Data Use and Access Act 2025: What Changed for DSARs in the UK

Overview of the Data Use and Access Act 2025 and its impact on DSARs in the UK, including reasonable search limits, refusing and charging for requests, and what businesses need to update.

Last updated: 2026-07-05

The UK's Post-Brexit Data Protection Overhaul

The Data Use and Access Act 2025 (DUA Act) received Royal Assent on 19 June 2025, marking the most significant change to UK data protection law since the UK left the European Union. The Act amends the UK GDPR and the Data Protection Act 2018, introducing changes that directly affect how organizations handle data subject access requests.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. The Data Use and Access Act 2025 received Royal Assent in June 2025, but many of its provisions are being brought into force on a phased basis through commencement regulations. You should consult a qualified attorney and check the latest commencement orders to determine which provisions are currently in effect. The information here is based on the Act as passed and publicly available ICO guidance as of the date of publication.

If you handle DSARs for a UK business, you need to understand what has changed, what is staying the same, and what you need to update in your processes. This guide covers the key DSAR-related changes and their practical implications.

For the current DSAR deadlines and process under UK law, see our DSAR response deadlines guide.

Background: Why This Act Exists

The DUA Act is the successor to the Data Protection and Digital Information Bill, which was introduced by the previous UK government and went through multiple iterations before being dropped ahead of the 2024 general election. The new government revived many of the same provisions under a different name, with some modifications.

The stated goals include reducing compliance burdens on businesses, clarifying ambiguous areas of the UK GDPR, and enabling greater use of data for economic and research purposes — while maintaining what the government describes as "high standards" of data protection. Whether it achieves that balance depends on who you ask.

For organizations handling DSARs, the relevant changes fall into three main areas: what counts as a reasonable search, when you can refuse or charge for requests, and how the ICO will approach enforcement.

Key Change 1: The "Reasonable Search" Standard

What Changed

The DUA Act introduces a clearer framework for what constitutes a reasonable search when responding to a DSAR. Under the pre-existing UK GDPR, Article 12(1) required organizations to take "reasonable steps" to verify identity and locate data, but the law did not define what "reasonable" meant in the context of searching for data.

The DUA Act codifies the principle that a controller is not required to conduct searches that are disproportionate to the nature of the request. When assessing whether a search is proportionate, controllers can consider:

  • The cost of the search relative to the size and resources of the organization
  • The nature and volume of data likely to be found
  • The state of the technology available for conducting the search
  • Whether the requester has provided information that would help narrow the search (such as date ranges, specific systems, or types of data)

What This Means in Practice

This does not give organizations a blank check to perform cursory searches and call it a day. The obligation to provide personal data in response to a SAR remains. What it does is provide a statutory basis for not turning every system upside down when a more targeted approach would locate the relevant data.

For example: if a former customer makes a SAR and you know their data is in your CRM and email system, you are not necessarily required to also search archived backup tapes from five years ago that would cost thousands of pounds to restore — unless there is a specific reason to believe relevant data exists there that is not held anywhere else.

The key word is "disproportionate." A search that skips obvious data sources is not proportionate, regardless of cost. A search that declines to restore corrupted archives when the same data exists in active systems may be.

What to Update

Review your DSAR search procedures. Document the systems you search for each type of request, the criteria you use to decide which systems are in scope, and how you assess proportionality. If you are relying on the reasonable search standard to exclude certain systems, record your reasoning. You will need it if the decision is challenged.

Key Change 2: Refusing and Charging for Requests

What Changed

The DUA Act clarifies the existing framework for refusing DSARs and charging fees. Under the UK GDPR, controllers can refuse or charge for requests that are "manifestly unfounded or excessive." The DUA Act retains this threshold — notably, the earlier Data Protection and Digital Information (DPDI) Bill had proposed replacing it with a broader "vexatious or excessive" test, but that proposal was dropped from the final legislation.

What the DUA Act does introduce is additional statutory guidance on how to assess whether a request is manifestly unfounded or excessive. Section 75 amends section 53 of the DPA 2018 to clarify factors controllers may consider, including:

  • Whether the request is repetitive in nature
  • Whether the request overlaps substantially with a previous request to which the controller has already responded
  • Whether the request appears to have no serious purpose or value
  • The volume of data and effort involved relative to the purpose of the request

What This Means in Practice

The threshold for refusing or charging for DSARs has not materially changed. The "manifestly unfounded or excessive" test remains in place. What has changed is that controllers now have statutory factors to point to when making that assessment, rather than relying entirely on ICO guidance and case law.

This provides slightly more certainty for controllers, but it does not lower the bar. An organization that uses the clarified factors as an excuse to routinely refuse inconvenient requests will face the same enforcement consequences as before. The core principle remains — the default position is that you must respond to DSARs, and refusal is the exception.

If you receive requests that you believe are manifestly unfounded or excessive, see our detailed guide on handling vexatious and excessive DSARs.

What to Update

Review your DSAR policy to ensure it reflects the statutory factors now set out in the DUA Act. If your internal guidance on refusing requests was based solely on ICO guidance, update it to incorporate the legislative criteria. Ensure your decision-making process is documented — the statutory factors give you clearer language to use when recording your reasoning.

Key Change 3: ICO Enforcement and Guidance

What Changed

The DUA Act restructures the ICO's governance and enforcement approach. Key changes include:

  • A new governance structure for the ICO, replacing the Information Commissioner with a commission-style board. This changes the internal decision-making process but should not directly affect how individual DSAR complaints are handled.
  • A duty to consider the impact on innovation and competition when exercising regulatory functions. This does not override data protection obligations, but it signals a shift in regulatory philosophy.
  • Updated powers for the ICO to issue reprimands, enforcement notices, and penalties, with some procedural changes to the enforcement process.

What This Means in Practice

The ICO's ability to investigate DSAR complaints and take enforcement action remains intact. The changes are more about the ICO's internal structure and strategic priorities than about the substance of enforcement.

However, the duty to consider innovation and competition could influence how the ICO prioritizes enforcement resources. Organizations should not assume this means less enforcement — but it may mean the ICO is more willing to accept reasonable, proportionate approaches to DSAR compliance rather than insisting on the most exhaustive possible response in every case.

Key Change 4: Senior Responsible Individual

What Changed

The DUA Act introduces a new requirement for certain organizations to designate a senior responsible individual (SRI) for data protection compliance. This is an additional role — the existing requirement to appoint a Data Protection Officer (DPO) where applicable is retained. The earlier DPDI Bill had proposed replacing the DPO with an SRI, but the final DUA Act keeps both.

The SRI must be a member of the organization's senior management team, responsible for overseeing data protection compliance at a strategic level. Unlike the DPO — who serves as an independent advisor — the SRI is embedded in the management structure with direct accountability for ensuring the organization meets its obligations.

What This Means for DSARs

The SRI must ensure the organization has adequate processes for handling data subject rights, including DSARs. If your DSAR process is currently ad hoc or undocumented, this is the push to formalize it.

Organizations that already have a DPO do not lose that role. Where both are required, the DPO continues to provide independent advice while the SRI takes management responsibility for ensuring that advice is acted upon. For smaller organizations that were not previously required to appoint a DPO, the SRI requirement may be the first formal accountability assignment for data protection.

What Stayed the Same

Not everything changed. Several core DSAR principles remain intact:

  • The one-month response deadline for standard requests is unchanged
  • The right to extend by up to two months for complex requests is unchanged
  • The obligation to provide data free of charge for the first copy remains the default
  • The requirement to verify identity before disclosing data is unchanged
  • The right to complain to the ICO and seek judicial remedies is preserved
  • The scope of personal data covered by the right of access is not narrowed

The fundamental right of access — the ability of individuals to obtain a copy of their personal data — remains robust. The DUA Act adjusts the mechanics and introduces some flexibility for controllers, but it does not diminish the right itself.

What Businesses Need to Do Now

1. Review Your DSAR Policy

Check whether your policy addresses the statutory factors for assessing manifestly unfounded or excessive requests introduced by the DUA Act. Ensure the policy reflects the reasonable search standard and the clarified refusal/charging criteria.

2. Update Search Procedures

Document which systems you search for different types of requests and how you assess whether a search is proportionate. This documentation will be your evidence if a decision is challenged.

3. Assign the Senior Responsible Individual

Identify who in your organization will take on this role and ensure they have visibility into the DSAR process.

4. Train Your Team

Anyone involved in handling DSARs needs to understand the changes. This does not need to be extensive — a briefing covering the key differences is sufficient for most teams. For a structured approach, see our DSAR training guide.

5. Monitor Commencement Orders

Not all provisions of the DUA Act are in force immediately. Check the latest commencement regulations to confirm which changes apply to your processing today and which are still pending.

6. Watch for Updated ICO Guidance

The ICO is expected to update its guidance to reflect the DUA Act's provisions. Monitor the ICO website for updated right-of-access guidance and incorporate it into your processes.

The EU Adequacy Question

One consideration that looms over the DUA Act is the UK's adequacy status with the European Union. The EU's adequacy decision for the UK — which allows personal data to flow freely from the EU to the UK — is subject to periodic review. If the EU determines that the DUA Act has lowered UK data protection standards below the threshold required for adequacy, the decision could be revoked, creating significant disruption for UK businesses that receive personal data from EU customers, partners, or employees.

The UK government has stated that the DUA Act maintains high data protection standards. The European Commission will make its own assessment. For businesses that rely on EU-UK data flows, this is worth monitoring closely.

For more on handling requests that span multiple jurisdictions, see our guide on cross-border DSARs.

References

Last reviewed: July 2026. The DUA Act's provisions are being brought into force on a phased basis. Verify the latest commencement orders and ICO guidance to determine which changes are currently in effect. Consult qualified legal counsel before making compliance decisions for your business.

Related Guides

Stay Ahead of the Changes

Our DSAR Compliance Guide is updated to reflect the DUA Act's provisions, with practical checklists and process templates designed for small businesses navigating UK data protection requirements.

Read the DSAR Compliance Guide