
The Data (Use and Access) Act 2025: key data protection provisions now in force

Key data protection provisions of the Data (Use and Access) Act 2025 (DUAA) have now come into force. This briefing note outlines the newly implemented provisions and highlights two significant Information Commissioner’s Office (ICO) consultations that UK-based businesses (or those targeting UK individuals) should be aware of.

Key provisions now in force

1. Special Category Data expansion

The Secretary of State now has the power to designate new types of Article 9(1) special category data (sensitive data, e.g. identifiable health or biometric data) under the UK GDPR. This also includes tailoring conditions for their use to enable the government to reflect and respond to future technological and societal developments. While no new categories have yet been defined, the power under Section 74 is intended to future-proof the UK GDPR by allowing the government to respond to emerging technologies and societal changes.

Impact for businesses: Organisations should monitor developments closely, particularly in areas such as biometric data, neurodata (i.e. information gathered directly from the brain or nervous system) or AI-inferred personal data (e.g. data from AI inferring someone's health status from a wearable device), which may be candidates for future classification as special category data.

2. Law enforcement Codes of Conduct

The ICO is now required to encourage expert public bodies to develop codes of conduct for processing personal data in law enforcement contexts (section 84).

Impact for businesses: Companies working with affected public bodies (e.g. in law enforcement contexts) or in adjacent sectors should monitor these developments and assess whether emerging codes might affect their operations.

3. ICO governance reforms & establishment of the Information Commission

The DUAA formally establishes the Information Commission (IC), which will replace the ICO’s current structure with a more institutionalised governance model (section 117 and schedule 14). The ICO continues to function and publish guidance under its current name until the transition to the IC is complete, which is expected in early 2026 when the governance structure and board appointments are finalised. The ICO governance provisions restructure the ICO’s duties (sections 91–95 and 102), including:

  • Establishing panels to review codes of practice and the ICO’s duties;
  • Preparing codes when directed; and
  • Publishing an annual report.

Impact for businesses: these governance reforms are designed to improve the ICO’s transparency and accountability, with clearer procedures for developing and reviewing codes of practice and a formalised annual reporting duty. Businesses can expect more consistent regulatory guidance and a more predictable framework for engaging with the regulator, particularly as new DUAA provisions continue to roll out.

4. Court procedure for DSARs

A new court procedure has been introduced to provide a structured legal mechanism for resolving disputes over data subject access requests (DSARs) (section 104) - namely that a court can require a data controller to make relevant data available to the court, but that information cannot be disclosed to the data subject until the court has decided in the data subject's favour. In essence, this provides a safeguard for both data subjects and organisations by establishing a controlled process for information disclosure in the event of a court challenge to a subject access request.

Impact for businesses: irrespective of this change, organisations should ensure DSAR processes are robust, timely and well-documented to mitigate risk and demonstrate compliance. Please also see our briefing note from earlier in the year, on preparing for the DUAA, which contains further details on DSAR changes for businesses.

5. PECR amendments and breach notification

The notification period for personal data breaches under Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) has been extended (under sections 109–111 and 113) to:

“Without undue delay and where feasible, not later than 72 hours after having become aware of it”

This change aligns PECR breach notification requirements with Article 33(1) of the UK GDPR, creating a unified standard for reporting across both regimes.

Impact for businesses: Organisations must update incident response plans and ensure breach reporting mechanisms meet the new timeline.

DUAA: what’s coming next

1. Recognised Legitimate Interest

A new lawful basis for processing personal data - ‘Recognised Legitimate Interest’ - has been introduced by the DUAA. This new basis is expected to come into force following consultation and secondary legislation, likely in late 2025 or early 2026. It is distinct from the existing ‘Legitimate Interests’ basis under Article 6(1)(f) UK GDPR and is limited to five pre-approved public interest purposes, namely:

  • Public task disclosure request condition (this only applies to data sharing with organisations who have public tasks or official functions in UK law);
  • National security, public security and defence condition (appropriate if you need to handle personal information to safeguard national security, protect public security or for defence purposes);
  • Emergencies condition (appropriate if the situation meets the definition of an emergency as set out in the Civil Contingencies Act 2004 (e.g. which threatens serious damage to human welfare) and your use of the personal information is necessary to respond to that emergency);
  • Crime condition (appropriate if you need to handle personal information to detect, investigate or prevent crime, including capturing or prosecuting offenders); and
  • Safeguarding condition (appropriate if you need to use personal information to safeguard a “vulnerable individual”).

The ICO’s draft guidance aims to help organisations understand and apply this new basis, with practical examples and compliance tips. It has now opened consultation on the guidance.

Link: ICO Consultation on Recognised Legitimate Interest

Impact for businesses: Organisations should assess whether their processing activities could benefit from this new basis and consider responding to the consultation to help shape the final guidance.

2. Data Protection complaints handling

The DUAA introduces a new requirement for all organisations to have a data protection complaints process in place by June 2026. This includes:

  • providing individuals with a clear mechanism for submitting data protection complaints;
  • acknowledging complaints within 30 days of receiving them;
  • taking appropriate steps to investigate them ‘without undue delay’ (including making appropriate enquiries and keeping people informed); and
  • informing individuals of outcomes without undue delay.

The ICO’s draft guidance outlines what organisations must, should and could do to comply, with practical advice for each stage. A consultation on the draft guidance is also underway.

Link: ICO Consultation on Complaints Guidance

Impact for businesses: Organisations should begin planning their complaints handling procedures now, to ensure readiness by June 2026. Participating in the consultation may help organisations better understand the new requirements and contribute to clearer final guidance from the ICO.

Next steps for UK businesses

With the DUAA now partially in force and further provisions expected later this year, businesses should consider:

  • reviewing internal policies on breach notification, DSARs and special category data;
  • engaging with ICO consultations to influence guidance and prepare for future compliance;
  • monitoring developments around the Information Commission and law enforcement codes; and
  • planning for the June 2026 complaints handling requirement.

The DUAA introduces targeted reforms to the UK’s data protection framework, focusing on regulatory clarity, public trust and operational efficiency. While many provisions are ‘evolutionary’ rather than ‘revolutionary’, they require businesses to re-assess compliance strategies, particularly around breach reporting, complaints handling and lawful bases for processing. Early engagement with the new requirements and ICO consultations will help organisations stay ahead of enforcement and regulatory expectations. Further DUAA provisions are expected to be commenced in stages throughout late 2025 and early 2026, with accompanying ICO guidance to follow.

For more information or advice, please contact Beverley Flynn and Quintin Farley in the commercial and technology team at Stevens & Bolton.

The information contained in this guide is intended to be a general introductory summary of the subject matters covered only. It does not purport to be exhaustive, or to provide legal advice, and should not be used as a substitute for such advice.
