UK organisations stand to benefit from new data protection laws
The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services.
Changes to the law include: clarifying how personal information can be used for research; lifting restrictions on some automated decision making; setting out how to use some cookies without consent; allowing charities to send people electronic mail marketing without consent in certain circumstances; requiring organisations to have a data protection complaints procedure and introducing a new lawful basis of recognised legitimate interests.
The Act provides the ICO with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under PECR.
Today the ICO are publishing information to support organisations and the public as these changes are introduced. This includes:
- An outline what the Act means for organisations.
- An outline of what the Act means for law enforcement agencies.
- A detailed summary of the changes for data protection experts.
- A new and planned guidance web page setting out what guidance to expect and when.
- An outline of how we will continue our regulatory work as the Act is implemented.
- A guide for the public on how the Act will affect them.
John Edwards, Information Commissioner, said:
“The Data (Use and Access) Act 2025 gives organisations using personal information new and better opportunities to innovate and grow in the UK, and further enhances our ability to balance innovation and economic growth with strong protections for people’s rights.
“Today we’ve published a catalogue of resources to help explain what this new legislation means for businesses. Over the coming months we will launch new guidance, open consultations, and provide practical tools to help embed the Act’s principles into everyday operations. Our goal is to ensure that data can be used confidently and responsibly to deliver better services, drive economic growth, and uphold public trust.”
Next steps for organisations
Government will phase implementation of the new law, commencing different changes using secondary legislation. While most provisions are expected to come into force either two or six months after Royal Assent, some may take up to 12 months.
To prepare, organisations can:
- Familiarise themselves with the changes that the DUAA makes to data protection law using these resources. Read our detailed summary for more information.
- If they provide an online service that children are likely to use, make sure they are doing enough to satisfy the new explicit requirement to consider their needs. They should be on track if they already conform to our Children’s code.
- Start thinking about how they can help people to make complaints.
- Review the changes that support innovation and make things easier and consider whether they want to take the opportunity to do anything differently or streamline their processes.
- Sign up to the ICO newsletter and e-shots, so they’ll know when we’ve updated our guidance.
More Information
- The DUAA provides amendments, but does not replace, the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations. These changes are designed to make data protection law clearer and more flexible for organisations, while maintaining strong safeguards for individuals.
- The DUAA received Royal Assent on 19 June 2025.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.
UK organisations stand to benefit from new data protection laws
The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services.