On 20th August 2025 some provisions of The Data (Use and Access) Act 2025 will come in to force.
The DUA Act received Royal Assent on 19th June 2025. It amends, rather than replaces, the UK GDPR as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the Data Protection Act 2018. (You can read a summary of the Act here.)
The only substantive amendment (Section 78) to the UK GDPR that came into force on 19th June inserted a new Article 15(1A), relating to subject access requests:
“…the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.”
Other provisions of the Act will commence in stages, 2 to 12 months after Royal Assent, according to the Government’s recently published plans for commencement.
The first commencement order, The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, was made on 21st July. This does not bring into force any “show stoppers” (like Recognised Legitimate Interests, the new International Transfer adequacy test or increased fines for PECR breaches). Rather 20th August will see mostly technical provisions come into force, alongside new statutory objectives for the Information Commissioner’s Office when carrying out its functions and provisions requiring the government to prepare a progress update and a report on copyright works and AI systems. The full list is here.
The government says that approximately 6 months after Royal Assent, commencement of the main changes to data protection legislation (in Part 5 of the Act) will take place.
Data protection professionals need to assess the changes to the UK data protection regime set out in the DUA Act. Our half day workshop will explore the new Act in detail giving you an action plan for compliance.
0 Comments