The UK’s Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, marks one of the biggest data governance reforms since the Data Protection Act 2018. Its rollout is being staged, with certain provisions coming into force immediately and others subject to secondary legislation over the coming year. Here’s a deeper look at how the timetable breaks down, what businesses should expect, and what legislative hurdles may lie ahead.
Immediate provisions (19 June 2025)
From 19 June 2025, several significant changes took effect without delay. Most notably, the Act revised how data subject access requests (DSARs) are handled. Organisations must now ensure searches are “reasonable and proportionate,” a change that is retroactively applied to requests from as far back as 1 January 2024. This should help reduce the burden of fishing-expedition DSARs, which have been criticised for excessive scope and cost.
In addition, a “stop-the-clock” mechanism came into force, allowing organisations to pause DSAR deadlines while they seek clarification from the requester. This aims to address the uncertainty around vague or overly broad requests.
Also immediately active are rules around the retention of biometric data for law enforcement, tightening the periods during which police or other authorities may retain such data (for example, fingerprints or facial images) after collecting it. Police can’t keep biometric data indefinitely and there must be a clear, proportionate reason to retain it.
Near-term provisions (August 2025)
Two months after Royal Assent—by 19 August 2025—the Information Commissioner’s Office (ICO) will gain stronger investigative powers. These include the right to issue interview notices, request documents and records, and impose penalties for failing to cooperate or for providing false statements. These powers are expected to significantly bolster the ICO’s enforcement muscle and could place new pressures on businesses to maintain meticulous records and respond promptly to regulatory requests.
Phased provisions (June 2025 – June 2026)
Much of the Act will be rolled out gradually through what’s called secondary legislation. These are commencement regulations laid before Parliament that bring individual provisions of the Act into force over time. Unlike primary legislation, secondary legislation is usually passed with less scrutiny, although Parliament retains the power to object under negative or affirmative resolution procedures. In practice, the chance of significant opposition to these measures is low, since the Act itself passed with broad consensus.
The measures coming online over the next year include:
- Smart Data schemes to open up consumer data-sharing in regulated industries, akin to Open Banking.
- Digital identity frameworks for trusted, secure e-verification of identity.
- The National Underground Asset Register to improve coordination of infrastructure works.
- Provisions to digitise and automate vital records (birth and death certificates) to support modern digital government.
- A wider set of data protection reforms, including expanded legitimate interests bases, rules on automated decision-making, updates for children’s data, and scientific research protections.
- Revised rules on cookies under PECR to enable some low-risk tracking without explicit consent.
- Replacement of the ICO with the newly created Information Commission, with broader regulatory responsibilities and transparency obligations.
Secondary legislation will specify the exact dates, but the Department for Science, Innovation and Technology has indicated that the bulk of these reforms should be live by June 2026.
Could the DUAA still change?
Because the Act itself has passed with cross-party support, it is unlikely there will be major parliamentary fights over the secondary legislation. However, areas like Smart Data and automated decision-making could attract debate if stakeholder groups raise concerns about privacy, competition, or discrimination as they did in the Lords on AI. Parliament technically retains the power to block statutory instruments, but this is rare unless there is a major policy shift or scandal.
What this means for business
For businesses, the Data (Use and Access) Act represents both a simplification and a tightening of data compliance. On the plus side, the clearer DSAR rules and proportionate search standards should lower litigation and administrative costs. On the downside, expanded ICO powers and more proactive enforcement mean that organisations cannot afford to be complacent.
Firms involved in data-driven services, especially those operating in finance, energy, telecoms, or health, should start preparing for Smart Data frameworks and digital identity schemes, which will transform how customer data can be shared and reused. The new legal bases for processing data, as well as a less burdensome cookie regime, may create fresh commercial opportunities but will also require thorough documentation and updates to privacy notices and policies.
In short, businesses have a window between now and summer 2026 to adapt, train staff, update contracts, and embed these reforms. Regulators will expect to see clear, documented evidence of compliance as these new measures come on stream.
Data (Use and Access) Act organisation implementation calendar
Now (July 2025): Review and update DSAR procedures; start staff training on new subject access rights and proportionality tests.
August 2025: Ensure records and documentation are ready for expanded ICO powers.
By December 2025: Prepare for Smart Data participation and digital identity frameworks.
Early 2026: Update cookie policies and automated decision-making documentation.
Spring 2026: Confirm contracts and privacy notices are adapted to the new lawful processing bases.
By June 2026: Final checks on all data governance systems, with staff fully trained.
July 2026: Implement year two training for staff on data protection changes.
August 2026: Prepare for full enforcement and investigation powers by the Information Commission.
