If you are a woman building, scaling, or advising in tech, the UK’s new Data (Use and Access) Act 2025 isn’t just a policy update. It is a reset of how you can use personal data across industries, writes Marina Danielyan of digital and information law firm Gerrish Legal.
Data (Use & Access) 2025: now in force
Formally known as the Data Protection and Digital Information Act, the new Data (Use and Access) Act (or ‘DUAA’ for short) received royal assent on June 19th 2025, meaning this bid to modernise data protection is now law in the UK.
What are the DUAA’s aims and objectives?
The DUAA aims to reduce red tape, support innovation, especially in AI and R&D, and provide organisations with more flexibility in how they collect and use data — all while staying close enough to the EU’s GDPR to ensure the data flow remains uninterrupted.
For women working in product, engineering, legal, or leadership roles in tech, here are 5 things you need to know about the DUAA, and why it matters.
Top 6 DUAA must-knows as a woman in tech
1. Expanded grounds for data processing
The DUAA makes it much easier to rely on “legitimate interest” as a legal basis for data processing, without needing a user’s explicit consent.
How? Well, the act introduces a predefined list of “recognised legitimate interests” (e.g. fraud prevention, internal business transfers, security), which skips the GDPR-style balancing test.
Therefore, women in tech can now process personal data in many everyday scenarios, from product analytics to internal admin, with less friction.
However, if you are handling data on EU users, the GDPR rules remain unchanged.
2. Broadened definition of scientific research to include commercial innovation
Elsewhere, the DUAA redefines “scientific research” to include commercial innovation, not just academic or publicly funded projects.
This opens the door for startups and private companies to:
- Reuse data for new research purposes;
- Keep data longer for training models or testing products, and;
- Access public sector datasets under new legal gateways.
Are you a woman who works in healthtech, AI, or experimental features? Well, you therefore now have a clearer legal footing, as long as you follow privacy safeguards, such as pseudonymisation and ethical review.
3. Targeted relaxation of cookie and direct marketing rules
The DUAA relaxes rules around cookie consent.
Under the act, Analytics and UI performance cookies no longer require a pop-up, as long as they are non-intrusive.
So-called ‘soft’ opt-in rules for marketing emails have also been expanded, meaning charities and non-profits can contact users more easily.
However, these changes only apply to the UK.
So if you’re contracting as a woman in tech and your client’s platform reaches EU users, you still need full GDPR-style consent mechanisms.
4. New framework for automated decision-making and AI regulation
The UK has moved away from the GDPR’s near-ban on fully automated decisions with “legal or significant effects.”
Instead, AI-driven decisions are allowed under the DUAA if you implement proper safeguards, such as:
- Informing users about the logic;
- Giving users a way to contest the outcome, and;
- Providing human oversight.
For women in tech teams building AI tools, especially in HR, banking, or insurance, this new allowance means more flexibility – but also responsible design.
In fact, fairness, explainability, and the ability for users to contest decisions should be key considerations when designing automated systems.
5. Reform of the Information Commissioner’s Office
The UK’s data protection and information rights watchdog, the Information Commissioner’s Office, is being restructured as the Information Commission (IC).
The watchdog (the IC) has a revised legal framework and an expanded mandate that includes not only upholding privacy rights, but also supporting economic growth and innovation.
In practice, this is a shift toward more business-oriented guidance, swifter engagement with scaleups, and a regulatory approach that may be less inclined to adopt a restrictive stance by default.
6. Implications for EU-UK data transfers and adequacy status
The EU currently recognises the UK’s data protection regime as “adequate,” allowing for free data flows.
However, the DUAA introduces further divergence from the GDPR, which could put that status at risk.
Women in tech working for, or at, organisations handling EU user data should maintain dual compliance, as the UK’s more flexible rules may not reduce overall complexity.
DUAA now in force: top five steps for women in tech to take
- Review your data practices. Determine, for example, whether ‘legitimate interest’ can replace ‘consent.’
- Identify where your data subjects are located — the UK, EU, or both.
- Ensure AI systems include human oversight, transparency, and appeal mechanisms.
- Monitor regulatory guidance. New rules may offer strategic opportunities.
- Maintain strong ethical standards. A more flexible law does not justify weaker governance!
TLDR: The DUAA is a future-proof set of tech rules women can leverage…
The DUAA is about more than compliance — it signals that the UK wants to be a global hub for AI and data-driven innovation.
And the women shaping this space, whether you write code or policy, have an opportunity to lead, not just follow.
In a world where privacy, trust, and tech are increasingly entangled, understanding the legal frameworks is no longer optional. It’s a superpower.
Gerrish Legal
Gerrish Legal is a digital commercial law firm based in London, Stockholm and Paris. Gerrish Legal gives contractors the trusted legal support they need to run their business in all areas of commerical, contract, intellectual property and data protection law. Unlike traditional law firms, we follow your legal matter from A to Z. From the moment contractors partner with us, they can rest assured their legal needs will be looked after with the utmost care. We stay on top of the latest trends, embrace innovation, and provide flexible legal advice in accordance with our contractors’ budgets and deadlines.
