UK data reform: What you need to know about the Data (Use and Access) Act
Part One: Overview
After an eventful three-year legislative voyage, the UK's Data (Use and Access) Act 2025 (DUA Act) received Royal Assent on 19 June 2025. While most of the changes are yet to be brought in through secondary legislation, a few limited provisions are already in force and others will come into force on 19 August 2025 (see our timeline below).
The DUA Act introduces wide-ranging and significant changes. In addition to amending UK data protection laws, the DUA Act establishes frameworks for 'smart data' schemes and a new regime for Digital Verification Services (DVS).
Below are a general overview, highlights of the Act, takeaways for businesses and other organisations, and a timetable of what happens next. We have prepared a series of short articles looking in more detail at the following:
- Framework for smart data schemes
- Digital Verification Services Framework
- Changes to UK data protection laws
- Enforcement and regulatory engagement
- Cookies, trackers and security patches
- Other provisions
We have also published a comprehensive PDF bringing all these together in one document for you to read and share.
Overview
How did we get here?
The predecessor to the DUA Act – the Data Protection and Digital Information Bill (DPDI Bill) – was first introduced to the UK Parliament in 2022 following a public consultation and government response on reforming the UK's data protection laws. Following a pause for input from business leaders and data experts, the DPDI Bill was reintroduced in March 2024 but did not complete its passage during that parliamentary session. Instead, the DUA Bill, which contained many similar provisions, was introduced in October 2024 (see our comparative briefing on the DUA Bill and the DPDI Bill). Several amendments were debated during the legislative process but few made it into the final text of the DUA Act. Notably, Baroness Kidron's proposals to mandate transparency in respect of copyright works used in pre-training, training and fine-tuning AI models, which delayed the passage of the DUA Bill for a couple of months, are not reflected.
Act Highlights
Smart Data: Building on the Smart Data Working Group's policy paper (published in Spring 2021), the DUA Act lays out a framework for the establishment of smart data schemes in the UK. While the detail of these schemes is to be set out in secondary legislation, they are potentially very broad and applicable beyond personal data.
Digital Verification Services: A framework to support digital identity verification in the UK, including rules for the provision of DVS and a public register of service providers.
Changes to the UK data protection regime include:
- Automated decision-making: relaxing the general prohibition on the use of personal data for significant automated decision-making (provided this is not based on special category data);
- Facilitating data processing: lowering the compliance burden and/or providing additional clarity for certain personal data processing (including for the prevention and detection of crime) – for example, see below on recognised legitimate interests, purpose compatibility and scientific research;
- International data transfer: reformulating the test for assessing a third country's adequacy in connection with international data transfer;
- Complaints: enabling data subjects to complain directly to controllers;
- Clarifications: codifying recitals and regulatory guidance (e.g. regarding children's privacy and responses to data subject requests); and
- The Information Commissioner's Office (ICO): The ICO is to be restructured, renamed and gains new enforcement powers. In performing its duties, it will need to consider (among other things) promoting competition and innovation.
Changes to PECR: The enforcement regime for the Privacy and Electronic Communications Regulations (PECR), which regulate cookies and electronic direct marketing, is aligned with that of the UK GDPR and the Data Protection Act 2018. Notably, this includes increasing potential PECR fines to UK GDPR levels. Certain cookies (e.g., for statistical purposes) are now expressly permitted without the requirement for consent.
Other provisions in the DUA Act range from digitising registers of births and deaths, to new crimes for creating intimate deepfake images, to requiring the government to publish a report on the economic impact of the policy options set out in the Copyright and AI Consultation Paper.
Takeaways for businesses and other organisations
Organisations should monitor secondary legislation passed under the DUA Act (and any related consultations or engagement) to understand when the changes that are not already in force will be brought in and monitor upcoming ICO guidance (see our timeline). In addition, organisations should consider the preparatory steps below.
1. Review UK data governance compliance processes
Organisations should review their data protection processes, notices and internal guidance in light of:
- upcoming obligations that require updates to policies and workflows – such as the requirement that controllers put in place an electronic complaint handling mechanism; and
- additional clarity organisations may have in areas where recitals and regulatory guidance have been codified into the law – such as in relation to responding to data subject requests and considerations for children's privacy.
2. Prepare for divergence from the EU GDPR and ePrivacy Directive
The DUA Act includes some steps away from EU data protection norms, such as the broader range of legal bases available for significant ADM in many circumstances, the ability to rely on certain recognised legitimate interests and some nuances regarding assessments that accompany international data transfers. It also allows for use of a broader range of cookies without consent and changes the maximum potential fines for PECR infringements.
In most cases, compliance with requirements under EU privacy-related laws will also mean compliance with the UK regime but organisations should:
- identify any instances where a change is mandatory (e.g. see above in relation to privacy complaints); and
- in other cases, where maintaining existing processes would remain compliant under UK laws, consider whether any data processing activities or cookie use would benefit sufficiently from the changes introduced by the DUA Act that it is worth implementing operational divergence. Organisations that are also subject to EU laws will need to consider possible complexities introduced by dual compliance processes and whether they need to carry out any data segregation to operate different processes for data that is subject only to UK law.
Organisations should also review any risk-based decisions they may have made based on the previous PECR enforcement regime.
3. Monitor sector-specific data sharing provisions
Businesses should monitor especially closely the progress of initiatives to implement smart data schemes in the UK, in particular any secondary legislation passed relating to the sectors in which they operate and related consultations or engagement processes. These could introduce significant operational requirements in respect of customer data and/or business data, as well as potential opportunities for businesses receiving such data. Engagement with regulators and industry bodies may help shape these schemes.
What happens next?
Most of the DUA Act's changes are yet to be brought into force or otherwise apply only when secondary legislation is made. So far, only one commencement regulation has been made: The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025. This brings a number of provisions into effect on 20 August 2025 (see our timeline below).
We understand that the Government's general plan is to commence: (i) the DVS provisions in September or October 2025; (ii) the substantive data protection provisions around December 2025; and (iii) provisions that require technology implementations and the privacy complaints provisions in 2026 (or later).
In the interim, the ICO has released high-level remarks on the DUA Act as well as a timetable setting out when we should expect it to publish updated guidance in light of the various changes introduced in the DUA Act.
Known dates
19 JUNE 2025
Provisions that entered into effect include:
- Provisions stating that controllers need only conduct a "reasonable and proportionate search" on receipt of a subject access request.
- Provisions empowering the Secretary of State to make regulations. The Secretary of State will use these powers to bring into force the various aspects of the DUA Act over time.
19 AUGUST 2025
Provisions that enter into effect include those granting the ICO powers to require the provision of documents and to issue interview notices.
20 AUGUST 2025
Various provisions come into effect pursuant to The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025. These include, for example:
- Provisions establishing the "Information Commission" (IC) – a body corporate to replace the ICO – as well as provisions amending the duties of the Commissioner when carrying out their functions and requiring the Commissioner to produce an annual report on regulatory action.
- The framework for smart data schemes in Part 1 of the DUA Act, to the extent not already in effect (although these provisions largely grant powers to the Secretary of State or the Treasury to make regulations, rather than directly implementing smart data schemes – powers which have not yet been exercised).
- Provisions stating that, where a court is required to determine whether a data subject is entitled to information by virtue of certain rights under the UK GDPR (e.g., the right of access and right to data portability) the court may require the controller to make available for inspection by the court "so much of the information as is available to the controller".
- Provisions updating PECR and Regulation (EU) 611/2013 to require providers of public telecommunication services to report personal data breaches to the IC without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
- Provisions requiring the Secretary of State to publish a report assessing the economic impact of the policy options set out in the Copyright and AI Consultation Paper and a report on the effect of copyright on the development of AI systems within 9 months of commencement of the DUA Act, with a progress statement within 6 months.
SUMMER 2025
The ICO is expected to release:
- Detailed guidance on the right of access.
- An interactive tool for "Substantial Public Interest Conditions".
- DUA Act updates to draft guidance on storage and access technologies (Part 1).
- An "eIDAS – Revisions to ICO eIDAS Guide".
- "Profiling for Online Safety" guidance.
AUTUMN 2025
- On 15 September 2025 the Department for Science, Innovation and Technology's call for evidence on smart data opportunities in digital markets closes.
- The ICO is expected to release guidance on encryption.
WINTER 2025/2026
The ICO is expected to release:
- Complaints guidance for organisations.
- Guidance on the DUA Act's new legal basis of recognised legitimate interests.
- Updated guidance on international transfers.
- A "legitimate interest update".
- Updated guidance on the purpose limitation principle.
- An update to direct marketing and privacy and electronic communications guidance.
- Sectoral guidance on sharing information to safeguard children.
- Guidance on the use of anonymisation and pseudonymisation for research purposes.
- DUA Act updates to draft guidance on storage and access technologies (Part 2).
SPRING 2026
The ICO is expected to release:
- A Research, Archiving and Statistics Provisions update.
- An Automated Decision-Making (ADM) and Profiling Guidance update.