On 11 June 2025, the UK Parliament passed the Data (Use and Access) Act 2025 (“DUAA”), which received Royal Assent on 19 June 2025. This legislation marks a significant and targeted overhaul of the UK’s data protection framework, introducing reforms of the UK GDPR, the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations 2003 (PECR). In addition, it lays the groundwork for future regulation of AI, launches new initiatives to support smart data access and the development of a digital identity infrastructure.
While the DUAA is not yet fully in force, it sets the stage for a phased implementation. A limited number of provisions took effect immediately upon Royal Assent, most notably those concerning Data Subject Access Requests (DSARs). Different parts of the Act will come into effect on dates to be established by Commencement Orders which will be issued by the Secretary of State. The first of these is expected in October 2025.
The majority of the remaining provisions are expected to come into force between two and six months after Royal Assent. However, some sections — including changes to the UK GDPR and PECR — could be fast-tracked. More complex and potentially sensitive elements, such as rules on automated decision-making (ADM), direct marketing, cookie consent, and scientific research, may be delayed further, with implementation possibly stretching into mid-2026.
The DUAA represents the culmination of the UK government’s efforts to unlock the economic potential of data while maintaining alignment with emerging European standards. The Act shares several parallels with the EU’s recent regulatory developments, particularly the Data Governance Act and the Data Act.
Whether this reform ultimately delivers a more efficient or radically different data governance model remains to be seen. What is certain, however, is that privacy professionals and businesses will need to take action to implement the changes. Existing privacy policies, notices, and internal procedures will likely require updates to reflect the new legal landscape.
Companies should adapt their policies to reflect the new rules on data subject rights, closely monitor the release of statutory instruments and regulatory guidance, and be prepared to act on ADM, direct marketing and cookie compliance.
1. Data Protection
Data Subject Access Requests
The DUAA’s rules on data subject access have immediate effect. They clarify that a controller need only carry out “reasonable and proportionate” searches in response to a DSAR, which matches existing regulatory guidance. Consistent with this, information that cannot be obtained, or that could be obtained only with disproportionate effort, does not have to be disclosed.
Privacy notices and processes need updating
Controllers will have to make it easier for data subjects to complain, including by offering complaint forms “which can be completed electronically and by other means”. In addition, controllers must now acknowledge complaints within 30 days and resolve them without undue delay.
Automated Decision-Making (ADM)
The Data (Use and Access) Act 2025 amends Article 22 of the UK GDPR to allow solely automated decision-making (ADM) using personal data on legal bases other than consent. The stricter regime that applied until now continues to apply where special category data is involved.
The Act also introduces new concepts to differentiate impactful ADM processes from more benign ones. Processing is “solely automated” only where there is no “meaningful human involvement”; further guidance is expected on what counts as “meaningful”. Where “significant decisions” (those that produce legal effects or similarly significant consequences for the individual) are taken based solely on automated processing, additional safeguards are required. The mandatory safeguards for such decisions include:
- informing individuals of significant ADM decisions,
- allowing challenges and representations, and
- enabling human intervention.
Similar provisions apply under the law enforcement regime in the Data Protection Act 2018, though limited exemptions exist, for example, to protect national security—provided that any decision is promptly reconsidered with meaningful human input.
While the DUAA opens up the possibility of broader use of ADM, companies are well advised to carefully review and document their ADM processes: the legal basis relied on, the impact the decisions have on data subjects, and the level of human involvement at each stage.
International Data Transfers
The DUAA introduces a new data protection test for assessing whether personal data can safely be transferred from the UK to a third country, replacing the EU-derived “essentially equivalent” standard. The new test is satisfied if the standard of protection in the destination country is “not materially lower” than in the UK. The test applies both to companies assessing risk before a transfer and to adequacy decisions made by the Secretary of State. The change in wording could be read as lowering the threshold (why else change the test?) and hence as giving UK companies and UK decision makers more flexibility to recognise third countries as safe. If so, it may also lead to divergence from the EU and put the UK’s own EU adequacy status at risk over time.
Companies can continue to rely on transfer mechanisms that were in place before the DUAA came into force, but will have to apply the new test to transfer mechanisms put in place after it.
Information Commission Reform
The ICO becomes the Information Commission, led by a board and CEO (with John Edwards as inaugural chair). Its duties in relation to its functions include the promotion of innovation and competition.
New powers include:
- Requiring companies to produce expert reports, paid for by the data controller.
- Requiring individuals, including former employees, to attend interviews.
- Fines for false statements in response to investigations.
Companies will need to dedicate more resources to investigation responses and governance.
2. E-Privacy – updating rules on cookies, direct marketing etc
Increased fines
The DUAA increases the fines the Information Commission can impose under the Privacy and Electronic Communications Regulations (PECR) to match UK GDPR levels: up to £17.5 million or 4% of global annual turnover, whichever is greater.
Cookie Rules
The scope of the rules on cookies will be extended to cover technologies that “instigate the storage or access” of information on a user’s device, and those that “collect/monitor information automatically emitted” by the device.
The Act also introduces exemptions from the consent requirement for low-risk cookies, provided transparency and a right to object are guaranteed, including:
- Cookies used solely for analytics or statistical purposes, or to store user preferences
- Those ensuring security or fraud prevention
Direct Marketing
The DUAA clarifies the legal framework for direct marketing by adding its definition, “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”, to both PECR and the UK GDPR, aligning the key legislation. The definition covers attempted calls and communications that are sent but not received. The DUAA also confirms that direct marketing can constitute a legitimate interest under the UK GDPR for processing personal data, and extends the “soft opt-in” exception to charities, allowing them to send marketing to existing supporters or people who have expressed interest, provided an opt-out is offered.
Reporting timelines under the PECR
The deadline for notifying personal data breaches under PECR has been extended from 24 hours to 72 hours, in line with the UK GDPR, giving companies more time to report.
Other innovations
Smart Data Schemes: Building a Mandated Data Economy
Legal Basis and What’s New
Part 1 of the DUA Act empowers the Secretary of State to introduce sector-specific Smart Data Schemes via secondary legislation. These are designed to extend the Open Banking model to new areas of the economy by mandating the sharing of customer and usage data with authorised third parties.
Unlike the UK GDPR’s data portability provisions, Smart Data Schemes are broader in scope, covering non-personal, usage, and even certain business data. The goal is to improve competition, facilitate service switching, and spur innovation.
Key legal features include:
- Ministerial powers to define which data sets must be shared, under what conditions, and with whom: the Secretary of State may specify the data sets, the conditions of access, the permitted third-party recipients, and the standards for technical interoperability.
- Statutory mandates for data holders (i.e. businesses) to provide, store, rectify, or share customer data with consumers or authorised providers.
- Interoperability and standardisation requirements set via statutory instruments.
- Regulations may impose obligations around dashboards, APIs, data formatting, and security protocols.
This replaces the patchwork approach under older laws like the Enterprise and Regulatory Reform Act 2013, and more closely resembles the EU’s Data Governance Act, though with broader scope and private-sector focus.
Compliance and Business Implications
For businesses, this entails:
- System upgrades and investment in data infrastructure to meet new formatting and interoperability standards.
- Supervision by sector-specific regulators, with penalties for non-compliance.
- Opportunities for new services, market comparison tools, automatic switching platforms, and carbon reporting utilities.
- Overlap risks for firms subject to both the DUA Act and the EU Data Act.
The government’s first consultation on a Smart Data Scheme targeted the energy sector, which is widely expected to be the first industry regulated under the Smart Data framework, with detailed implementation plans anticipated later in 2025.
This initiative is part of the broader Smart Data Roadmap published in 2024, which outlines plans to extend similar schemes across multiple sectors. Following energy, consultations and evidence-gathering have been carried out or are planned in other industries, such as banking, telecommunications and transport.
3. Digital Verification Services (DVS): Laying the Groundwork for Trustworthy Digital Identity
Statutory Framework
Part 2 of the DUA Act establishes a legally binding framework for Digital Verification Services (DVS). These services allow individuals to validate their identity online for access to public and private services. Most UK residents have already used DVS informally—for example, in online banking or government portals.
Key features:
- DVS providers who wish to be listed on the public register and use the trust mark must be certified against a new statutory trust framework managed by the Office for Digital Identities and Attributes (OfDIA). Providers can include tech firms, banks, identity platforms, and other private or public entities facilitating online ID checks.
- Certified DVS providers will display a government trustmark, indicating compliance with privacy, security, and interoperability standards.
- Ministers can update certification rules to align with international norms, maintaining global relevance.
This legal framework puts the previously non-statutory trust framework on a legal footing, creating the basis for a trusted digital identity ecosystem.
Who is Impacted?
- DVS providers, which must register and meet the certification standards under the OfDIA framework in order to appear on the register and display the trust mark.
- UK residents and service users, who will increasingly use certified providers when accessing services such as digital banking, healthcare, and government portals.
- Public and private sector organisations relying on secure identity verification to authenticate users and grant access to sensitive digital services.
Compliance Implications
- Providers must meet stringent technical, privacy, and audit requirements.
- Interoperability will be essential—especially in finance, healthcare, and public services.
- Ongoing parliamentary scrutiny (particularly on fraud and law enforcement access) means standards may evolve quickly.
Financial services providers, facing complex AML/KYC duties, are expected to be early adopters. Early engagement with the OfDIA regime will be key for those seeking market entry.
4. AI And Copyright – A Contested Issue Under The DUA Act 2025
The most politically sensitive and heavily debated element of the UK Data (Use and Access) Act 2025 relates to artificial intelligence and copyright, covered in sections 135 to 138 of the Act. This part of the legislation was the subject of intense debate between the House of Commons and the House of Lords.
The House of Lords pushed strongly for amendments that would strengthen the position of copyright holders, reflecting growing concerns that copyrighted works are being used to train AI systems without proper permission, where such permission is legally required. Among the proposed measures were new transparency obligations—specifically, requiring AI developers to disclose which works had been used in their training datasets.
However, the government rejected these proposals, preferring to wait for the outcome of its ongoing Copyright and AI Consultation. It argued that any changes to copyright law should take a holistic and strategic approach, rather than be handled in a piecemeal way through the DUA Act. As a result, the transparency provisions proposed by the Lords were not included in the final version of the Act.
Despite this, the Act does introduce important obligations to prepare the ground for future reforms:
- Within six months of the Act receiving Royal Assent, the Secretary of State must publish a progress report covering:
  - The government’s ongoing consideration of the four options outlined in the Copyright and AI Consultation;
  - The use of copyright-protected works in the development of AI systems.
- Within nine months, the Secretary of State must publish:
  - An economic impact assessment of each of the four policy options set out in the consultation;
  - A detailed report on the use of copyright works in AI training and development. This report must consider:
    - Technical measures and standards for controlling and monitoring how copyrighted content is accessed and used to develop AI systems;
    - The effects of such use on different stakeholders, including UK and international access concerns;
    - The disclosure of information by AI developers about their data sources and methods of access;
    - The licensing mechanisms available for developers seeking permission to use copyrighted materials;
    - Enforcement mechanisms, including the possibility of regulation by a dedicated authority.
The Act thus lays the foundation for future regulatory or legislative action but stops short of introducing immediate copyright protections in the AI space.
Conclusion
After years of political reshuffling, the final version of the DUAA avoids the more radical changes initially proposed by the previous government. The GDPR’s legacy continues to shape UK data protection law, not only because of its legal foundations but also because of the ongoing significance of EU adequacy and international data flows.
The DUAA brings important changes to UK law. While some rules apply immediately, most will be phased in over time. Key updates affect DSARs, automated decision-making, cookies, international data transfers, and digital identity.
As we enter the second half of 2025, organisations should prepare for a wave of secondary legislation and technical guidance that will determine the practical compliance burden. The real work—adapting compliance programmes to this new, yet familiar, regime—starts now.
Now is the time for organisations to review their data practices, update internal policies, and prepare for compliance.
Charles Corbusier contributed to this article