Understanding The Data (Use and Access) Act 2025

Last reviewed: 19 May 2026

Five-Point Summary

  • The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, making it the law of England, Wales, Scotland, and Northern Ireland. The Act is not a Bill waiting to pass; it is already enacted.
  • The main data protection changes in Part 5 of the DUAA came into force on 5 February 2026. They amend the UK GDPR and the Data Protection Act 2018 and apply to most organisations that process personal data.
  • Automated decision-making rules have been rewritten. Organisations may now make solely automated decisions that produce legal or similarly significant effects, provided they put in place specified safeguards, including giving individuals the right to make representations and the right to a human review.
  • The Information Commissioner’s Office (ICO) is being renamed the Information Commission. The changeover will take effect once new Board members are appointed under the Act’s provisions; the ICO continues to operate under its existing name until then.
  • The DUAA also introduces new Smart Data schemes beyond Open Banking, a statutory basis for digital verification services, and a National Underground Asset Register, alongside targeted amendments to the UK’s data protection framework to remove friction from lawful processing.

Since leaving the European Union, the UK Government has been trying to find a way to make greater use of personal data to support economic growth while keeping the adequacy status that allows free data flows with the EU under the UK GDPR. The Data (Use and Access) Act 2025 is aimed at achieving this balance.

What Does the Data (Use and Access) Act 2025 Cover?

The Data (Use and Access) Act 2025 is structured around eight Parts and sixteen Schedules. Its three stated objectives are to kick-start economic growth, support safer streets, and build an NHS fit for the future. The Government projected that better data use could generate £10 billion for the economy and free up millions of police and NHS staff hours.

The eight Parts divide the Act’s subject matter as follows:

  • Part 1: Smart Data schemes. Extends the Open Banking model to other sectors by giving Ministers powers to require data holders to share customer and business data with authorised third parties.
  • Part 2: Digital verification services. Creates a statutory trust framework, a register of approved providers, an information-sharing gateway, and a trust mark. Most Part 2 provisions came into force on 1 December 2025.
  • Part 3: National Underground Asset Register. Places the existing digital map of underground pipes and cables across England, Wales, and Northern Ireland on a statutory footing.
  • Part 4: Digital registry of births, deaths, and marriages. Enables electronic registration and modernises the civil registration system.
  • Part 5: Data protection. Amends the UK GDPR and the Data Protection Act 2018. The majority of these provisions came into force on 5 February 2026.
  • Part 6: The Information Commission. Renames and restructures the Information Commissioner’s Office as the Information Commission, once Board members have been appointed.
  • Part 7: Sector-specific data provisions covering health and social care, smart meter communications, public service delivery, and online safety (including new offences relating to intimate images).
  • Part 8: Commencement, consequential amendments, and interpretation.

 

What Changes Did the DUAA Make to UK Data Protection Law?

Part 5 of the Data (Use and Access) Act 2025 is the section most organisations will feel day to day. The Commencement No. 6 Regulations 2026 brought the bulk of these provisions into force on 5 February 2026. The principal changes are set out below.

  • Purpose limitation and compatibility: The Act introduces an “assumption of compatibility” for certain re-uses of personal data. Organisations can assume that some secondary processing is compatible with the original purpose without running a separate compatibility test. Disclosures for archiving in the public interest are one example.
  • Subject access requests: The Act amends the standard for responding to subject access requests. Controllers must now conduct a “reasonable and proportionate” search rather than an exhaustive one. If your business regularly deals with complex or high-volume requests, this change reduces the cost and effort of compliance. 43Legal’s article on recognising and responding to a GDPR Subject Access Request covers the practical steps in detail and remains relevant under the revised standard.
  • Automated decision-making: Article 22 UK GDPR is substantially rewritten. The blanket restriction on solely automated decisions with legal or similarly significant effects is removed. Organisations may now make such decisions using any lawful basis provided they implement specified safeguards: giving the individual information about the decision, the right to make representations, and access to human review. Special category data attracts additional restrictions and must be processed under a Schedule 1 condition of the Data Protection Act 2018.
  • Data Protection Officers: The requirement to designate a DPO is modified. The Act retains the obligation for public authorities and for organisations whose core activities require large-scale, regular, and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. However, it replaces the concept of a DPO with a “Senior Responsible Individual” in some contexts, giving organisations greater flexibility over how they structure their accountability function.
  • Data Protection Impact Assessments: DPIAs are retained but reframed as “Assessments of High Risk Processing.” The underlying obligation to assess and mitigate risk before carrying out high-risk processing remains unchanged.
  • ICO enforcement powers: The Act strengthens and modernises the ICO’s enforcement toolkit, including updated provisions on information notices and assessment notices.
  • New ICO objectives: From 20 August 2025, the ICO operates under new statutory objectives introduced by the Commencement No. 1 Regulations. These require the regulator to have regard to economic growth and innovation when carrying out its functions.

 

How Does the DUAA Differ from the Data Protection and Digital Information (No. 2) Bill?

Critics of the earlier DPDI (No. 2) Bill argued that it eroded privacy and weakened individual rights in four main respects:

  • Giving public bodies and companies broader grounds to refuse Subject Access Requests.
  • Widening the circumstances in which automated decision-making was permitted with fewer protections.
  • Reducing the situations requiring a Data Protection Impact Assessment.
  • Narrowing the circumstances in which a Data Protection Officer had to be appointed.

The Data (Use and Access) Act 2025 addressed most of these concerns. Automated decision-making remains subject to mandatory safeguards. Special category data continues to attract heightened protection. The ICO’s powers were strengthened rather than reduced. The overall package was welcomed by the Information Commissioner as a reform that “maintains high standards of data protection and protects people’s rights and freedoms” while also providing “greater regulatory certainty for organisations.”

When Did the Different Parts of the Act Come Into Force?

The DUAA is being brought into force in stages through commencement regulations. The timetable to date is:

  • 19 June 2025: Royal Assent. Certain provisions came into force immediately, including those relating to the ICO’s new statutory objectives.
  • 20 August 2025: Commencement No. 1 Regulations: technical provisions and the ICO’s new statutory objectives requiring it to consider economic growth when exercising its functions.
  • 1 December 2025: Commencement No. 4 Regulations: most of Part 2 (digital verification services), establishing the UK’s statutory digital identity framework.
  • 5 February 2026: Commencement No. 6 Regulations: the majority of the Part 5 data protection and e-privacy amendments, including the new automated decision-making regime and the revised SAR standard.
  • 6 February 2026: Commencement No. 5 Regulations: Section 138, creating new criminal offences relating to the creation of intimate images without consent.
  • Future stages: The Government has confirmed that further provisions, including Section 103 on complaints by data subjects, will be commenced in a later stage approximately 12 months after Royal Assent.

What Happens to the ICO?

Part 6 of the DUAA renames the Information Commissioner’s Office as the Information Commission and establishes a new governance structure with a Board. The transition will not happen automatically upon a commencement date. Board members must first be appointed under Schedule 15 of the Act. Until those appointments are made, the ICO continues to operate under its existing name and the Commissioner retains all current functions. The ICO has confirmed it supports the reform as a step towards a more modern regulatory structure. For guidance on how the DUAA affects the ICO’s role, the ICO’s own DUAA guidance is the authoritative source.

What Does The Data (Use and Access) Act 2025 Mean for UK Businesses?

With Part 5 of the Data (Use and Access) Act 2025 now in force, organisations should review their data protection compliance against the new requirements. The most pressing areas are:

  • Automated decision-making policies: If your business uses algorithms or AI tools to make decisions about individuals, whether for credit scoring, recruitment, pricing, or any other purpose, you need to check whether those decisions engage the new provisions and whether your safeguards documentation is adequate.
  • Subject access request procedures: Update your SAR response procedures to reflect the “reasonable and proportionate search” standard. This may allow some organisations to reduce the scope of searches, but the change needs to be documented and defensible.
  • Data Protection Impact Assessment templates: Rename and where necessary revise your DPIA templates to align with the Act’s reframing as “Assessments of High Risk Processing.” The substance of the obligation is unchanged, but terminology in policies and records should be consistent.
  • Privacy notices: Review privacy notices for references to Article 22 UK GDPR if your organisation uses automated decision-making. The new safeguards requirements must be accurately reflected in the information you give to individuals.

If you are unsure whether your current data protection framework meets the new requirements, 43Legal’s virtual in-house legal counsel service can provide a focused compliance review and practical guidance on bringing your policies up to date.

Frequently Asked Questions

Is the Data (Use and Access) Act 2025 already in force?

Yes. The Act received Royal Assent on 19 June 2025 and is law. Different Parts have been brought into force at different dates through commencement regulations. The data protection provisions in Part 5 came into force on 5 February 2026.

Does the Data (Use and Access) Act 2025 replace the UK GDPR?

No. The UK GDPR and the Data Protection Act 2018 remain the primary framework. The DUAA amends both of those Acts but does not replace them. The UK’s data protection regime continues to be built on the same foundations; the DUAA updates and modernises specific provisions.

What changed for automated decision-making under the DUAA?

The previous near-blanket restriction in Article 22 UK GDPR on solely automated decisions with legal or similarly significant effects has been removed for most processing. Organisations can now make such decisions using any lawful basis, provided they implement mandatory safeguards: informing the individual, giving them the right to make representations, and providing access to a human review. Special category data still requires a Schedule 1 condition of the Data Protection Act 2018 and carries additional restrictions.

When will the ICO become the Information Commission?

The ICO will be renamed the Information Commission once Board members are appointed under Schedule 15 of the DUAA. No appointment date has been announced as at May 2026. Until appointments are made, the ICO continues to operate under its existing name and structure.

Do we need to update our DPIA process because of the DUAA?

Your existing DPIA process should remain compliant in substance. The Act renames DPIAs as “Assessments of High Risk Processing,” but the underlying obligation to identify and mitigate risk before high-risk processing begins is unchanged. You should update your templates and policies to use the new terminology and check that your triggers for carrying out an assessment still reflect the current threshold. A review of your data protection compliance arrangements with a specialist solicitor is a practical first step.

Getting Advice on the DUAA 2025

Data protection law has never stood still, and the DUAA represents the most significant set of changes to the UK framework since the UK GDPR was introduced in 2018. For most businesses, the practical impact will be felt most sharply in automated decision-making processes, SAR handling, and the governance arrangements around data protection accountability.

Our team advises businesses on data protection risk management, policy drafting, and regulatory compliance. To discuss how the DUAA affects your organisation, please email info@43legal.com or phone 0121 249 2400. 

The content of this article is for general information only.  It is not, and should not be taken as, legal advice.

    “Melissa Danks is the founder of 43Legal. She has over 20 years’ experience as a solicitor working within the legal sector dealing with issues relating to risk management, dispute resolution, and advising in-house counsel in SMEs and large companies. Melissa has extensive expertise in providing practical, valuable, modern legal advice on large commercial projects, joint ventures, data protection and GDPR compliance, franchises, and commercial contracts. She has worked with stakeholders in multiple market sectors, including IT, legal, manufacturing, retail, hospitality, logistics and construction. When not providing legal advice and growing her law firm, Melissa spends her time running, walking in the countryside, reading and enjoying downtime with close friends and family.”
