UK's Data (Use and Access) Act 2025 Rewrites UK GDPR Rules: What Changed and When

Information last verified on June 20, 2026.
Status: The Act is law and most data protection provisions are in force. One element, the duty on data controllers to operate a complaints-handling process, is on a longer lead-in and is expected to commence approximately 12 months after Royal Assent, around June 2026.
The United Kingdom has carried out the most significant overhaul of its data protection regime since it left the European Union. The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and is recorded as 2025 c. 18 on the official statute book (legislation.gov.uk). Rather than scrapping the post-Brexit framework, the Act edits it in place, leaving the UK GDPR, the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations (PECR) intact but materially changed.
The long title of the Act runs to several hundred words because DUAA is a sprawling piece of legislation. Alongside the data protection reforms it covers smart data and open banking, digital verification services, a register of underground assets, digital birth and death records, online safety research access, and rules on AI training and copyright. This explainer focuses on the parts that touch personal data and privacy.
What the Act actually changes
The headline reform is a new lawful basis for processing. The government guidance describes a category of recognised legitimate interests that lets organizations process personal data for specified purposes such as crime prevention, safeguarding, and responding to emergencies without running the usual balancing test (gov.uk). The idea is to remove uncertainty for processing that Parliament has already decided is in the public interest.
DUAA also rewrites the rules on solely automated decision-making. Under the new framework, organizations may make solely automated decisions that produce legal or similarly significant effects in a wider range of situations, provided they put safeguards in place. Those safeguards include telling people that a significant automated decision has been made about them and giving them a route to make representations and to challenge the outcome. The interaction between algorithmic decisions and individual rights is a live issue in the United States too, which we cover in our guide to AI and data privacy.
For subject access requests, the Act introduces a stop-the-clock mechanism. When an organization reasonably needs more information to find the data or to confirm the requester's identity, it can pause the statutory response deadline until the requester replies. The Act also clarifies that organizations only need to conduct a reasonable and proportionate search.
Cookies and similar technologies get lighter-touch treatment. The guidance states that DUAA permits the use of certain storage and access technologies without explicit consent in defined low-risk situations, for example for some analytics and for remembering display preferences. The strict opt-in default still applies to anything that tracks people across services.
Bigger fines and a new regulator
One of the most consequential changes is structural. The Information Commissioner has long been a corporation sole, a single office-holder. DUAA replaces that model with a body corporate, the Information Commission, with a board made up of executive and non-executive members (gov.uk ICO factsheet). The governance handover depends on board appointments expected in early 2026.

The regulator's toolkit also grows. The Act lets the regulator require a person to attend an interview to answer questions, extends assessment notices so an organization can be made to commission and pay for a report to assist an investigation, and confirms that information notices can demand documents. The regulator generally must issue a final penalty notice within six months of a notice of intent, or as soon as reasonably practicable after that.
Crucially for marketers and anyone sending electronic communications, DUAA aligns PECR enforcement sanctions, both powers and fines, with the Data Protection Act 2018. PECR previously capped monetary penalties far below the data protection regime, which limited the regulator's leverage over nuisance calls, spam texts, and unlawful cookie practices. Bringing PECR into line with the DPA 2018 raises the ceiling substantially.
How the reforms are being switched on
DUAA is not a single switch. The government published a staged commencement plan and has been bringing provisions into force in tranches (gov.uk commencement plan). Technical provisions and new statutory objectives for the regulator came into force on 20 August 2025. Several law enforcement and intelligence processing amendments commenced in early September 2025, and the digital identity trust framework in Part 2 came into force on 1 December 2025.
The bulk of the data protection and privacy provisions in Part 5 commenced on 5 February 2026. The one notable holdout is the new duty requiring controllers to operate a complaints process, including an electronic complaint form and telling people the outcome. That obligation sits on a longer timeline and is expected to commence roughly 12 months after Royal Assent, which points to around June 2026 as of this writing.
The practical takeaway is that any organization handling UK personal data should treat the new regime as live now, while watching for the complaints duty to land. Employers in particular face overlapping obligations, a theme that also runs through US workplace privacy rules, which we cover in our guide to employee data privacy.
Analysis: Why This Matters
In the view of the Recording Law Editorial Team, the most important thing about DUAA is what it does not do. The UK chose evolution over rupture. Despite years of political talk about replacing the GDPR, the final Act keeps the UK GDPR and the DPA 2018 as the backbone and trims around the edges. That matters for the UK's data adequacy relationship with the European Union, because a wholesale departure would have put cross-border data flows at risk. The amend-in-place approach signals to Brussels that the core protections survive.

The second theme is enforcement. Aligning PECR penalties with the DPA 2018 is not a footnote. It hands the regulator real financial weight over the exact behaviors that generate the most public complaints, nuisance marketing and intrusive tracking. Combined with new powers to compel interviews and to make companies fund their own assessment reports, the practical risk of getting privacy compliance wrong in the UK has gone up, even where the substantive rules were relaxed.
The third theme is the trade-off baked into the reforms. Lighter cookie rules, broader automated decision-making, and a fixed list of recognised legitimate interests are designed to reduce friction for business and the public sector. The counterweight is supposed to be transparency and the right to challenge. Whether that balance holds will depend on how the new Information Commission writes its guidance and how aggressively it polices the safeguards. For a fuller picture of how these rules fit together, see our overview of UK data privacy laws.
What Happens Next
The remaining piece to watch is the complaints-handling duty, expected to commence around June 2026, after which organizations will need a working electronic complaint route and a process for telling people the result. The new Information Commission's board appointments and its first wave of statutory guidance and codes will also shape how the relaxed provisions, especially automated decision-making and recognised legitimate interests, operate in practice. Organizations should keep checking the regulator's published guidance, because several DUAA provisions are deliberately framed to be filled in by codes and secondary regulations as of mid-2026.

Frequently Asked Questions
Did the Data (Use and Access) Act 2025 replace the UK GDPR?
No. The Act amends the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations rather than replacing them. The core framework remains in force, with targeted changes to lawful bases, automated decisions, cookies, complaints, and the regulator. The Act received Royal Assent on 19 June 2025.
When did the new data protection rules take effect?
The reforms are phased. Technical provisions and new regulator objectives commenced on 20 August 2025, digital identity measures on 1 December 2025, and most data protection and privacy provisions in Part 5 on 5 February 2026. The duty on organizations to run a complaints process is on a longer lead-in and is expected around June 2026.
What is the Information Commission?
DUAA abolishes the corporation-sole structure of the Information Commissioner and creates a new body corporate called the Information Commission, governed by a board of executive and non-executive members. The transition depends on board appointments expected in early 2026.
Did the Act change the fines for spam and cookie violations?
Yes. The Act aligns the enforcement powers and fines under the Privacy and Electronic Communications Regulations with the Data Protection Act 2018. PECR penalties were previously capped well below the data protection regime, so this is a significant increase in the maximum exposure for unlawful marketing and tracking.
What changed for automated decision-making under DUAA?
The Act lets organizations make solely automated decisions with legal or similarly significant effects in more situations, provided they apply safeguards. Those safeguards include informing people about significant automated decisions and giving them a way to make representations and to challenge the decision.
Does this affect companies outside the UK?
It can. The amended UK regime continues to apply where organizations process the personal data of people in the UK or offer goods and services to them, subject to the legislation's territorial scope. Non-UK organizations handling UK personal data should review the new rules and watch for the complaints-handling duty expected around June 2026.
Sources and References
- Data (Use and Access) Act 2025, 2025 c. 18, introduction (enacted), showing the Royal Assent date of 19 June 2025 and the full long title (legislation.gov.uk).
- Data (Use and Access) Act 2025, full table of contents (as enacted), showing the eight parts and the scope of the data protection amendments (legislation.gov.uk).
- GOV.UK guidance: Data (Use and Access) Act 2025 data protection and privacy changes (recognised legitimate interests, automated decision-making, cookies, subject access requests, complaints handling) (gov.uk).
- GOV.UK guidance: Data (Use and Access) Act 2025 plans for commencement, listing the staged commencement dates including 20 August 2025, 1 December 2025, and 5 February 2026 (gov.uk).
- GOV.UK factsheet: the Data (Use and Access) Act 2025 and the ICO, confirming the new Information Commission body corporate, PECR alignment with the DPA 2018, and new enforcement powers (gov.uk).
- Information Commissioner's Office overview of the Data (Use and Access) Act 2025 and how the regulator will implement it (ico.org.uk).