The Data (Use and Access) Act 2025 commencement update

Published on 30 March 2026

The question

What does the Data (Use and Access) Act 2025 (DUAA) change for UK data protection law, and what are the practical implications for businesses' data uses, governance and compliance strategies?

The key takeaway

As of 5 February 2026, most of the remaining DUAA data protection provisions have come into force. Some provisions commence on 19 June 2026, and certain ICO governance provisions will follow later. Following the commencement of these new provisions, businesses should review their existing processes and consider a number of changes, including: assessing whether any current reliance on legitimate interests can be transitioned to a "recognised legitimate interest" basis; updating playbooks to reflect potentially simpler UK GDPR compliance requirements; and identifying potential scope for automated decision-making (ADM) process changes.

The background

The DUAA, which received Royal Assent on 19 June 2025, updates current UK data protection legislation such as the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), introducing a number of pro-business changes (see our Summer 2025 edition of Snapshots).

While some of its provisions came into force automatically, many required commencement regulations. The government has taken a four-stage approach to commencement.

The development

On 5 February 2026, most of the remaining DUAA data protection provisions came into force via the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82). Some provisions, for example those relating to complaints procedures (section 103 and Schedule 10), commence on 19 June 2026, and certain ICO governance provisions will follow later. Some key changes that are now in force include:

  • clarification on what constitutes processing for research and statistical purposes (such as certain research for a commercial interest) and additional flexibility for obtaining valid consent for scientific research related processing
  • a new lawful basis for personal data processing: “recognised legitimate interest”
  • clarification on purpose limitation requirements and the factors to consider when determining whether a new purpose of processing is compatible with the original purpose
  • controllers can now rely on relevant international law obligations to justify some processing activity, potentially widening justification for certain cross‑border or public‑interest processing
  • codification of the existing ICO guidance on DSARs, including information relating to timeframes to respond to requests and the position that controllers only need to carry out reasonable and proportionate searches for personal data
  • a new exception to the obligation to provide transparency information when controllers process personal data for a further purpose, where that purpose is for research, archiving or statistical purposes, subject to certain additional restrictions
  • an updated ADM framework, expanding the circumstances in which the lawful basis will apply and adding provisions on safeguards (eg around human involvement and transparency)
  • factors to be considered when implementing data protection by design when providing information society services likely to be accessed by children
  • an altered test for determining whether a third country may receive an adequacy decision, which is now whether the standard of data protection offered to data subjects in the third country is not materially lower than that in the UK
  • enhanced ICO powers, including in relation to manifestly unfounded/excessive requests made to the ICO, demanding reports relating to data protection compliance, issuing interview notices, penalty notices and PECR enforcement. In particular, Schedule 13 brings PECR fines in line with UK GDPR levels (up to the greater of £17.5m or 4% of global turnover).

Why is this important?

The majority of the long-anticipated data protection provisions of the DUAA are now in force. It is hoped that these changes will reduce administrative burdens on businesses and foster innovation and economic growth. Given the amount of notice we have had for these changes, the market may have started to consider implementing any necessary changes in advance of commencement.

Any practical tips?

Businesses may want to consider:

  • mapping UK processing where they currently rely on legitimate interests and assessing whether they can shift to a “recognised legitimate interest” basis, noting that in certain scenarios both lawfulness and purpose limitation can be assumed, particularly for activities such as fraud/crime prevention, security and safeguarding under‑18s
  • identifying scenarios for potential ADM process changes, eg automation in recruitment
  • including children’s higher protection in DPIA templates and/or design governance artefacts
  • reviewing research, experimentation and measurement activities using personal data subject to UK GDPR to identify whether they may fall under the broad definition of scientific research.

 

Spring 2026
