Page 25 - BOSS Today Issue 62

DOWN TO BUSINESS

DATA PROTECTION & SUBJECT ACCESS REQUESTS
NEW GUIDANCE

The Data (Use and Access) Act 2025 (“DUAA”, “the Act”) received Royal Assent on 19 June 2025. This is a wide-ranging Act which includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register. It also includes some important changes to the UK’s data protection and privacy legislation.

The DUAA will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003, but it will make some changes to them to make the rules simpler for organisations.

The DUAA clarifies the time limits for organisations to respond to subject access requests (requests by individuals to access and receive a copy of their personal data). It includes a “stop the clock” rule, allowing organisations to pause the response time if they need more information from the requester. Once they get the information they need, the response time continues. The new Act also clarifies that organisations need to make reasonable and proportionate searches when responding to requests from data subjects for access to their personal information. This means they must make genuine efforts to locate the requested data but are not obligated to conduct exhaustive searches that impose an excessive burden.

Organisations will still be able to refuse manifestly unfounded or excessive requests.

New Cookie rules

There are new cookie rules that allow you to set some types of cookies without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website.

There is a new requirement for organisations to establish a complaint handling process for data subjects. If you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also must acknowledge complaints within 30 days and respond to them ‘without undue delay’.

Amongst other notable changes, the Act also introduces a statutory exemption from Subject Access Requests for information protected by legal professional privilege.

For further information or if you’re unsure regarding the above, please contact our legal department via hello@bossfederation.co.uk

