
Blog: What charities need to know about new Data (Use & Access) (DUAA) rules

Simon Hinks, Eastside People consultant and data protection specialist provides a detailed update on the new regulations.

The new rules under the Data (Use and Access) Act 2025 (DUAA) will cause the biggest shake-up to UK data protection since GDPR. Your trustees need to know!

Blog by Simon Hinks, Eastside People consultant.

What do charities need to know about the new Data (Use and Access) Act rules?

While the Act strengthens the UK’s existing data framework, building on UK GDPR, and introduces sharper rules on accountability, clearer expectations for transparency, and greater rights for individuals to question and challenge how their data is used, it also makes things easier for charities by:

  1. Allowing a ‘soft opt in’ for charities where electronic mail marketing can be sent to people whose personal information you collect when they support, or express an interest in, your work, unless they object
  2. Allowing you to set some types of cookies without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website
  3. Allowing an assumption of compatibility: you can assume that some re-uses of personal information are compatible with the original purpose you collected it for, without having to do a compatibility test. This includes disclosing personal information for the purposes of archiving in the public interest, even if you originally only got consent for a different purpose
  4. Making it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information (subject access request (SAR)).

Data use and access

Picture this. A donor complains about how you’ve used their data. The Information Commissioner’s Office (ICO) begins asking questions. Your trustees want to know why no one saw this coming.

It might sound dramatic, but this is precisely the kind of scenario the Data (Use and Access) Act 2025 (DUAA) is designed to address. And charities are very much within its scope. This is why the DUAA is the most significant change to be implemented since the GDPR was first introduced in 2018.

Many in the voluntary and not-for-profit sector still see data protection laws as something that only affects large organisations. Yet if your charity collects or stores personal data, whether it belongs to donors, volunteers, beneficiaries, or staff, the DUAA directly affects how you must operate.

The Act strengthens the UK’s existing data framework, building on UK GDPR, but introduces sharper rules on accountability, clearer expectations for transparency, and greater rights for individuals to question and challenge how their data is used.

Understanding what’s changing and when

The DUAA is not something that will arrive all at once. Instead, its impact will build in stages over the coming months, giving charities a window to prepare. Having said that, the introduction of this new legislation has already started and has formally become law.

This might be something you weren’t aware of. It’s not been given any airtime and is probably news to many charities. However, this is now an opportunity for you to gain a deeper understanding of what it means.

June 2025 was when regulators such as the ICO expected to see evidence that charities were beginning to align their practices with the new standards. It was the starting gun for what will become a significant shift in how personal data must be managed.

In August 2025, the ICO introduced new strategic objectives, placing greater scrutiny on how organisations, including charities, use analytics, profiling, and artificial intelligence within fundraising and service delivery.

Those privacy notices, which have been sitting quietly on your website or in a drawer since 2019, will almost certainly need rewriting. They will have to be clear, accessible, and written in plain English so that donors and beneficiaries can genuinely understand how their information is being used.

The real weight of reform arrives in December 2025. This is when the most substantial new requirements take effect, covering records of processing, data protection impact assessments, and the contractual obligations that bind you to your suppliers.

Every charity that works with external agencies or technology platforms will need to review its contracts carefully to ensure they meet DUAA standards. Trustees and managers will also need to retrain staff and volunteers to ensure everyone understands their responsibilities under the new framework.

By mid-2026, a new rule comes into force requiring every charity to have a formal, documented process for handling data-related complaints.

Whether a donor questions how you used their information, a volunteer wants to withdraw consent, or a beneficiary raises concerns about confidentiality, you must be able to respond swiftly and fairly. Without such a process, you risk reputational harm and possible regulatory intervention.

Why this matters for charities

Charities hold some of the most sensitive data imaginable, including personal financial details, Gift Aid declarations, and deeply personal stories from individuals in vulnerable situations. The DUAA raises the bar for how that information must be protected, managed, and explained.

Consider a few common scenarios. Your fundraising software profiles donors based on their previous giving or estimated wealth, but you have not obtained clear consent for that profiling. Under the DUAA, that could constitute a breach.

You rely on a third-party cloud provider, marketing agency, or fundraising platform, but the contract you signed with them years ago does not meet the new legal requirements. If they mishandle data, you could still be held responsible.

Or perhaps a donor makes a complaint about how their information has been used, and your charity has no formal procedure to address it. That complaint could quickly escalate to the ICO.

These examples highlight a crucial point: for small and medium-sized charities in particular, the risks are real. Many do not have dedicated data protection staff, and yet the DUAA expects the same level of governance and accountability from them as from any other organisation. The resource challenge is significant, but ignoring it is not an option.

What charities should be doing now

The positive news is that most charities can begin preparing without major cost or upheaval. The first step is to ensure that trustees and senior leaders understand the DUAA and their responsibilities.

Data protection is not an IT issue. It is a governance matter that sits firmly within board oversight. Once that understanding is in place, take a clear look at your current practices. Conduct a simple gap analysis: an honest assessment of where you stand today. Are your privacy notices outdated? Do your consent forms clearly explain how personal data will be used? Are your supplier contracts still aligned with GDPR? That’s even before we get to the DUAA.

Next, focus on getting the basics right. Rewrite privacy notices to ensure they are transparent, friendly, and easy for anyone to understand. Check that marketing and fundraising consents are explicit and properly recorded.

Review your supplier relationships to ensure their contracts meet the new legal standard. Begin planning training for your team. Even a half-hour session can make a major difference in preventing mistakes that could later become costly.

One of the most significant shifts under the DUAA is the increased emphasis on accountability through documentation. It is no longer enough to say you comply. You must be able to show how.

Keep written records of decisions, risk assessments, and changes you make to data processes. When a regulator calls, being able to demonstrate that you took proactive, well-documented steps will be your best protection.

The cost of waiting

The harsh truth is that the worst time to find out your charity’s data practices are inadequate is when a complaint lands on your desk. By that stage, it’s too late. You’re reacting rather than preventing, and the damage to your reputation, donor confidence, and operational focus can be immense.

The DUAA offers a rare opportunity to get ahead of the curve. It gives charities a clear timeline to review, rebuild, and strengthen their data governance. Those who act early will not only stay compliant but also build stronger trust with donors, volunteers, and partners.

Getting the help you need

Preparing for the DUAA does not have to be overwhelming. The key is to start small, stay consistent, and seek help where you need it. Whether it’s reviewing your privacy documentation, setting up a complaints process, or training your staff, there is still time to prepare, but only if you start today.

If you’re unsure where to begin, you can ask the experts for guidance. The team at Eastside People can help you strengthen your data protection frameworks. We can review your data practices, update your documents, and train your staff to help you get DUAA ready before the deadlines arrive.

Glossary of Terms – Data (Use and Access) Act 2025 (DUAA)

| Term | Meaning (Plain English) | Why It Matters / Example |
|---|---|---|
| DUAA (Data Use and Access Act 2025) | A new UK law that updates and expands data protection rules, building on the GDPR. | It sets stricter rules for how charities, businesses, and public bodies handle personal data. |
| UK GDPR | The UK version of the EU’s General Data Protection Regulation, which still applies after Brexit. | DUAA updates and extends the UK GDPR rules rather than replacing them. |
| ICO (Information Commissioner’s Office) | The UK’s data protection regulator. It enforces laws like GDPR and DUAA and provides guidance. | Charities may face ICO investigations or fines if they misuse personal data. |
| Royal Assent | The formal approval from the King that turns a Bill into law. | DUAA received Royal Assent on 19 June 2025; this marks its official start. |
| Commencement Regulations | The stages that ‘switch on’ different parts of the Act over time. | DUAA comes into force gradually, with major rules starting from December 2025 and mid-2026. |
| Accountability | Being able to show evidence of how your organisation protects data. | It’s not enough to say “we comply”; you must have written proof (e.g., policies, training, records). |
| Transparency | Being open and clear about how you collect and use people’s data. | Privacy notices must now be written in plain English so anyone can understand them. |
| Privacy Notice | A document that explains what data you collect, why, how long you keep it, and who you share it with. | Under DUAA, every charity must update theirs to be simpler and clearer. |
| Gap Analysis | A check-up that compares your current practices against what the law requires. | Helps identify where your charity needs to improve to meet DUAA standards. |
| Consent | Permission from an individual for you to use their data for a specific purpose. | Must be freely given, specific, and recorded, e.g., for marketing or profiling donors. |
| Profiling | Automatically analysing or grouping people’s data to predict behaviour or preferences. | If you profile donors for fundraising without consent, it may breach DUAA. |
| DPIA (Data Protection Impact Assessment) | A risk assessment for projects that involve using personal data in new or potentially risky ways. | Required for new systems, fundraising tools, or data-sharing initiatives. |
| Records of Processing | A formal log of all the ways your organisation uses personal data. | Under DUAA, this must be up to date and available if the ICO asks for it. |
| Supplier Contracts | Agreements with external organisations that handle data on your behalf. | Must include DUAA-compliant clauses; otherwise you could be liable for their mistakes. |
| Complaints Process (Section 103) | A required, written procedure for dealing with data-related complaints. | By mid-2026, every charity must have a documented way to respond to data concerns or withdrawals of consent. |
| AI (Artificial Intelligence) | Computer systems that analyse or make decisions using large sets of data. | DUAA links AI use with data protection and copyright, meaning extra checks if your charity uses AI tools. |
| Legitimate Interests | A lawful basis for processing data when it’s necessary for your organisation’s work and doesn’t override individuals’ rights. | DUAA may change how legitimate interests are justified and recorded. |
| Retention Schedule | A document showing how long different types of data are kept before deletion. | DUAA expects charities to update and follow these consistently. |
| Governance | Oversight by trustees and senior management to ensure compliance. | DUAA reinforces that data protection is a board-level responsibility, not just IT’s job. |
| Accountability Documentation | Written evidence of policies, assessments, decisions, and reviews. | Needed to show you have taken responsible steps if the ICO investigates. |
| National Underground Register / Digital Records (Infrastructure Rules) | Future data initiatives related to utilities and public infrastructure. | Mainly affects public bodies, but charities delivering services for government may be included. |
| Enforcement | The process by which the ICO checks compliance and issues fines or corrective actions. | The ICO will have a new board and stronger powers from 2026 under DUAA. |
| Plain English Requirement | A new emphasis by the ICO for all data policies and notices to be easily understood. | Charities must rewrite legal-sounding text into clear, accessible language. |

