The UK’s data protection landscape is undergoing its first significant transformation since Brexit reshaped the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) and introduced the UK GDPR. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, introduces key changes to the current structure, powers and enforcement capabilities of the UK’s data protection regulator.

When the relevant provisions come into force via secondary legislation – the bulk of which are currently expected to be phased in around December 2025 – the Information Commissioner’s Office (ICO) will be replaced by a new body, the Information Commission (IC), with a modernised corporate structure and an enhanced suite of investigatory and enforcement powers.