DUA Act – next steps

July 2025

When will provisions under the Data Use and Access Act 2025 (DUAA) take effect and when we can anticipate guidance to be published by the Information Commissioner’s Office?

The DUAA received Royal Assent on 19th June but while limited provisions came into effect immediately, the majority will be phased in over the coming months up to June 2026, with some requiring secondary legislation to be passed.

To be crystal clear, the DUAA does not replace UK GDPR, the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations (PECR). The Act brings in amendments to these core pieces of legislation, much in the same way PECR was amended in 2009 with the so-called ‘cookie law’.

Commencement of DUAA provisions

One provision which has come in with immediate effect is clarification that when responding to Data Subject Access Requests (the right of access) organisations only need to undertake a “reasonable and proportionate search”. This change simply gives a statutory footing to case law and existing guidance from the ICO.

At present we don’t know precisely when other specific provisions will commence, such as the soft opt-in for charities, changes to the cookie rules and recognised legitimate interests, but we’ll update this article as and when we hear more. For a top-level summary of the Act see DUAA 2025: 15 key changes ahead.

ICO guidance

The ICO has published a timeline of when we can expect updated or new guidance covering the changes the DUAA ushers in.

Summer 2025

 Data Subject Access Requests – update to detailed Right of Access guidance
Substantial public interests conditions – a new interactive tool
Cookies & similar technologies (Part 1) – update to ‘cookie guidance’ and renamed ‘guidance on storage and access technologies’.

Winter (2025/26)

Direct marketing and Privacy and Electronic Communications Regulations guidance – update to existing guidance
Complaints procedures – new guidance for organisations on how to handle data protection complaints
Lawful basis of recognised legitimate interests – new guidance
Legitimate interests – update to existing guidance
International data transfers guidance – update to existing guidance
Cookies & similar technologies (Part 2) – (‘guidance on storage and access technologies’).
The purpose limitation principle– updated and enhanced guidance
Anonymisation and pseudonymisation for research purposes – guidance

Spring 2026

Automated Decision Making (ADM) and Profiling – updated guidance
Research, archiving and statistics provision – updated guidance.
SME data essentials – guidance

More detail and other updates from the ICO can be found here: plans for new and updated guidance.

Codes of practice

The ICO will also in due course be producing codes of practice on edtech and artificial intelligence.

There’s lots to watch out for and we’ll try our best to keep you up to date with developments as and when they happen.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.