A Changing Framework for Data Protection
The Data (Use and Access) Act 2025 (DUAA) became law in June 2025 and is being implemented in stages over the following year. In response, the ICO has released updated guidance to help organisations understand what’s changing and how to prepare.
Under the UK GDPR, organisations already had to think about data protection and privacy from the very start when designing systems and services. This principle, data protection by design and by default, ensures privacy is built in, not added later.
The DUAA introduces several changes, meaning organisations will need to update how they approach data protection in their designs.
Enhanced Duties for Online Services Used by Children
One major change introduced by the DUAA relates to children’s higher protection matters. If your organisation provides online services likely to be accessed by children, you must now comply with strengthened duties within the data protection by design framework.
These duties build on the ICO’s Children’s Code and require heightened privacy protections. The ICO expects that organisations familiar with this Code will already be aligned with much of what the DUAA now requires.
Organisations must demonstrate that they have actively considered children’s developmental needs, their reduced understanding of risks and the vulnerabilities they face when interacting with digital services.
What Organisations Need to Do in Practice
As children may not fully understand the risks of sharing personal information or know what their rights are, organisations must design any online service that children are likely to use with a child-centred approach from the beginning – creating interfaces, settings and practices that put safety and clarity first.
Organisations must be able to evidence the steps taken, e.g. by documenting how design choices were made, how risks were assessed and mitigated, and how they ensured that children’s best interests were central to the decision-making process.
How Hope & May Can Support
If your organisation offers online services that children may use, and you are unsure how the DUAA affects your obligations, we can help.
We provide tailored advice on:
- understanding new DUAA requirements
- embedding data protection by design and default into your services
- assessing risks and evidencing accountability
- aligning your practices with the ICO’s guidance and the Children’s Code
We support organisations at every stage of compliance, helping you create services that are safe, transparent and fully aligned with the new legal landscape.