmed that online tracking practices are a key enforcement priority. We are seeing increased board-level attention on:
- Email marketing consent records
- Soft opt-in reliance
- Cookie banners and consent mechanisms
- Analytics and third-party tracking tools
The perception of marketing compliance risk is shifting rapidly.
Court Oversight on DSAR Disputes
New court procedures allow a judge to inspect the disputed data before ruling on a DSAR dispute.
This introduces a new dimension to litigation strategy and disclosure management.
What Should I Do About the Data Use and Access Act?
The Data Use and Access Act does not require wholesale redesign of your governance framework. However, it does require targeted, documented action.
Review DSAR Search Protocols
Revise your DSAR procedures to leverage the “reasonable and proportionate” standard – define which systems will typically be searched based on data likelihood, establish clear exclusions for legacy archives, and document your methodology to justify narrower scope.
Codify “Stop the Clock” Procedures
Formalise processes for pausing DSAR timeframes when requesting clarification or identity verification – ensure staff understand they must inform requesters promptly and document when the clock stops and restarts to avoid breaching response deadlines.
Elevate PECR to Board-Level Risk
Conduct urgent audits of email marketing, cookie consent mechanisms, and telemarketing practices. With maximum fines now aligned with UK GDPR at £17.5m or 4% of global turnover, PECR compliance demands immediate strategic attention.
Get Set for Complaints
Handling complaints internally is no longer optional. If you are a consumer-facing business, put in place readily accessible complaint mechanisms (website forms, dedicated email addresses), train staff on the mandatory 30-day acknowledgement requirement, and create investigation workflows that respond without undue delay. You may also need to look at how data protection complaints procedures will interface or integrate with existing complaints procedures, and be clear about what constitutes a data protection complaint so that staff can recognise one when it arrives.
PECR Compliance
Take a fresh look at email marketing, cookie consent mechanisms, and telemarketing practices in view of the increase in fining powers and the ICO’s stated focus on enforcement in this area.
Unlock Analytics Cookie Flexibility (Carefully)
Evaluate whether your website analytics can operate under the new low-risk cookie exemption for functionality, analytics, and personalisation cookies (consent no longer required but opt-out must be provided). For multinationals, consider whether a unified consent-based approach across UK and EU jurisdictions is more pragmatic than managing divergent technical implementations.
Map Children’s Digital Touchpoints
Assess which information society services you provide are “likely to be accessed by children” under the new “children’s higher protection matters” framework.
Leverage Recognised Legitimate Interests
Review your processing activities against the narrow list of “recognised legitimate interests” in Annex 1 (national security, emergency response, safeguarding vulnerable individuals, crime prevention). This only applies to specific public interest categories, but for qualifying organisations, particularly in the public safety, healthcare or security sectors, these bases remove the balancing test documentation burden entirely.
Formalise ADM Safeguards
For automated decision-making systems using non-special category data, document safeguards enabling data subjects to make representations, contest decisions, and obtain meaningful human intervention.
Restructure Research Consent
If you conduct scientific research (now expressly including commercial research), restructure consent frameworks to utilise “broad consent” provisions allowing consent to general research areas without specifying every future use. This reduces barriers for research organisations and life sciences companies using personal data for innovation.
Prepare for Enhanced IC Powers
Establish protocols for Information Commission interview notices (the regulator can now compel staff attendance during investigations) and forensic reporting obligations (the IC can mandate controller-funded technical reports).
Streamline International Transfers
Re-evaluate transfer impact assessments and documentation using the new “materially lower” standard rather than the EU’s “essential equivalence” test.
Final Thoughts On The Data Use and Access Act
The Data Use and Access Act 2025 represents evolutionary change rather than regulatory upheaval.
For well-governed organisations, it provides:
- Greater clarity
- Some operational flexibility
- Reduced unnecessary burden in specific areas
However, it also strengthens enforcement powers and elevates marketing compliance risk.
Understanding where the Act tightens expectations – and where it introduces opportunity – is now essential for organisations handling personal data in the UK. If you are unsure how the Data Use and Access Act affects your organisation, a structured readiness review can provide clarity and confidence.
If you would like a clear starting point, our DUAA Readiness Checklist provides a structured framework to assess your current position and prioritise action. It is designed to help you identify gaps quickly and move forward with confidence. You can download this on the TKM Consulting website here.
This article originally appeared on TKM Consulting.
For more support, contact gunnercooke Data Protection, Privacy and AI Partner Chris Elwell-Sutton.