Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025, which received Royal Assent and became law on 19 June 2025, represents the UK Government's attempt to roll together a series of data-related reforms and measures into a single, keystone piece of legislation.

The Data (Use and Access) Act 2025 (the "DUAA"), received Royal Assent and became law on 19 June 2025 following its introduction to Parliament in October 2024. This landmark piece of legislation represents the UK Government's attempt to roll together a series of data-related reforms and measures into a single, keystone piece of legislation, marking a significant step in the Government's approach to data protection regulation.

The DUAA introduces reforms to the UK's data protection regime and changes to the powers and composition of the regulator; measures for increasing the breadth of possibilities for pursuing smart data initiatives; improvements in public sector data sharing; data-enabled infrastructure initiatives such as the National Underground Asset Register; a new statutory scheme for digital identity verification services; and more besides.

The Government is hoping that the detailed provisions contained in the DUAA will contribute towards three overarching strategic objectives:

To harness the power of data to grow the economy;
To improve public services and enable and support modern digital government; and
To make peoples' lives easier.

Besides these objectives, the Government also placed significant emphasis on maintaining the UK's data protection adequacy status with the EU. This explains many of the differences between the DUAA and the previous Government's attempts at reforming the UK's data protection regime under the previous Data Protection and Digital Information Bill (the "DPDI Bill"), which never passed into law owing to the calling of the July 2024 UK general election.

There had been concerns that certain divergences from the EU GDPR under the DPDI Bill could end up costing the UK its adequacy decisions. Instead, the Government implemented a more targeted reform through the DUAA, aimed at clarifying legal uncertainty and streamlining compliance, while retaining the core protections offered by the UK GDPR. The Government was successful in its goal: the European Commission’s adequacy decisions were renewed on 19 December 2025, ensuring continued free flow of personal data between the EU/EEA and the UK until 27 December 2031.

We have prepared a high-level PDF summary of the key changes introduced by the DUAA for you to read and share here.

Implementation of the DUAA is taking place in phases. Certain provisions, such as the requirement for “reasonable and proportionate” searches when responding to data subject access requests (“DSARs”), came into force immediately on 19 June 2025. The entry into force of substantive data protection changes is expected in early 2026, with provisions that rely on appropriate technology being in place being given a longer lead-in period.

We are monitoring the changes introduced by the DUAA, and tracking the ICO’s progress in updating its guidance to reflect these changes, in our DUAA implementation tracker.

You can also read our article series, each taking a deeper look at a particular aspect of the DUAA, at the links below (note that articles published before the DUAA received Royal Assent refer to the "DUA Bill"):

Key reforms to the UK's data protection regime – including:

A new "recognised legitimate interests" processing basis and some statutory examples of "regular" legitimate interests;
A new regime for international transfers;
The potential for ministers to add further special categories of data;
Important clarifications to the "purpose limitation" principle; and
An expansion of the types of decisions that can be made on a "solely automated" basis.

Changes to the ICO's powers, structure and composition - including:

New investigatory powers, including being able to require individuals to attend an interview when a data breach is being investigated;
Greater fining powers for breaches of PECR;
A new requirement that controllers must establish a direct complaints procedure for data subjects; and
A new structure, a new board, and a new name for the regulator itself – the "Information Commission".

Laying the groundwork for smart data schemes – including:

New regulation-making powers to create schemes for sharing "customer" and "business" data with third parties;
Provisions to create accreditation and approval requirements for third parties wishing to have such data with them;
Provisions to empower certain bodies as "decision-makers" as to which third parties are accredited and/or approved;
Regulation-making powers allowing the creation of new "interface" bodies to manage and set the standards for new smart data schemes; and
Powers to require data-holding organisations and data-receiving third parties to assist, including financially, these new decision-making and interface bodies.

A new register of digital ID verification services – including:

Powers for the Secretary of State to create a "framework" of rules for providing digital ID verification as a service;A new statutory register, on which providers of these services can apply to be listed;
An "information gateway" permitting public authorities to share information with registered providers to verify an individual's identity; and
Including the use of registered digital ID service providers as a valid means of satisfying right-to-work and right-to-rent checks.

Data (Use and Access) Act 2025: A comparison with its predecessor, the Data Protection and Digital Information Bill – including:

Retention of the DPDI Bill's dilution of the prohibition on solely automated decision-making;
A new "data protection test" for international data transfers, mirroring the DPDI Bill
Changes to DPOS, RoPAs and DPIA requirements all dropped; and
Removal of the ability to refuse a DSAR on the basis of a "vexatious or excessive" request.

A round-up of the miscellaneous provisions in the Data (Use and Access) Act 2025 - including:

The implementation of a mandatory National Underground Asset Register;
A new Electronic Register of Births and Deaths; and
The criminalisation of creating or requesting the creation of an intimate image of an adult, commonly referred to as a "deepfake".

Related Expertise