DUA Act – next steps
When will provisions under the Data Use and Access Act 2025 (DUAA) take effect and when we can anticipate guidance to be published by the Information Commissioner’s Office?
The DUAA received Royal Assent on 19th June but while limited provisions came into effect immediately, the majority will be phased in over the coming months up to June 2026, with some requiring secondary legislation to be passed.
To be crystal clear, the DUAA does not replace UK GDPR, the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations (PECR). The Act brings in amendments to these core pieces of legislation, much in the same way PECR was amended in 2009 with the so-called ‘cookie law’.
Commencement of DUAA provisions
With immediate effect: One provision which has come in with immediate effect is clarification that when responding to Data Subject Access Requests (the right of access) organisations only need to undertake a “reasonable and proportionate search”. This inserts a new Article 15(1A) into UK GDPR, and gives a statutory footing to existing case law and guidance from the ICO.
From 20th August 2025 the following amendments will come into force:
■ Information Commissioner can serve notices by email
This amends the Data Protection Act 2018 with a new section 141A permitting notices to be served by email. You may want to double check the email address the ICO has on file for your organisation on the register of fee payers, make sure this is regularly monitored and who/which team a notice should be immediately forwarded to.
■ Information Notices and ICO power to ask for documentation
This grants the ICO the power to require organisations to provide documents as well as information when responding to an Information Notice.
Other measures commencing on 20th August include requirements for the Government to prepare a progress update and report on copyright and AI.
From September/October: Commencement is expected of measures on digital verification services.
Around December: Commencement of main changes to data protection legislation.
At present we don’t have precise dates for when specific provisions such as the soft opt-in for charities, changes to the cookie rules and recognised legitimate interests will commence, but we’ll update this article as and when we hear more. For a top-level summary of the Act see DUAA 2025: 15 key changes ahead.
ICO guidance
The ICO has published a timeline of when we can expect updated or new guidance covering the changes the DUAA ushers in.
Summer 2025
■ Data Subject Access Requests – update to detailed Right of Access guidance
■ Substantial public interests conditions – a new interactive tool
■ Cookies & similar technologies (Part 1) – update to ‘cookie guidance’ and renamed ‘guidance on storage and access technologies’.
Winter (2025/26)
■ Direct marketing and Privacy and Electronic Communications Regulations guidance – update to existing guidance
■ Complaints procedures – new guidance for organisations on how to handle data protection complaints
■ Lawful basis of recognised legitimate interests – new guidance
■ Legitimate interests – update to existing guidance
■ International data transfers guidance – update to existing guidance
■ Cookies & similar technologies (Part 2) – (‘guidance on storage and access technologies’).
■ The purpose limitation principle– updated and enhanced guidance
■ Anonymisation and pseudonymisation for research purposes – guidance
Spring 2026
■ Automated Decision Making (ADM) and Profiling – updated guidance
■ Research, archiving and statistics provision – updated guidance.
■ SME data essentials – guidance
More detail and other updates from the ICO can be found here: plans for new and updated guidance.
Codes of practice
The ICO will also in due course be producing codes of practice on edtech and artificial intelligence.
There’s lots to watch out for and we’ll try our best to keep you up to date with developments as and when they happen.