Regulatory Influencer: What The UK’s New Data Act Means For Payments Firms

September 4, 2025
On June 19, 2025, the UK passed the Data (Use and Access) Act (DUAA). The legislation is intended to create a flexible, business-friendly framework for data sharing, instilling a smart data culture in the UK while supporting the transition from open banking to open finance and maintaining consumer protection.

Most of the provisions of the DUAA will come into force within two or six months of its passage, although some may take up to 12 months.

The DUAA is the Labour government’s version of its predecessor’s Data Protection and Digital Information (DPDI) Bill, which was lost in the “wash-up” prior to the 2024 general election.

The act aims to give payments firms new opportunities to innovate by legitimising data-driven services, enabling open finance and empowering greater automation.

However, it also requires greater transparency and imposes enhanced user safeguards, meaning firms will need to review their processes and ensure they can meet their new obligations.

The act amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).

It introduces provisions for digital verification services, facilitates the sharing of customer and business data and establishes a new public register of underground infrastructure.

One of its aims is to increase consistency across the UK’s data privacy landscape by aligning the financial penalties for breaches of the PECR with those already in place under the UK GDPR.

This raises the maximum PECR penalty from £500,000 to £17.5m or 4 percent of worldwide annual turnover, whichever is higher.

This should prompt payments firms to review the DUAA to determine how it applies in practice and what steps they need to take to avoid the risk of such severe penalties.

The bigger picture

A key feature of the DUAA is its effort to build on open banking by enabling customers to request secure data sharing via authorised third-party providers (ATPs).

This may create opportunities for payments firms to become ATPs, offering richer services through enhanced access to customer data, such as integrating account information across platforms. At the same time, they may be required to share their own proprietary datasets, potentially reducing their competitive advantage.

The act also introduces “recognised legitimate interests” as a simpler legal basis for processing personal data without requiring a balancing test. This applies in particular to areas such as fraud prevention and security.

This means payments firms will be able to use customer data more confidently in essential operations such as fraud detection and network security, streamlining their compliance activities.

In addition, the DUAA eases the rules for automated decision-making (ADM) in areas such as algorithm-based loan approvals and transaction flagging.

The provisions of the act allow ADM beyond what was previously permitted, provided users can challenge decisions and request human review.

This will enable payments firms to accelerate their automation of decision-making processes, which will increase efficiency, provided they maintain key safeguards.

Another related easing of the rules introduced under the DUAA concerns data subject access requests (DSARs). Firms are now only required to conduct “reasonable and proportionate” searches in response to these requests, rather than exhaustive ones.

This codifies existing Information Commissioner's Office (ICO) guidance, and will reduce the administrative burden for firms. However, they must still ensure that they make genuine efforts to locate and provide the requested data.

Firms will also need to implement a formal mechanism for handling data protection complaints from data subjects, with an accessible channel for lodging complaints, acknowledgement within 30 days and a process for responding without undue delay.

Overall, the updated rules on DSARs and complaints should provide practical relief for payments firms. 

However, organisations will need to invest in complaint-handling infrastructure and update their privacy policies to comply.

The DUAA is also intended to make international data transfers smoother by introducing a more flexible data protection test. Other countries’ data protection regimes need only be “not materially lower” than the UK standard, rather than meeting the “essential equivalence” applied under EU law. In practice, a third country’s data protection regime must be comparable to, although not identical with, UK standards to be considered adequate.

Cross-border transactions with partners outside the EU are likely to be smoother under the new rules, although data adequacy with the EU could be jeopardised, potentially complicating transfers with EU-based clients.

As noted, the act also has implications for compliance relating to privacy and the PECR, including aligning the potential fines for breaches with those in place under the UK GDPR.

This will require payments firms to tighten their policies on cookie tracking, especially for marketing and analytics, adjusting their consent mechanisms to mitigate regulatory risks.

Why should you care?

The DUAA’s goal of creating a flexible, business-friendly framework for data sharing represents an opportunity for payments firms to develop the next generation of services through secure, interoperable data use.

Offering cutting-edge open banking and open finance services naturally involves a deep reliance on data, including in compliance, risk management, client service and product innovation.

Firms should, therefore, ensure that they closely review the details of the act to assess their compliance obligations. 

The new requirements introduced under the legislation are intended to improve data accessibility and security, while boosting public trust in the processes behind new services.

Although the new compliance obligations may be seen as an additional burden, they should prove worthwhile in the long run as operations become more streamlined.

Payments firms operating in the UK should consider the following steps to ensure they are in compliance with the terms of the DUAA:

  • Review their data-sharing strategy, determining whether they intend to operate as ATPs under smart data schemes and preparing for potential compulsory data-sharing obligations.
  • Update their documentation, revising privacy notices, processing inventories and records of processing activities (ROPAs) to reflect the use of recognised legitimate interests.
  • Enhance their transparency and ADM controls, ensuring all automated decision systems allow both user contestation and human review, and include plain-language explanations of decisions.
  • Build or improve their complaint frameworks, including accessible complaint portals, and train teams on the new timelines.
  • Assess their cookie and marketing practices, implementing appropriate consent mechanisms and evaluating existing tools to ensure transparency requirements are met.

Organisations that get to grips with the obligations and opportunities of the DUAA will be well placed to thrive in the evolving environment of open banking and open finance.
