The Information Commissioner’s Office (ICO) has released practical guidance to help organisations understand the Data (Use and Access) Act 2025 (DUAA), which became law on 19 June 2025. The Act amends (but does not replace) the UK GDPR, Data Protection Act 2018 and PECR, with commencement staged over the next year.
What the ICO’s guidance covers (in brief)
- What’s changing and what isn’t: UK GDPR, DPA 2018 and PECR remain in force; the DUAA adjusts and simplifies parts of those regimes. The ICO explains how it will regulate during the transition.
- Phased timetable: Changes come in stages between June 2025 and June 2026, with the first provisions in force from 19–20 August 2025 and more to follow via commencement regulations.
- Deep-dive for DPOs: The ICO has published a section-by-section summary of DUAA amendments aimed at data protection experts, and will update formal guidance as commencement progresses.
Key changes organisations should note
- Automated decision-making (ADM): A more permissive framework, with wider scope for solely automated decisions that have legal or similarly significant effects, subject to mandatory safeguards (transparency, right to make representations, human review).
- Subject access requests (SARs): Clarified time limits and a “stop-the-clock” mechanism when you reasonably need more information; searches should be reasonable and proportionate.
- Recognised legitimate interests: New lawful ground for certain specified purposes (e.g., public security, safeguarding, emergencies).
- Cookies & similar technologies: Limited additional circumstances where consent isn’t required (low-risk uses), alongside existing obligations.
- International transfers & law-enforcement/intelligence updates: Clarifications and alignment changes to simplify operation across regimes.
What you can do now
- Map impact areas (ADM, SARs, cookies, legitimate interests) and identify policy/process updates required as provisions commence.
- Update request handling: build SAR stop-the-clock steps and ensure searches are proportionate and documented.
- Refresh cookie/accountability records to capture any low-risk consent exemptions you plan to rely on.
- Plan staff training around commencement dates; the ICO will regulate based on the law in force at the time of the alleged infringement.
- Monitor commencement regulations via DSIT updates and the ICO’s rolling guidance programme.
