The Data (Use and Access) Act 2025: Key Implications for Businesses as the New International Transfer Regime Takes Effect (Part 1)
This update follows on from our previous articles – From Parliamentary Ping‑Pong to Policy Pillar: The Data (Use and Access) Bill Becomes Law and Key Dates to Diarise: DUAA Implementation Timeline – and forms Part 1 of an ongoing series from Burges Salmon’s Commercial & Technology team on the Data (Use and Access) Act 2025 (“DUAA”).
This article looks at how DUAA changes the rules on international data transfers and what businesses need to be aware of.
New rules on international data transfers now in force
The Government’s latest commencement regulations bring into force on 5 February 2026 the majority of data protection changes under Part 5, including the new ‘data protection test’ and the other changes to the UK’s international transfers regime. This is a key milestone in the DUAA’s implementation: organisations now need to ensure their cross‑border data transfer arrangements are aligned with the updated legal framework.
In parallel, the ICO has already issued updated guidance on international transfers, published on 15 January 2026 (see further details below).
The new “not materially lower” data protection test
The DUAA introduces a new ‘data protection test’ for international transfers. When transferring personal data outside of the UK, organisations most commonly rely on either the recipient country being covered by a UK adequacy decision or another safeguard, such as the International Data Transfer Agreement (“IDTA”) or UK Addendum.
When relying on appropriate safeguards, exporters are required to conduct a transfer risk assessment (“TRA”). Pre-DUAA, this meant demonstrating that personal data transferred outside of the UK is protected in a way that is “essentially equivalent” to the UK GDPR. The DUAA changes the threshold from “essentially equivalent” to “not materially lower” than the standard of protection provided under the UK GDPR.
The data protection test must be applied in two circumstances: (1) when the UK Government is making an adequacy decision in respect of a third country or international organisation; and (2) when an organisation is conducting a TRA.
Other changes to the international data transfers regime
The DUAA also codifies the requirement to conduct a TRA for transfers subject to appropriate safeguards. It does this by saying that an organisation must meet the data protection test “reasonably and proportionately”. The previous obligation to conduct a TRA arose under Schrems II.
Other changes include:
What does this mean for organisations in practice?
The overall regime restricting international transfers remains broadly the same. The reforms under DUAA are intended to enable a more flexible, risk‑based approach to international data transfers, which should make it easier for organisations to carry out TRAs when relying on appropriate safeguards.
When conducting TRAs, the assessment should consider the nature, volume and sensitivity of the data and the actual risks associated with the transfer, rather than undertaking detailed comparisons of foreign legal systems to assess equivalence.
This may be a slightly lower standard than the "essentially equivalent" test, but it remains to be seen whether this will prove a meaningful distinction in practice.
ICO updated guidance
The ICO has published an update to its international transfers guidance to help organisations navigate the UK GDPR transfer regime post DUAA. The guidance introduces a more structured three‑step test for identifying restricted transfers. It also clarifies the division of responsibilities between controllers and processors, particularly in relation to onward transfers and situations where processors initiate the transfer themselves.
The ICO has also addressed how responsibility for international transfers should be allocated. Instead of the original approach of establishing who both ‘initiated and agreed’ the transfer, the guidance now focuses only on who is initiating it. In practice, this means organisations can no longer assume that the entity physically receiving the data is the one responsible for complying with the transfer rules, because responsibility may instead rest with the party that set the transfer in motion, even if another group company or subsidiary is the one that actually receives the data.
In relation to TRAs, the ICO states that the organisation is not required to complete a TRA when the receiver of the restricted transfer further transfers the information to a third party (which the ICO refers to as an ‘onward transfer’). However, it stresses that contractual protections for onward transfers should be included in data protection clauses in contracts. Additionally, the ICO confirms that the IDTA or UK Addendum can be incorporated into contracts by reference provided the requirements set out in its guidance here are met.
The ICO has signalled that further guidance is forthcoming, including more detailed material on TRAs, the IDTA and cloud‑specific issues.
Next steps
Organisations should consider the following steps now to ensure alignment with the new rules:
For queries or advice on the content of this article, please contact Hamish Corner, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team.
This article was written by Ruadhán Ó Gráda and Amanda Leiu.