
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology


UK finalises data reforms: what businesses need to know

On 11 June 2025 Parliament passed a Bill that will shortly gain Royal Assent and become the Data (Use and Access) Act 2025 (the DUAA). The DUAA is a wide-ranging and significant package of reforms to UK data-related laws, with implications for all businesses operating in the UK. While businesses that already comply with the current UK data and privacy law regimes will generally only need to make minor adjustments, they should consider opportunities to leverage the greater flexibility afforded by the new law.

This article is the first in a series unpacking the implications of the DUAA for businesses, and provides a high-level overview of some of its key aspects.

The key reforms

The DUAA’s most noteworthy reforms include:

At-a-glance summary of the reforms
Reforms to data protection and ePrivacy laws
  • UK’s data protection authority, the Information Commissioner’s Office (ICO), replaced by a new Information Commission, with revised structure, duties and powers.
  • Significant increase to maximum fines under laws governing the use of direct marketing and tracking technologies (such as cookies).
  • Numerous other reforms impacting businesses operating in the UK, such as: (1) amended duties relating to data subject requests and complaints; (2) strengthened protections of children’s data; (3) reforms facilitating automated decision making and use of AI; and (4) changes to ease international transfers of personal data.
  • For further information see this blog post.
Powers for the government to establish smart data schemes
  • Smart data schemes are intended to allow the secure sharing of customer and business data with customers and certain authorised third-parties (eg for switching, personalised market comparison and account management services).
  • Priority sectors may include banking, finance, energy, road fuels, telecommunications and transport.
  • To further enable Open Banking/Finance, the reforms will also empower the government to order the Financial Conduct Authority to make rules requiring financial services providers (and certain other persons) to use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements, when providing or receiving customer data or business data.
Establish a framework for the provision of digital verification services in the UK
  • The DUAA aims to enhance digital verification services (DVS) in the UK by establishing a comprehensive framework for the provision of DVS.
  • The new regime will aim to streamline and secure the process of identity and eligibility verification and enable digital identities and attributes (eg age) to be used with the same confidence as paper documents through a trust framework. 
Online safety
  • New obligations for providers of internet services to retain information in connection with investigations into child deaths, and provide information for research into online safety (amending the UK’s Online Safety Act). 
  • New offences in respect of creating purported intimate images without consent.
Other data-related reforms

Those include: 

  • Permitting recognition of certain overseas electronic signatures, electronic seals and other trust services.
  • Extending certain data sharing powers to improve public service delivery.
  • Reforming the information standards for health and adult social care in England and the way births and deaths are registered in England and Wales. 
  • Facilitating the flow and use of personal data for law enforcement and national security purposes.
  • Establishing a register of underground assets. 

Next steps

A few provisions, such as reforms to the scope of searches required in response to data subjects’ requests, take effect immediately upon the Act receiving Royal Assent. 

Most reforms will not come into force until appointed by regulations made by the Secretary of State. The government has yet to confirm a timetable to bring all the DUAA into effect, but we expect to see a phased implementation with different parts of the Act commencing at different times over 2025 and 2026. Proactive monitoring of forthcoming statutory instruments will be crucial for affected organisations.

Some aspects of the DUAA, such as smart data schemes, are likely to be introduced gradually and sector-by-sector.

We will publish a series of blog posts unpacking key aspects of the DUAA over the coming weeks. Click here to learn about the implications for UK data protection and ePrivacy laws and here to see the rest of the series as it is published. 
