In our 2025 series on the Data (Use and Access) Act 2025 (the DUA Act), we considered the key data protection reform pillars introduced by the Act, and the ways in which such reforms lead to UK–EU divergence.
In this article, we summarise:
- what has already been commenced
- the ICO’s planned guidance timetable.
We also look ahead to the key milestones for implementation of the DUA Act which we anticipate will take place in 2026.
Beyond data protection, the DUA Act also introduces new frameworks for smart data schemes (in Part 1 of the DUA Act), digital verification services (Part 2), the National Underground Asset Register (Part 3), modernisation of births and deaths registration (Part 4), alongside data protection and privacy reforms (Part 5) and reorganisation of the ICO (which becomes the Information Commission) (Part 6), plus certain other sector-specific provisions in Part 7.
Commencement Dates
A number of the most significant reforms under the DUA Act require commencement regulations and further secondary legislation before they come into effect, which in some cases are required to be preceded by consultation.
The Department for Science, Innovation and Technology has published a staged commencement plan, setting out the Government’s plans for entry into force of the DUA Act’s provisions. The plan indicates an intention to commence the DUA Act in four broad phases, with the main Part 5 data protection amendments expected in “Stage 3” during 2026, while complaints-handling duties and ICO governance changes are expected to follow later. Four commencement regulations have already been made.
In summary:
- Commencement No. 1 (in force 20 August 2025) brought into force specified provisions including Part 1 (Smart Data) and Section 111 which amends the personal data breach notification under PECR in line with UK GDPR, as well as certain technical provisions, and the new statutory objectives for the ICO.
- Commencement No. 2 (in force 30 September 2025) brought into force section 124 (a Part 7 provision), which makes a targeted amendment to the Online Safety Act 2023 on retention of information in connection with a child death investigation.
- Commencement No. 3 (in force in stages on 5 September 2025 and 17 November 2025) brought into force section 79 (legal professional privilege) and sections 88–90 (national security), amending Parts 3 and 4 of the Data Protection Act 2018 (“DPA 2018”) for law enforcement and intelligence services processing.
- Commencement No. 4 (in force 1 December 2025) brought into force most of Part 2 (Digital Verification Services), excluding sections 45–48 (which relate to public authorities sharing information with digital verification service providers).
- Commencement No. 5 (coming into force on 6 February 2026) will bring into effect section 138, which inserts new sections 66E, 66F, 66G and 66H into the Sexual Offences Act 2003, establishing new offences relating to creating, or requesting the creation of, purported intimate images of an adult without consent or reasonable belief in consent.
A number of key provisions relating to data protection reform were due to come into force approximately six months from Royal Assent, and as no regulation was published in December 2025, it is expected that a new commencement regulation will be made in early 2026. Section 103 introduces a new statutory complaints handling duty (new section 164A DPA 2018) and the ICO has stated that organisations must have a compliant complaints process in place by June 2026.
Separately, reforms to the ICO’s governance and structure are also expected to follow later commencement.
ICO Guidance
Immediately following Royal Assent on 19 June 2025, the ICO announced that it would be updating its guidance to reflect the reforms being introduced by the DUA Act. Such guidance is eagerly awaited by practitioners and organisations across all sectors.
The first guidance to be updated is on the data subject’s Right of Access. The ICO’s detailed guidance has been brought up to date to include the DUA Act’s changes in relation to data subject access requests (DSARs). The ICO has also made clear that some of these changes are not yet in force, but has updated its materials now to support organisational readiness. Interestingly, these changes place on a statutory footing the regulator’s earlier guidance on the “stop-the-clock” provision and on limiting the right of access to a “reasonable and proportionate” search. The latest guidance now clarifies that controllers must make a reasonable and proportionate search in response to a DSAR, which means making “reasonable efforts” to find and retrieve the requested information, but there is no obligation to conduct searches where this would be “unreasonable or disproportionate to the importance of providing access to the information”. It is the responsibility of the controller to make this assessment, and the guidance advises that the following should be taken into consideration:
- the circumstances of the request
- the volume of information which may need to be searched to retrieve the information
- any difficulties involved in finding the information
- the fundamental nature of the right of access.
The fourth point stresses that a high threshold applies to the exception. Until a body of decision notices emerges to clarify how the ICO will approach the application of the new limitation in practice, controllers are advised that there may be a risk of challenge if the exception is relied upon without solid grounds. Controllers who reject a DSAR in reliance upon the “reasonable and proportionate” search limitation must be able to provide evidence for the legality of their refusal.
The following updated guidance is due to be published in the coming months:

| ICO planned Guidance: Winter 2025/2026 | |
| --- | --- |
| Codes of Conduct and Certification Guidance Update | Update to reflect the DUA Act reforms to the statutory framework for codes of conduct and certification, and associated changes to the ICO’s processes. |
| Complaints Guidance for Organisations | Guidance on the new statutory complaints handling duty (new section 164A of the DPA 2018). |
| Data sharing for scams and frauds | Update to ICO advice to reflect the DUA Act provisions on data sharing to tackle scams and fraud, including how these provisions interact with lawful basis assessments (including the new “Recognised Legitimate Interest”, where relevant). |
| International Transfers Guidance | Updated guidance to reflect DUA Act amendments to the UK’s international transfers framework under articles 44-49 of the UK GDPR, including the new “data protection test” (introducing the “not materially lower” threshold) for adequacy and transfer mechanisms, and the statutory requirement to assess and document that test on a “reasonable and proportionate” basis. |
| Lawful Basis Guidance Update | Update of existing lawful basis guidance to reflect DUA Act amendments affecting article 6 of UK GDPR and related concepts. |
| Legitimate Interest Update | Update to existing guidance to reflect DUA Act reforms including the interaction with the new “recognised legitimate interests” lawful basis and, where relevant, implications for lawful basis assessments in areas such as automated decision making and direct marketing. |
| Recognised Legitimate Interest | Guidance for organisations on the new legitimate interest introduced by the DUA Act. |
| Purpose Limitation Update | Updated and expanded guidance on the DUA Act reforms to the purpose limitation principle and further processing rules, including the revised compatibility assessment and the new statutory conditions governing when further processing is treated as compatible. |

| ICO planned Guidance: Winter 2025/2026 | |
| --- | --- |
| DSARs guidance for SMEs update | Updates to the ICO’s DSAR guidance aimed at small organisations, reflecting DUA Act changes to DSAR handling. |
| Research, Archiving and Statistics Provisions update Guidance | Guidance on the DUA Act reforms affecting processing for scientific, historical and statistical purposes, including how the updated framework applies to consent and data re-use. A public consultation on the proposed guidance is due to launch in January 2026. |

Many of the new concepts and reforms which are introduced by the DUA Act will take time to become embedded into organisational compliance programmes. In the interim, organisations should treat the ICO’s updated and forthcoming guidance as a key operational benchmark for interpreting and implementing the new statutory framework as provisions are commenced.
For advice and support, please contact our expert Technology & Data Protection team.