Implementation of the New Data (Use and Access) Act 2025 begins

The Data (Use and Access) Act 2025 (DUAA) officially became law on 19 June 2025. However, its provisions are being implemented gradually through a four-stage plan which has been outlined by the UK Government, helping to ensure a smooth transition for organisations and regulators. The DUAA aims to introduce significant updates to data handling, access and protection. It focuses on modernising public services, enhancing privacy safeguards and strengthening the UK’s ability to enforce data regulations. You can read our summary of the key aspects of the DUAA here.

The Data (Use and Access) Act 2025 (Commencement No.1 Regulations 2025) introduces the first key stage of implementation which begins on 20 August 2025. It lays the legal groundwork, including technical provisions which clarify aspects of the legal framework and new statutory objectives for the Information Commissioner’s Office (ICO). This stage also requires the Government to publish an impact assessment, a report and a progress update on AI and copyright issues, a requirement included as a concession during the parliamentary “ping-pong” between the Commons and Lords that helped to secure the passing of the DUA bill into law.

In autumn 2025 (three to four months after Royal Assent), the second stage will introduce most of the measures related to digital verification services. It will also activate provisions that allow internet service providers to retain certain information following the death of a child, helping to support bereaved families and investigations.

By winter 2025 (approximately six months after Royal Assent), the third stage of implementation will introduce the main changes to UK data protection legislation (in Part 5 of the DUAA) and the provisions on information standards for health and adult social care in England (in Part 7 of the DUAA). Updates to UK GDPR, Data Protection Act 2018 and PECR will change how personal data is handled and processed quite significantly. Amongst other things, it will introduce “Recognised Legitimate Interests” as a new lawful basis, provide a new data protection test for assessing international data transfers and increase fines for PECR breaches.

The final stage is expected in early 2026 (more than six months after Royal Assent) and will cover more complex or infrastructure-heavy provisions. These include the creation of a National Underground Asset Register, the rollout of an electronic system for registering births and deaths, and changes to the ICO’s governance structure, which will take effect once a new board is appointed.

The Government’s phased approach to implementing the DUAA helps businesses to ensure they are ready for when the relevant provisions become applicable, allowing time to follow guidance, system development, and stakeholder engagement. Updates and further details will be provided by the Department for Science, Innovation and Technology and the ICO as each stage progresses.

We will continue to monitor developments closely and provide updates on each stage as the DUAA is implemented, including reporting on any new guidance that is issued and commenting on the practical implications for organisations and individuals. Feel free to subscribe to our blogs here for all the latest insights and updates.

If you have any questions or would like to discuss any of the topics in this article, please contact Selina Clifford in our Intellectual Property team.