The Data (Use & Access) Act 2025 (DUAA) introduces significant changes to the UK’s data protection framework, bringing both opportunities and new compliance requirements for membership organisations.
What the DUAA means
The DUAA, which received Royal Assent on 19th June 2025, introduces significant updates to UK data protection laws, affecting how membership organisations handle personal data. Set to roll out between June 2025 and June 2026, these changes aim to balance innovation and growth with robust privacy safeguards.
For membership bodies, the DUAA presents both opportunities to streamline operations and new compliance requirements to navigate. Here’s a breakdown of its key implications and how your organisation can prepare.
Key changes introduced by the DUAA
Simplified Direct Marketing Rules
- Direct marketing, like sending newsletters, is now a “legitimate interest” under the UK GDPR, with a balancing test required. You benefit from relaxed “soft opt-in” rules, allowing electronic marketing to members without explicit consent, provided an opt-out is included.
- What it means for you: Update marketing policies, ensure clear opt-outs, and comply with PECR to avoid fines.
Cookies Without Consent
- Cookies for analytics and content optimisation can be used without consent in low-risk cases, if an opt-out is provided.
- What it means for you: Update website cookie banners to include opt-outs and revise cookie policies.
Data Subject Access Requests (DSARs)
- A “stop the clock” rule pauses the one-month DSAR response deadline if clarification is needed. Searches must be “reasonable and proportionate.”
- What it means for you: Update DSAR procedures to use the new rule and align searches with the standard.
Mandatory Complaints Process
- Organisations must have a formal data protection complaints process, including an electronic form, with complaints acknowledged within 30 days.
- What it means for you: Set up an online complaints form and train staff to respond promptly.
Stronger ICO Enforcement
- The ICO gains powers to compel interviews, request reports, and issue fines up to £17.5m or 4% of turnover under PECR.
- What it means for you: Prioritise compliance, especially for marketing and cookies, to avoid penalties.
Opportunities for Membership Organisations
The DUAA’s changes offer several benefits for membership bodies:
- Operational Efficiency: Simplified data processing and sharing rules can reduce administrative overheads, allowing your team to focus on delivering value to members.
- Enhanced Member Insights: Easier data reuse for research or analytics can help you better understand member needs, driving engagement and retention.
- Innovation and Growth: The Act supports innovation by clarifying when data can be used for research or service development, enabling you to create tailored offerings for members.
Compliance Considerations
To align with the DUAA, membership organisations should take proactive steps:
- Review Data Practices: Assess how you collect, store, and use member data to ensure compliance with the new lawful basis and data-sharing rules.
- Update Privacy Notices: Reflect changes in data reuse or cookie policies in your privacy notices to maintain transparency with members.
- Strengthen Complaints Processes: Implement or refine systems for handling data-related complaints, ensuring they meet the DUAA’s requirements.
- Protect Children’s Data: If your services are accessible to children, review your data protection measures to align with the Act’s child-focused provisions.
- Monitor ICO Guidance: The Information Commissioner’s Office (ICO) will release updated guidance as the DUAA’s provisions take effect. Stay informed to ensure ongoing compliance.
The DUAA brings significant changes that membership organisations must navigate to ensure compliance while seizing opportunities for growth. By reviewing data practices, updating privacy policies, and strengthening member engagement processes, you can adapt effectively to the new regulations. Stay informed about ICO guidance and consider investing in robust data management systems to streamline compliance and enhance member experiences. Preparing now will position your organisation to thrive in a data-driven future.
Wattle work strategically with membership organisations, through the deployment of integrated website, CMS and CRM solutions, to help them significantly increase membership acquisition, drive deeper member engagement, and demonstrate compelling gains in member value.