Data (Use and Access) Bill becomes law

The Data (Use and Access) Bill has today received Royal Assent. The Department of Science and Technology (DSIT) will issue guidance and a commencement schedule in due course.

Information Commissioner John Edwards said: “Today we’ve published a catalogue of resources to help explain what this new legislation means for businesses. Over the coming months we will launch new guidance, open consultations, and provide practical tools to help embed the Act’s principles into everyday operations.”

The ICO’s factual summary of the DUA Act specifically aimed at DPOs lists the changes, but interpretation will follow as the ICO develops and updates its guidance.

The DUA Act amends, but does not replace the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

The UK government has aimed for a delicate balance between giving data controllers more flexibility in their use of data, and maintaining the UK’s EU adequacy status. An EU decision will be announced by the end of this year.

Today the government also announced that it is recruiting 7 non-executive members to the board of the new Information Commission, which will be established by the Data (Use and Access) Act 2025 to replace the Information Commissioner’s Office (ICO) as the UK’s data regulator.

See:

• ICO - The Data Use and Access Act 2025 (DUAA) - summary of the changes to data protection law

Register now for PL&B’s 38th International Conference to hear ICO and DSIT speakers on the content and application of this new law.

Read more about this topic in PL&B UK Report July 2025.