The Data (Use and Access) Act 2025 (DUAA) received Royal Assent and became law on Thursday 19 June 2025. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services.
The DUAA is a new piece of legislation that updates some existing laws about digital information matters. It amends, but does not replace, the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
Most of the changes offer organisations an opportunity to do things differently, rather than requiring specific changes to comply with the law. There is a requirement for organisations to have a process to help people who want to make complaints about how their personal information is used, but this won’t come into force straight away, so there’s time to prepare and the ICO will further have guidance to help organisations.
The Information Commissioner’s Office (ICO) has published various information to support organisations and the public as these changes are introduced. This includes:
- An outline what the Act means for organisations.
- An outline of what the Act means for law enforcement agencies.
- A detailed summary of the changes for data protection experts.
- New and planned guidance on the website, setting out what guidance to expect and when.
- An outline of how the ICO will continue their regulatory work as the Act is implemented.
- A guide for the public on how the Act will affect them.
When will the changes happen?
The changes will be phased in at different points over the next 12 months. The ICO will be publishing regular updates on their website to give organisations certainty on what they need to do and when.
Where to find more information
Organisations can find out more about the DUAA and understand if any of the changes apply to them by reading the guidance on the ICO website: Data (Use and Access) Act 2025 | ICO
