The Data (Use and Access) Bill (now the Data Use and Access Act 2025) received Royal Assent on 19 June 2025 after a lengthy gestation. Here we look at when it will apply and what guidance to expect from the ICO (soon to be the IC). To read more about what took so long and the impact of the DUA Act on data transfers, see here.

When will the DUA Act come into effect?

The majority of the DUA Act will be brought in by secondary legislation, however the following sections are now in force:

• s66 (meaning of “the 2018 Act” and “the UK GDPR”)

• s78 (searches in response to data subjects’ requests)

• Part 1 of Schedule 16 (grant of smart meter communication licences) and section 122 so far as relating to that Part of that Schedule

• s126 (retention of biometric data and recordable offences)

• s128 (retention of pseudonymised biometric data)

• s129 (retention of biometric data from INTERPOL)

• Part 8

• any other provision which confers the power to make secondary legislation.

The following provisions come into force at the end of the period of two months (19 August 2025):

• s69 (consent to law enforcement processing)

• s82 (logging of law enforcement processing)

• s96 (notices from the Information Commissioner)

• s97 (power of the Information Commissioner to require documents).

Part 2 of Schedule 16 (grant of smart meter communication licences), and s122 so far as relating to that Part of that Schedule, come into force on the day on which the first regulations under s91A(1) of the Energy Act 2008 (inserted by 1 of Schedule 16) come into force.

The ICO currently expects some of the remaining provisions (which we anticipate will cover changes to the UK GDPR and PECR) to come in within six months, and the remainder to be introduced within a year.

Changes to the UK GDPR and DPA18

The ICO has responded to the enactment of the DUA Act highlighting the following changes to the UK's data protection regime as some of the key innovations:

• clarification of how personal data can be used for research

• changes to the rules on automated decision making (ADM)

• allowing the use of some specified cookies without consent

• allowing charities to send electronic marketing without consent under certain circumstances

• requiring organisations to have a data protection complaints procedure

• the introduction of a new lawful basis of recognised legitimate interests.

The ICO has also published a range of guides to help organisations understand the changes to the law and the ICO's new powers. Particularly helpful is the 'Detailed summary of the changes for data protection experts'. This goes through the impact of the DUA Act on the UK GDPR and Data Protection Act 2018 in a way that is easy to understand compared with the Act itself which often amends provisions in the earlier legislation by reference to section numbers which in some cases are themselves amendments of the original GDPR, rather than reproducing the new or incoming version of a section in full. 

Planned guidance

As a result of the DUA Act, the ICO explains that it is having to de-prioritise some of its previously planned guidance in order to work on new or updated guidance related to changes being brought in by the new legislation. A full schedule is available in the ICO's new and planned guidance web page setting out what guidance to expect and when. In terms of guidance relating to general data protection, PECR, technology and online safety, the ICO plans the following for publication or consultation (as the case may be). As it is unclear when relevant secondary legislation will be published, this timetable may change but for now, arguably the most interesting guidance will be published in Winter 2025/26:

Spring 2025

• disclosing documents to the public securely: hidden information and how to avoid accidental breach

• substantial public interest conditions – interactive tool.

Summer 2025

• right of access detailed guidance

• eIDAS – revisions to eIDAS guide.

Autumn 2025

• Codes of Conduct and Certification Guidance update

• research, archiving and statistics update

• encryption guidance

• profiling for online safety.

Winter 2025/26 

• complaints guidance for organisations

• guidance on the new lawful basis of recognised legitimate interests

• legitimate interests update

• update to direct marketing PECR guidance

• ADM and profiling guidance update

• cloud computing guidance

• distributed ledger technology guidance

• consumer IoT guidance

• DUA updates to draft guidance on storage and access technologies Part 1

• sharing information to safeguard children – sector guidance.

Spring 2026

• international transfers guidance

• SME data essentials.

Additional materials

The ICO has also published:

• an outline of what the Act means for organisations

• an outline of what the Act means for law enforcement agencies

• an outline of how the ICO will continue its regulatory work as the Act is implemented

• a guide for the public on how the Act will affect them. 

AI and copyright

The much discussed amendments relating to AI and copyright are in ss135-138. These require the Secretary of State to publish an assessment of the economic impact of the four options proposed in the consultation on AI and copyright within nine months of the DUA Act's date of Royal Assent. The Secretary of State must also publish a report on the use of copyright works in the development of AI systems and consider the four consultation options. This report must consider and make proposals in relation to:

• the technical measures and standards that may be used to control the use of copyright works to develop AI systems and the accessing of those works for that purpose

• the effect of that access on a range of stakeholders

• the disclosure of information by developers of AI systems about the use of copyright works to develop those systems and how they access such works

• the granting of licences to developers of AI systems to use copyright works

• ways of enforcing requirements and restrictions relating to the use and access of copyright works to develop AI systems, including enforcement by a regulator.

Considerations must cover the impact on stakeholders on access from outside the UK, and take into account consultation responses. The Secretary of State must also publish a progress report within six months of the DUA Act getting Royal Assent.

What to do now

Perhaps the only notable change to the UK GDPR currently in force is under s78 which relates to searches in response to data subject access requests (DSARs). It specifies that when responding to a DSAR, an organisation only has to carry out reasonable and proportionate searches for relevant information.

Nonetheless, this is the time to begin preparing for changes to the UK GDPR, DPA 18 and PECR. The ICO's summary of changes is the easiest place to start for the first two. It's important to note, however, that you cannot act on the changes until they are brought in to effect so for now there are no changes to, for example, legitimate interests, purpose limitation, direct marketing and ADM.

What's important at this stage is to work out whether you will want to take advantage of any of the changes and what impact that may have on your processes, policies and contracts. Please do get in touch if you'd like advice on this.