How the Data (Use and Access) Act 2025 impacts on vulnerable customer data
- Robert Bell
- 12 hours ago
- 2 min read
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, becoming law. The Act aims to update aspects of data protection law to make it more streamlined and less costly for businesses whilst maintaining common sense protections for data subjects.
For financial services firms, the Act changes how vulnerable customer data may be processed. This article explores that impact.
Recognised legitimate interests
To process vulnerable customer data, firms need a legal basis to do so under Article 6 (and Article 9 if the data happens to be special category data). Article 6 enables firms to choose from a range of bases, such as consent, contractual performance, vital interests or legitimate interests. Legitimate interests is the basis most often used because it is the most flexible; vital interests, by contrast, is limited to situations where processing is literally needed to keep a person alive and consent cannot be obtained.
Until the 2025 Act, firms processing data under legitimate interests needed to undertake a legitimate interest assessment, in which the rights and freedoms of the data subject (i.e. privacy) were balanced against the legitimate reasons the data controller has to process the data. The DUAA introduces a list of “recognised legitimate interests” for which firms can process personal data without a full assessment. This list includes safeguarding vulnerable people. As such, we now have certainty that vulnerable customer data falls into this category.
Purpose limitation
Another UK GDPR technicality that often prevented the use of data to support customers was purpose limitation, which required controllers to use data only for the purpose for which it had been collected. The 2025 Act enables controllers to ‘add’ an additional purpose for one of a number of specific reasons set out in the Act, one of which is safeguarding vulnerable individuals at economic risk. Again, the Act removes a barrier to the use of data as long as it is used to support vulnerable customers.
How can we help?
Need help reviewing your data protection policies, practices or basis for processing data? Simply contact us and we would be happy to discuss the support we can provide: robert.bell@rbcompliance.co.uk
Other key points to note:
The Act allows broader use of solely automated decision-making (sole-ADM), even for credit scoring or account management—provided no special category data is involved
DUAA extends open banking-style schemes to open finance, enabling secure sharing of data with third parties on request
The Act relaxes PECR rules to allow analytics cookies without explicit consent
Firms must now provide a robust complaints route—including acknowledgement within 30 days and resolution “without undue delay” before escalation to the ICO