The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. It introduces changes to UK data protection law with the goal of promoting innovation and economic growth.

The majority of the changes comprise minor relaxations of data protection requirements. However, businesses and stakeholders need to prepare for the upcoming changes.

Simplified data protection regime

DUAA introduces several changes aimed at streamlining data protection laws to make compliance easier while maintaining robust privacy standards.

It does this by making a number of changes to the United Kingdom General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations 2003 (PECR), including:

  • New lawful ground of 'recognised legitimate interests' where the need to carry out a balancing assessment is removed.
  • Removal of explicit consent requirements for non-intrusive cookies such as statistical data collection and remembering viewing preferences and user locations.
  • Bringing enforcement powers under PECR, including fines, in line with UK GDPR. PECR fines were limited to £500,000.
  • Widening of the grounds that can be relied upon for solely automated decisions – this includes being able to rely on legitimate interests where special category data is not being processed.
  • Simplification of scientific research provisions.
  • Clarifications on dealing with subject access requests such as time limits and the scope of searches.
  • New requirement to help individuals who want to make a complaint to you.
  • Changes to rules on international transfers to make the process easier.
  • Changes to the governance structure of the Information Commissioner's Office (ICO), which is soon to be known as the Information Commission.

The Department for Science, Innovation and Technology (DSIT) has published a summary of the key data protection and privacy changes, which gives further details of the changes. The ICO has also produced an overview of what DUAA means for organisations and how it might make things easier.

Other changes introduced by DUAA

DUAA does not only make changes to the UK's data protection laws. It also makes provision about access to customer data and business data:

  • Smart Data Schemes: new initiatives to enhance data sharing and innovation across industries.
  • Digital Verification Services: establishment of a framework for secure and efficient digital identity verification.
  • National Underground Asset Register: creation of a digital register of underground infrastructure to improve the management and safety of underground assets.

The UK Government press release tells us that these changes are designed to create a modern digital government while still maintaining high standards of data protection.

A Timeline for change

DSIT has published a summary of the Government’s plans for bringing into force provisions in the DUAA. The summary helpfully includes an implementation timeline which breaks down the stages for implementation.

We don't know the exact dates on which all of the changes will come into force. Secondary legislation (in the form of regulations) is needed to bring many of DUAA's changes into force. DSIT has indicated that it will take between 6-12 months from Royal Assent for all of the changes to be brought into force, which takes us to mid-June 2026. The DSIT timeline tells us that the main changes to data protection legislation won't happen until 6 months from Royal Assent (approximately 19 December 2025). 

Below is a summary of what we know so far:

Date / Action

19 June 2025

DUAA received Royal Assent.

Section 142(2) specified those provisions which came into force immediately, including:

  • Section 78 which relates to reasonable and proportionate searches in response to data subject access requests (DSARs);
  • Section 126 which addresses the retention of biometric data and recordable offences; and
  • Section 127 which concerns the retention of pseudonymised biometric data.

Our article on the DUA Bill and DSARs notes that Section 78 reflects what has been standard practice in the UK for a number of years.

21 July 2025

The Data (Use and Access) Act 2025 (Commencement No 1) Regulations 2025 are made. The Commencement No 1 Regulations provide that certain provisions of DUAA come into force on 20 August 2025 (see below).

19 August 2025

Further provisions of DUAA are scheduled to come into force as outlined in section 142(3) of DUAA. These provisions relate to law enforcement processing, new powers for the ICO, and other minor issues.

20 August 2025

The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 bring into force several provisions of DUAA, including sections 74, 84, 91, 92, 93, 95, 102, 104, 106 to 109, 110 (with exceptions), 111, 113, 117 (with exceptions), and Schedule 14.

The provisions of DUAA which come into force on 20 August 2025 are mostly technical provisions and new statutory objectives for the ICO when carrying out its functions. However, sections 109, 110 (with exceptions), 111 and 113 amend PECR and extend the notification period for reporting a personal data breach to the Information Commissioner's Office from without undue delay or within 24 hours to "without undue delay and where feasible, not later than 72 hours after having become aware of it", which mirrors the UK GDPR requirements. In addition, section 117 establishes the Information Commission.

2 September 2025

The Data (Use and Access) Act 2025 (Commencement No 2) Regulations 2025 are made. The Commencement No 2 Regulations provide that certain provisions of DUAA come into force on 30 September 2025 (see below).

4 and 5 September 2025

The Data (Use and Access) Act 2025 (Commencement No 3 and Transitional and Saving Provisions) Regulations 2025 are made. The Commencement No 3 Regulations provide that certain provisions of DUAA come into force on 5 September 2025 and 17 November (see below).

On 5 September 2025 section 79 and section 88 of DUAA come into force. They concern exemptions for legal professional privilege and national security respectively.

30 September 2025

The Data (Use and Access) Act 2025 (Commencement No 2) Regulations 2025 bring into force section 124 of DUAA concerning the retention of information by providers of internet services in connection with the death of a child.

17 November 2026

The Data (Use and Access) Act 2025 (Commencement No 3 and Transitional and Saving Provisions) Regulations 2025 bring into force section 89 (joint processing by intelligence services and competent authorities) and section 90 (joint processing: consequential amendments) of DUAA.

By 19 December 2025

The Secretary of State must give Parliament a progress statement with regard to the economic impact assessment and the report, each concerning copyright and AI (section 137 DUAA). See below for further details.

27 December 2025

EU/UK adequacy decisions extended until this date.

By 19 March 2026

The Government is required to publish:

  • an assessment of the economic impact in the United Kingdom of each of the four policy options described in section B.4 of the Copyright and AI Consultation Paper (section 135 DUAA); and
  • a report on the use of copyright works in the development of AI systems (section 136 DUAA).

By Mid-June 2026

All of DUAA's changes should be in force. New ICO guidance relating to DUAA changes should be published in final form.

Adequacy of the new data protection regime in the UK

The European Commission is in the process of evaluating the adequacy of the new data protection regime in the UK to decide if it will continue to provide adequate protection for data flowing from the EU to the UK without additional regulatory protections being required. On 22 July 2025 the European Commission issued a press statement which indicates it will approve the UK's new data protection regime post DUAA. The Commission will now send the draft adequacy decisions to the European Data Protection Board for its opinion, in accordance with the adoption procedure. The Commission will also have to seek approval from a committee of representatives of the EU member states. In addition, the European Parliament and the Council will have a right of scrutiny over the adequacy decisions. 

DUAA makes changes to the UK GDPR and PECR. This creates divergence from EU law. Organisations that must also comply with the EU GDPR need to consider the practicalities of updating their policies and procedures for the UK. 

What should UK businesses do next?

DUAA is new legislation and, as we know, not all of it is in force yet. The ICO has suggested in new guidance that businesses should apply the existing law until the various parts of DUAA take effect. The ICO has advised that the law will be applied as it stands at the time an infringement took place, rather than the date any complaint or report was received or when the infringement was detected.

Now is the time for businesses to become familiar with the changes introduced by DUAA and to incorporate them into their privacy programme, compliance plans, processes, and legal terms.

Businesses may feel that it is difficult to prepare for DUAA fully since secondary legislation is still needed to bring many of DUAA's changes into force, and much of the guidance is still to be released. There are steps though that businesses could be taking now to prepare:

  • Engage with the ICO's consultations on its draft guidance on data protection complaints and on the new lawful basis for processing personal data known as 'recognised legitimate interest'. Both of these consultations run into mid-October.
  • Keep an eye out for updated versions of a range of ICO guidance – the ICO will set out its plans on its website as work progresses. These will inform your preparations.
  • When conducting your regular review of your cookies policies, consider the relaxed rules in relation to cookies. Consider any changes that may be necessary and collaborate with the internal teams and system providers who will assist with updating your cookie banners or notices.
  • When conducting your regular review of your DSARs procedures, check whether they reflect the new relaxed rules.
  • Start work on a procedure for data protection complaints that complies with DUAA's requirements. Engage early with stakeholders across the business and think about whether staff training will be required so that your staff know what they need to do if they receive a complaint. Our article on data subject access requests and complaints by data subjects sets out the new requirements for complaint handling and then looks specifically at how to handle DSAR complaints.
  • Knowing that the fines for a breach of PECR are significantly increasing, consider carrying out an audit of your direct marketing activities.
  • Think about whether you need to make any changes to your existing or template data sharing agreements. For example, do you want to include an obligation on your service providers to support with complaints from data subjects? Do you transfer personal data outside of the UK and will you need to update your transfer risk assessments?

Do you want to know more about DUAA and how it might impact on your business? Or want support with updates to your cookies policy, privacy notices, or privacy programme?

Simply reach out to Sheilah Mackie, Andrew Kimble or Sarah Daun.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.