As digital transformation accelerates across the charity and SME sectors, the UK’s Data (Use and Access) Act 2025 (DUAA) introduces targeted changes to data protection law that organisations must understand to remain compliant and build trust. The Act received Royal Assent on 19 June 2025 and is being commenced in phases, with guidance issued by the UK Government and the ICO to help organisations adapt.
For many charities and SMEs, the reality is the same: you handle sensitive personal data (donor records, service users, employees, volunteers), yet work within tight budgets and limited capacity. DUAA is intended to modernise and clarify aspects of the UK data framework, without replacing UK GDPR, by amending UK GDPR, the Data Protection Act 2018 (DPA 2018) and PECR.
Below we unpack the key DUAA changes most relevant to you, highlight practical steps, and explain why investing in SAR Support and an Outsourced SAR model can dramatically reduce risk and overhead, especially in an era of rising SAR volumes and AI‑generated requests.
Charities and SMEs often carry disproportionate compliance risk: high sensitivity of data, lean teams, and limited tooling. DUAA seeks to simplify compliance while strengthening protections, including clearer lawful bases in specific scenarios, proportional SAR searching, and an emphasis on internal complaints handling before matters escalate to the regulator.
The trend is clear: UK organisations report rising SAR volumes, including complex employee‑related requests and increasingly AI‑assisted submissions that push breadth and scope. The ICO’s own reporting shows sustained high complaint volumes year‑over‑year, and practitioners note that AI tools are now commonly used by individuals to draft DSARs, increasing complexity for responders.
DUAA introduces recognised legitimate interests (RLI), providing clarity for certain processing activities where a full balancing test is no longer required, such as safeguarding vulnerable individuals, crime prevention, national/public security, and emergency response. This makes it easier to justify necessary processing in well‑defined circumstances, particularly for charities working with public bodies or vulnerable communities. Note that RLI removes the balancing test, not the necessity test: you must still be able to show the processing is necessary for the listed purpose.
Action: Review your lawful bases and update privacy notices where RLI applies, ensuring internal documentation (e.g., ROPAs) reflects these changes.
A significant reform under DUAA is the modified soft opt‑in for charities under PECR. Charities will be permitted to send electronic marketing (email/SMS) to supporters who have expressed interest in or offered support for the charity’s purposes, provided messages solely further the charity’s mission and opt‑out is offered at collection and in each communication. Timing and detailed conditions are subject to commencement regulations and ICO guidance, but the direction is set.
Action: Plan now: map supporter data sources, implement robust opt‑out controls, and segment lists based on consent vs. soft‑opt‑in eligibility when provisions commence.
DUAA places established ICO guidance and case law onto a statutory footing, clarifying that organisations need only carry out “reasonable and proportionate” searches when responding to SARs, and can pause the response clock in certain circumstances (e.g., pending identity verification or clarification of scope). Proposals to refuse “vexatious” requests were dropped; the “manifestly unfounded or excessive” threshold remains.
Action: Define SAR search parameters by system/data likelihood, document scope decisions, and deploy specialist tooling with deduplication to consolidate records into redactable formats. (See our dedicated SAR Support Services page.)
DUAA relaxes certain restrictions on significant automated decision‑making (not involving special category data), subject to safeguards—transparency, the ability to seek human review, and challenge. This provides greater flexibility for resource‑limited organisations using digital tools while maintaining data subject protections.
Action: Where ADM is used (e.g., triage or eligibility decisions), ensure you have clear notices, rights mechanisms, and documented safeguards.
A core DUAA shift is formalising internal complaints handling: organisations must offer clear, accessible procedures and acknowledge within 30 days, take appropriate steps “without undue delay,” and communicate outcomes—before complaints escalate to the ICO. Draft guidance is in consultation, but the practical direction is clear.
Action: Publish a data protection complaints route (web + email/post), embed service levels, train staff, and keep auditable records of investigations and resolutions.
Across sectors, organisations report more SARs and increasingly sophisticated, AI‑generated requests. Practitioners note templated DSARs can be broader than necessary, include irrelevant legal citations, and trigger excessive search expectations unless controllers apply proportionality and request clarification early.
The public sector (including NHS trusts) also reports surging volumes, adding further pressure on teams already stretched by record‑keeping and redaction demands.
What this means for you: Build a defensible SAR playbook: triage, clarify scope, apply reasonable and proportionate searches, use deduplication to cut noise, and capture decisions in a search log to evidence compliance.
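The consolidation and search‑log steps in that playbook are easy to describe and easy to get wrong in practice, so here is an added illustration (GRC Hub's own tooling is not shown; this is example code written for this page). Records exported from several systems are normalised, deduplicated by a content hash so the same e‑mail held in a mailbox and on a shared drive is disclosed once, and every scope decision (system searched, record included, duplicate merged, record excluded) is appended to a timestamped search log. The system names, records and keywords are constructed sample data.

```python
"""Added example: SAR record consolidation with a defensible search log.
Not part of the original article. Sample data is constructed."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample: one e-mail exported twice (mailbox + shared drive)
# with whitespace/case differences, plus one record outside the SAR's scope.
RAW_RECORDS = [
    {"system": "hr_mailbox", "id": "m-101", "subject": "Re: grievance",
     "body": "Hi,  please see attached notes.\r\nThanks"},
    {"system": "shared_drive", "id": "f-7", "subject": "RE: Grievance",
     "body": "hi, please see attached notes.\nthanks"},
    {"system": "hr_mailbox", "id": "m-102", "subject": "Canteen menu",
     "body": "This week's menu is attached."},
]


def normalise(text: str) -> str:
    """Drop reply/forward prefixes, collapse whitespace and lower-case, so
    cosmetic differences between systems do not defeat deduplication."""
    text = re.sub(r"^\s*(re|fw|fwd):\s*", "", text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(record: dict) -> str:
    """Content hash of the normalised subject + body."""
    payload = normalise(record["subject"]) + "\n" + normalise(record["body"])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class SearchLog:
    """Append-only, timestamped record of every scope decision."""

    def __init__(self, request_ref: str):
        self.request_ref = request_ref
        self.entries = []

    def note(self, action: str, **details):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "request": self.request_ref,
            "action": action,
            **details,
        })

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def consolidate(records, keywords, log: SearchLog):
    """Keep records matching the agreed scope keywords, merge duplicates
    across systems, and log each decision. Returns the unique records."""
    needles = [k.lower() for k in keywords]
    for system in sorted({r["system"] for r in records}):
        log.note("searched", system=system, keywords=needles)

    unique = {}
    for rec in records:
        haystack = normalise(rec["subject"] + " " + rec["body"])
        if not any(n in haystack for n in needles):
            log.note("excluded", system=rec["system"], id=rec["id"],
                     reason="no scope keyword match")
            continue
        fp = fingerprint(rec)
        source = f'{rec["system"]}:{rec["id"]}'
        if fp in unique:
            unique[fp]["sources"].append(source)
            log.note("merged_duplicate", id=rec["id"],
                     into=unique[fp]["sources"][0], fingerprint=fp[:12])
        else:
            unique[fp] = {"fingerprint": fp, "subject": rec["subject"],
                          "body": rec["body"], "sources": [source]}
            log.note("included", system=rec["system"], id=rec["id"],
                     fingerprint=fp[:12])
    return list(unique.values())


if __name__ == "__main__":
    log = SearchLog("SAR-2025-0001")  # constructed reference
    disclosable = consolidate(RAW_RECORDS, ["grievance"], log)
    print(f"{len(disclosable)} unique record(s) to review for redaction")
    print(log.to_json())
```

The log is what you hand to the ICO if the requester complains that the search was too narrow: it shows which systems were searched, which keywords were agreed, and why each record was included, merged or excluded. Hashing normalised content rather than raw bytes is what catches the same message exported from two systems; a stricter fingerprint (e.g. including attachments) can be substituted without changing the log structure.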
Update Privacy Notices
Reflect RLI, changes in SAR handling (proportional searches; stop‑the‑clock), and complaints procedures.
→ See: Data Protection Services
Refresh Data Collection Forms & Email Journeys
Prepare for a charity soft opt‑in by building opt‑out at collection and in each message; ensure the message clearly furthers the charity’s purposes.
(secure comms, opt‑out integrity)
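"Opt‑out integrity" deserves a concrete illustration: an unsubscribe link that can be guessed or altered lets one supporter opt out another, and an opt‑out that is not checked before every send is not an opt‑out. The following is an added example written for this page (not GRC Hub's product code): the unsubscribe token carries the supporter ID and channel, is signed with HMAC‑SHA256 so it cannot be forged or retargeted, expires after a fixed window, and on a valid click updates a suppression list that the send path consults. The signing key and supporter IDs are constructed placeholders.

```python
"""Added example: tamper-evident opt-out tokens and a suppression check.
Not part of the original article. Key and IDs are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed key for the example; in production load from a secrets store
# and rotate it (keep the old key briefly so in-flight links still verify).
SECRET = b"example-opt-out-signing-key-rotate-me"
MAX_AGE_SECONDS = 90 * 24 * 3600  # links in old e-mails eventually stop working


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_opt_out_token(supporter_id, channel, secret=SECRET, issued_at=None):
    """Token = base64(payload) '.' base64(HMAC-SHA256(payload))."""
    iat = int(issued_at if issued_at is not None else time.time())
    payload = json.dumps({"sid": supporter_id, "ch": channel, "iat": iat},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_opt_out_token(token, secret=SECRET, now=None,
                         max_age_seconds=MAX_AGE_SECONDS):
    """Return the payload dict if the signature and age check out, else None.
    The signature is checked before the payload is parsed or trusted."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    now = int(now if now is not None else time.time())
    if now - data["iat"] > max_age_seconds:
        return None
    return data


class SuppressionList:
    """Per-channel suppression consulted by the send path."""

    def __init__(self):
        self._blocked = set()

    def record(self, supporter_id, channel):
        self._blocked.add((supporter_id, channel))

    def may_send(self, supporter_id, channel) -> bool:
        return (supporter_id, channel) not in self._blocked


def handle_opt_out_click(token, suppression: SuppressionList, now=None) -> bool:
    """Endpoint logic: a valid token suppresses exactly the (id, channel) it names."""
    data = verify_opt_out_token(token, now=now)
    if data is None:
        return False
    suppression.record(data["sid"], data["ch"])
    return True


if __name__ == "__main__":
    suppression = SuppressionList()
    link = "https://example.org/opt-out?t=" + make_opt_out_token("sup-42", "email")
    print("embed in each message:", link)
    print("honoured:", handle_opt_out_click(link.split("t=")[1], suppression))
    print("may e-mail sup-42 now?", suppression.may_send("sup-42", "email"))
```

Two design points matter for the soft opt‑in: the suppression is keyed by channel, because a supporter who stops e‑mail may still accept SMS, and the send path must call `may_send` at send time rather than at list‑build time, so an opt‑out received between segmentation and dispatch is still honoured.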
Train Staff on SAR & Complaints Handling
Run simulations for HR and customer‑facing teams; train on proportional searches, redaction, timelines, and complaints resolution before escalation.
→ Explore: SAR Support Services
Audit Automated Systems
Where ADM exists, confirm safeguards (transparency; the ability to request human intervention and to contest the decision) are in place and documented. The DUAA relaxation does not extend to decisions based on special category data, which remain subject to the stricter pre‑existing conditions (explicit consent or a substantial public interest basis set out in law).
→ See: Cybersecurity Services
Strengthen SAR Operations with Specialist Tooling
Adopt deduplication and conversion to redactable PDFs to reduce manual burden; build QA steps to check redactions and ensure secure disclosures. (GRC Hub can provide end‑to‑end Outsourced SAR handling.)
→ See: SAR Support Services
Q1: Can my charity now send fundraising emails without prior consent?
Yes, subject to DUAA’s modified soft opt‑in, where supporters have expressed interest or offered support, the communication solely furthers charitable purposes, and a clear opt‑out is offered at collection and in every message. Check commencement dates and ICO guidance before rollout, and remember this does not apply retrospectively to existing lists collected under different terms.
Q2: What does “reasonable and proportionate” mean for SAR searches?
It recognises practical limits: you’re expected to search systems likely to contain relevant data, not exhaustively trawl every archive. Controllers can pause the response clock while awaiting clarification or identity verification. Keep a contemporaneous search log to evidence scope judgements.
Q3: Do DUAA changes affect GDPR compliance?
DUAA amends the UK regime; the core structure of UK GDPR remains. Many reforms are clarificatory (e.g., RLI; SAR proportionality; complaints) aimed at easing compliance while preserving adequacy alignment with the EU.
Q4: Who should handle SARs internally?
Employee SARs often sit with HR, while external SARs (clients, service users, tenants) typically route via Customer Services or a Data Protection function. Your DPO should provide oversight, monitor risk, and advise on proportional searches, redaction standards, and complaints handling. (GRC Hub can act as your outsourced SAR partner to absorb spikes and complex cases.)
Q5: We don’t have a formal complaints process, do we need one?
Yes. DUAA requires organisations to maintain and operate a complaints process: provide a route to complain, acknowledge within 30 days, investigate without undue delay, and communicate outcomes, before escalation to the ICO.
Q6: Are AI‑generated SARs a real issue?
Practitioners and the ICO have noted AI‑assisted DSARs as an emerging trend: comprehensive, sometimes over‑broad, and quick‑fire. Proportionality and early scope clarification are essential to avoid unnecessary effort and risk.
If you would like to learn more about how GRC Hub can support your Data Protection and Cybersecurity programme with our specialist GRC, GDPR and Cybersecurity support services, please contact us at hello@grc-hub.co.uk or by phone on 0113 532 7830.