Think of it like this:

• Asking for your data (Subject Access Requests): Before, if you asked a company for all the information they had on you, they had to search everything. Now, the law says they only have to make a “reasonable and proportionate” effort. This means they don’t have to spend a ridiculous amount of time or money looking for every last detail.
• Sharing your data: The law makes it easier for a company to share your information with another company in the same group (like a parent company and its child company) or to send it to countries outside the UK.
• Automated decisions: Companies can now use computer programs and AI more freely to make important decisions about you (like approving you for a rental property), as long as they have a way for a real person to review the decision if you ask.
• Complaints: The law now requires companies to have a clear and simple way for you to complain if you think they’ve mishandled your data. They have to respond to you within 30 days.
• Big fines: The penalties for breaking direct marketing rules (like sending you junk mail you didn’t ask for) have been massively increased.

Essentially, the new law gives property businesses more freedom to use data to run their operations more efficiently, but also puts new requirements on them to be more transparent and have clear procedures in place for handling your requests and complaints.

Businesses should take immediate action by reviewing and updating their privacy notices, establishing formal complaints procedures, and exploring opportunities to use the new “recognised legitimate interests” basis. In the medium term, they should evaluate their automated systems, review international data transfer arrangements, and train staff on the new procedures. Overall, the DUAA is seen as a move toward a more pragmatic data protection environment, creating opportunities for more efficient business processes.