The Information Commissioner’s Office (ICO) has advised that the Data (Use and Access) Act 2025 (DUAA) received Royal Assent and became law on Thursday 19 June 2025.
The DUAA is a new piece of legislation that updates some existing laws about digital information matters. It amends, but does not replace, the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). The changes aim to make it easier for UK businesses to grow, whilst still protecting people’s personal information and their rights.
Most of the changes offer organisations an opportunity to do things differently, rather than requiring them to make specific changes to comply with the law. There is a requirement for organisations to have a process to help people who want to make complaints about how their personal information is used. This change won't come into force straight away and the ICO will provide guidance to help organisations.
The law will also place new duties on the ICO to:
- promote innovation and growth
- recognise the importance of preventing and detecting crime
- safeguard the public and national security
- recognise that children merit specific protection regarding their personal information.
The changes will be phased in at different points over the next 12 months. Firms can find out how the DUAA can help make things easier and understand if any of the changes apply to them by reading the announcement and guidance on the ICO website: Data (Use and Access) Act 2025 | ICO
The ICO has published a press release on its website: UK organisations stand to benefit from new data protection laws | ICO
There is also a business advice service to answer any questions or help.
