Majority of DUA Act amendments take effect

In a significant update last Tuesday, Ian Murray, joint Minister of State for the Department of Science, Innovation and Technology, and the Department for Culture, Media and Sport, made a commencement order that brought the majority of the Data (Use and Access) Act 2025 (DUA Act) amendments into effect.

The DUA Act (Commencement No.6 and Transitional and Saving Provisions) Regulations 2026, dated 29 January, enact 42 provisions that amend the UK's data protection legislative framework. Of these provisions, 41 took effect on Thursday, 5 February, while the remaining provision concerning the new requirement for organisations to implement a complaints procedure for data subjects is scheduled to take effect on 19 June.

The timing of the announcement has drawn criticism from practitioners and commentators already wary of the piecemeal approach to implementing the changes contained in the DUA Act. Allowing a mere two days' notice before the bulk of the provisions take effect is exceptionally short notice for organisations to adapt their processes, especially since much of the necessary guidance from the Information Commissioner's Office (ICO) to support the new requirements has yet to be released. 

Despite these challenges, the amendments that came into effect on 5 February introduce substantial new obligations and opportunities for both controllers and processors. Organisations are, therefore, advised to act immediately to review their documentation and update their compliance processes to align with the new requirements.

In a statement welcoming the news, the ICO acknowledged the update and called on businesses to "take the opportunities the reforms offer to grow and innovate products and services whilst continuing to maintain good standards of protection for people's personal information."

The statement also included links to a new updated Codes of conducts guide and Data protection by design and by default guidance materials. However. while the latest guidance materials will assist organisations in bringing their processes into compliance with the new rules, the plans for new and updated guidance page on the ICO's website reveal the significant work that still lies ahead.

Training announcement: Freevacy provides comprehensive training for new and existing practitioners on the changes introduced by the DUA Act to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations 2003 (PEC-Regulations). Our courses are always up to date and provide a forum for learning and discussing how to ensure your data protection processes remain compliant. Find out more.