The Data (Use and Access) Act 2025, which received Royal Assent and became law on 19 June 2025, represents the UK Government's attempt to roll together a series of data-related reforms and measures into a single, keystone piece of legislation.
The Data (Use and Access) Act 2025 (the "DUAA"), received Royal Assent and became law on 19 June 2025 following its introduction to Parliament in October 2024. This landmark piece of legislation represents the UK Government's attempt to roll together a series of data-related reforms and measures into a single, keystone piece of legislation, marking a significant step in the Government's approach to data protection regulation.
The DUAA introduces reforms to the UK's data protection regime and changes to the powers and composition of the regulator; measures for increasing the breadth of possibilities for pursuing smart data initiatives; improvements in public sector data sharing; data-enabled infrastructure initiatives such as the National Underground Asset Register; a new statutory scheme for digital identity verification services; and more besides.
The Government is hoping that the detailed provisions contained in the DUAA will contribute towards three overarching strategic objectives:
Besides these objectives, the Government also placed significant emphasis on maintaining the UK's data protection adequacy status with the EU. This explains many of the differences between the DUAA and the previous Government's attempts at reforming the UK's data protection regime under the previous Data Protection and Digital Information Bill (the "DPDI Bill"), which never passed into law owing to the calling of the July 2024 UK general election.
There had been concerns that certain divergences from the EU GDPR under the DPDI Bill could end up costing the UK its adequacy decisions. Instead, the Government implemented a more targeted reform through the DUAA, aimed at clarifying legal uncertainty and streamlining compliance, while retaining the core protections offered by the UK GDPR. The Government was successful in its goal: the European Commission’s adequacy decisions were renewed on 19 December 2025, ensuring continued free flow of personal data between the EU/EEA and the UK until 27 December 2031.
We have prepared a high-level PDF summary of the key changes introduced by the DUAA for you to read and share here.
Implementation of the DUAA is taking place in phases. Certain provisions, such as the requirement for “reasonable and proportionate” searches when responding to data subject access requests (“DSARs”), came into force immediately on 19 June 2025. The substantive data protection changes entered into force on 5 February 2026. Provisions that rely on appropriate technology being in place have been given a longer lead-in period.
We are monitoring the changes introduced by the DUAA, and tracking the ICO’s progress in updating its guidance to reflect these changes, in our DUAA implementation tracker.
You can also read our article series, each taking a deeper look at a particular aspect of the DUAA, at the links below (note that articles published before the DUAA received Royal Assent refer to the "DUA Bill"):
Key reforms to the UK's data protection regime – including:
Changes to the ICO's powers, structure and composition - including:
Laying the groundwork for smart data schemes – including:
A new register of digital ID verification services – including:
Data (Use and Access) Act 2025: A comparison with its predecessor, the Data Protection and Digital Information Bill – including:
A round-up of the miscellaneous provisions in the Data (Use and Access) Act 2025 - including:
