Today, 20 August 2025, several important parts of the Data (Use and Access) Act 2025 (DUAA) officially come into effect. These changes mark the start of the law’s gradual implementation, following its passage in June. For compliance teams, data privacy professionals, and legal advisers, today’s updates require immediate attention and some practical adjustments.
Although the Data (Use and Access) Act 2025 received Royal Assent in June, most of its provisions don’t take effect automatically. Instead, the law is designed to be implemented in stages through Commencement Regulations made by the government. This staggered rollout allows time for regulators, courts and organisations to prepare for complex changes, especially where new procedures or oversight structures are involved.
The first of these regulations, the Commencement No. 1 Regulations 2025, were made on 21 July and bring a number of key provisions into force today, 20 August 2025. These include amendments to the Data Protection Act 2018 and PECR, as well as the formal creation of the Information Commission. Future sets of regulations will activate other parts of the Act in the months ahead, but today’s provisions are the first to take legal effect.
New court powers for subject access and data portability disputes
One of the most significant changes in the DUAA is the new Section 180A, which has been inserted into the Data Protection Act 2018. It gives courts the power to inspect withheld data when there is a legal dispute over a subject access request (SAR) or a request for data portability. Until the court reaches a ruling in favour of the data subject, neither the subject nor their representatives may access that material. The court is limited to ordering the same level of reasonable and proportionate search that the controller is already obliged to perform. That avoids exposing sensitive internal data to challengers prematurely, while still enabling judicial assessment.
What’s changed:
- Courts can now ask organisations to provide them with the disputed personal data.
- That data won’t be shown to the individual or their legal team unless the court agrees the person has a right to it.
- Courts can only demand a reasonable and proportionate search; organisations don’t have to go beyond what’s normally expected.
Why it matters:
This change makes it easier for courts to properly resolve disputes over withheld personal data. However, it also means that if you’re facing a legal challenge to how you handled a SAR, you’ll need a clear plan for how to securely provide the data to the court while protecting confidentiality.
Takeaway for compliance teams:
- Prepare internal protocols for handling Section 180A orders.
- Work with legal counsel to ensure any withheld data can be securely provided to courts.
New duties for the Information Commissioner
From today, the Information Commissioner is legally required to meet new objectives when carrying out regulatory duties. These are set out in Sections 120A to 120D of the Data Protection Act 2018. The Commissioner’s principal objective is to secure an appropriate level of protection for personal data, balancing the interests of data subjects, controllers and the public interest while promoting public trust and confidence in processing.
Below that sit secondary duties: promoting innovation and competition, safeguarding public and national security, preventing crime, and recognising that children require special protection. Controllers should now monitor public statements and guidance from the ICO closely, since regulatory enforcement posture may subtly shift under these framework duties, although we don’t expect an immediate dramatic change in enforcement priorities.
What’s changed:
- The Commissioner must balance the rights of data subjects, controllers, and the public interest.
- A new statutory duty has been introduced to promote public trust in how personal data is handled.
- Children’s data is specifically highlighted as needing special protection.
Why it matters:
This might subtly change how the ICO approaches investigations, enforcement, and public engagement, but immediate impact is likely to be limited.
Takeaway for compliance teams:
- Keep an eye on future Commission guidance. These new duties could shape enforcement trends.
- If you’re working on DPIAs or audits, consider referencing public trust and transparency in how you assess data processing impacts.
A new regulatory body: The Information Commission
Today also sees the formal creation of the Information Commission as a new corporate body, a step toward reforming the structure of data regulation in the UK. It replaces the current ICO entity. Its creation does not yet transfer the Commissioner’s enforcement powers, but it allows for the recruitment of non-executive board members. John Edwards, as current Commissioner, will become Chair automatically. This transition signals a future shift to a board-led regulator. Early planning for engagement with the new governance structure (strategy publication, accountability mechanisms, KPI disclosures) can help maintain smooth relations.
What’s changed:
- The Commission is now legally established, but it hasn’t yet taken over regulatory powers.
- It allows for board members (like non-executive directors) to be appointed.
- The current Information Commissioner, John Edwards, automatically becomes Chair of the new Commission.
Why it matters:
Although no enforcement powers have changed hands yet, this is the start of a move from a single-commissioner model to a board-led regulator.
Takeaway for compliance teams:
- Expect governance changes in how the regulator operates in the future.
- Be ready for more public reporting, strategy documents, and formal board decisions from the new Commission.
Stricter deadlines for reporting PECR data breaches
The Privacy and Electronic Communications Regulations (PECR) have also been updated. These apply to organisations that send marketing emails, run cookie banners, or operate public communications services. Regulation 5A(2) now requires personal data breaches under PECR to be notified to the Information Commissioner without undue delay and, where feasible, within 72 hours of awareness. Until now, PECR referred only to “undue delay”; the new timeline puts greater pressure on breach response teams to meet a more defined deadline.
What’s changed:
- If there’s a personal data breach under PECR, you must now report it to the ICO without undue delay, and where feasible, within 72 hours.
- Previously, only “undue delay” was mentioned. Now, there’s a clearer deadline.
Why it matters:
This aligns PECR more closely with UK GDPR breach reporting rules and will increase pressure on teams to act fast.
Takeaway for compliance teams:
- Update your incident response plans to reflect the 72-hour breach notification window for PECR-related data.
- Make sure your internal reporting lines can escalate incidents quickly to legal and DPO teams.
Looking ahead
Today’s provisions are just the beginning. More parts of the DUAA will come into force over the coming months, including:
- Stronger ICO enforcement powers (e.g. interviews, penalties, investigations)
- Codified time limits and clarification rules for DSARs
- Statutory complaints-handling duties for controllers
- Smart data schemes and digital identity rules (inspired by open banking)
Key takeaways for compliance and privacy professionals
Subject access litigation just got more complex. Be ready for court requests to inspect withheld data and plan how to respond securely.
Trust and transparency are now statutory duties for the Commissioner. This may influence enforcement behaviour over time.
A new regulator structure is coming. Start preparing for a board-led Commission with broader oversight.
72-hour deadlines now apply to PECR breaches. Incident response teams must move faster and coordinate more closely.
Data (Use and Access) Act organisation implementation calendar
July 2025: Review and update DSAR procedures; start staff training on new subject access rights and proportionality tests.
August 2025: Ensure records and documentation are ready for expanded ICO powers.
By December 2025: Prepare for Smart Data participation and digital identity frameworks.
Early 2026: Update cookie policies and automated decision-making documentation.
Spring 2026: Confirm contracts and privacy notices are adapted to the new lawful processing bases.
By June 2026: Final checks on all data governance systems, with staff fully trained.
July 2026: Implement year two training for staff on data protection changes.
August 2026: Prepare for full enforcement and investigation powers by the Information Commission.