It has been a month since the Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent. DUAA amends existing UK data protection legislation, including, the UK GDPR, Data Protection Act 2018 and the Privacy & Electronic Communications (EC) Regulations 2003 (SI 2003/2426). Limited provisions came into force on the day DUAA was enacted, 19 June 2025. Its remaining provisions will come into force in the 12 months after enactment, and those dates will be specified in commencement regulations.
According to the ICO, “[DUAA] changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights. Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law”.
Reassuringly, therefore, if a UK organisation currently has a data protection compliance programme in place it can leverage that programme to accommodate the changes introduced by DUAA. Programme changes could, for example, be phased according to the commencement dates for applicable DUAA provisions (whenever these are published).
Follow our new DUAA series of blogs for regular, themed posts – first one next week will be on cookies!
Explore more insights
Articles 01 July
ECCTA 2023: company directors and IDV… where are we now?
What is the objective of the Economic Crime and Corporate Transparency Act (ECCTA) 2023 with regards to identity…
Newsletters 30 June
Corporate Commentary – June 2026
Welcome to Blake Morgan’s Corporate Commentary, which brings together a selection of our most popular insights on current…
Articles 12 May
UKIPO: 150 years of trade marks
The UKIPO has celebrated 150 years of trade marks this year. To mark the occasion, we look at…

