What's the issue?
The UK's Data (Use and Access) Act (DUA Act) became law on 23 June 2025; however, much of it is to be implemented and fleshed out by secondary legislation.
What's the development?
At the end of July 2025, the government published the first set of commencement regulations with two more following in September. It has also laid out a timetable for implementation of different elements of the Act. Meanwhile, the ICO has begun publishing (draft) guidelines on the changes to the UK GDPR.
What's in force?
The following sections came into force with Royal Assent:
- s66 (meaning of “the 2018 Act” and “the UK GDPR”)
- s78 (searches in response to data subjects’ requests)
- Part 1 of Schedule 16 (grant of smart meter communication licences) and section 122 so far as relating to that Part of that Schedule
- s126 (retention of biometric data and recordable offences)
- s128 (retention of pseudonymised biometric data)
- s129 (retention of biometric data from INTERPOL)
- any other provision which confers the power to make secondary legislation.
The following provisions came into force on 19 August 2025:
- s69 (consent to law enforcement processing)
- s82 (logging of law enforcement processing)
- s96 (notices from the Information Commissioner)
- s97 (power of the Information Commissioner to require documents).
Part 2 of Schedule 16 (grant of smart meter communication licences), and s122 so far as relating to that Part of that Schedule, come into force on the day on which the first regulations under s91A(1) of the Energy Act 2008 (inserted by 1 of Schedule 16) come into force.
The Data (Use and Access) Act (Commencement No.1) Regulations 2025 came into force on 20 August 2025. They brought into force a number of provisions (to the extent they were not already in force by virtue of s142(2) of the DUA Act) which focus largely on administrative and procedural issues. In particular, they brought in Part 1 of the DUA Act. This confers various powers on the Secretary of State to make secondary legislation in connection with sharing of business and customer data, and smart data schemes (with similar objectives to the EU's Data Act), but it does not include any detail about how this will work. The government launched a call for evidence on Smart Data opportunities in digital markets on 28 July 2025, which closed on 15 September. The call sought views on whether and how to introduce a Smart Data scheme. The government envisages this could cover a wide range of platforms including e-commerce sites, subscription services, and online marketplaces. It is looking to reduce barriers to data sharing and switching and unlock data portability to enhance competition and benefit consumers.
Two further commencement regulations were laid in early September:
- The Data (Use and Access) Act 2025 (Commencement No.2) Regulations 2025 were made on 2 September 2025. They bring s124 DUA Act into force on 30 September to the extent that it was not already in force (part of it came in on the day of Royal Assent). S124 DUA Act amends the Online Safety Act. It means that online platforms must retain information about deceased children when required to do so on notice by Ofcom.
- The Data (Use and Access) Act 2025 (Commencement No.3 and Transitional and Saving Provisions) Regulations 2025. These were made on 4 September. They bring into force s79 (legal professional privilege exemption), s88 (national security exemption), s89 (joint processing by intelligence services and competent authorities) and s90 (joint processing consequential amendments) of the DUA Act subject to transitional and saving provisions. Sections 79 and 88 came into force on 4 September. Sections 89 and 90 come into force on 17 November 2025. These sections all deal with amendments to the Data Protection Act 2018 (not the UK GDPR) and relate to law enforcement and national security data processing.
Still to come
- Three to four months after Royal Assent, most of the measures on digital verification services in Part 2 of the Act.
- Approximately six months after Royal Assent, the main changes to data protection legislation in Part 5 and the provisions on information standards for health and adult social care in England (Part 7).
- Provisions that require a longer lead time including measures on the National Underground Register and the electronic system of registering births and deaths will be introduced once ready.
Changes to the Information Commissioner's Office governance structures in Part 6 will be brought in once the Information Commission's new Board has been appointed. This is expected in early 2026.
ICO consultation on Data (Use and Access) Act amendments
On 21 August 2025, the ICO launched the first two in a series of planned consultations relating to draft guidance on amendments made to the UK GDPR by the Data Use and Access Act (DUA Act). These cover recognised legitimate interest and data protection complaints.
Recognised legitimate interest
This is the new lawful basis for processing personal data in the public interest as set out in Annex I of DUA Act. Currently the pre-approved purposes cover:
- sharing with another organisation on request because they need the information for their public task or official functions
- to safeguard national security, protect public security or for defence
- to respond to or deal with an emergency situation
- to prevent, detect or investigate crimes, including the apprehension and prosecution of offenders
- to protect the physical, mental or emotional wellbeing of people who need extra support or protect them from harm or neglect (safeguarding).
This list can be amended by the Secretary of State.
The main benefit of relying on one of these recognised legitimate interests is that there will be no need to carry out a Legitimate Interest Assessment. However, the use of the information must be necessary and must comply with all other legal requirements.
The draft guidance explains the difference between legitimate interests and recognised legitimate interests and how to assess which lawful basis is appropriate. It goes on to look at each pre-approved legitimate interest in more detail. The consultation closes on 30 October 2025.
Data protection complaints
The ICO's draft guidance looks at the new requirement for all organisations to have a process in place to handle data protection complaints by June 2026. In particular, organisations must provide a method for submitting complaints and ensure they acknowledge receipt within 30 days. They must also take appropriate steps to respond to complaints without undue delay and keep complainants up to date with the process and inform them without undue delay of the outcome.
The draft guidance sets out suggestions for how to give effect to the new requirements, with a particular focus on complaints made by children. The consultation closes on 19 October 2025.
A full list of the ICO's plans for new or updated guidance, in part as a result of the DUA Act, is available here.
What does this mean for you?
To date, the provisions of the DUA Act which are in force are largely procedural and administrative and/or focus more on the Data Protection Act 2018 than on the UK GDPR – dealing primarily with law enforcement and national security. We are still some way off knowing the detail of what the plans are for smart data schemes and digital identity verification.
Secondary legislation bringing in the bulk of the changes to the UK GDPR is expected towards the end of this year or early in 2026; however, the ICO's focus on recognised legitimate interest and complaints handling is a telling indication of the UK GDPR changes the ICO thinks will most impact controllers and processors.