Beware the new data law ‘drip-feed’, UK firms warned

UK businesses are being warned not to get caught out by the drip-feed of the new Data Use & Access Act despite previous claims that the legislation will also trigger a “data gold rush”.

While the Act has been on the Statute Book since June, it will still be some time before the key regulations – including UK GDPR, the Data Protection Act 2018, and the Privacy & Electronic Communications Regulations (PECR) – are amended.

And, unlike many major reforms, there will not be a sudden wave of changes; instead, rules will be introduced gradually, with elements coming into force between now and June 2026.

Square One Law is urging firms not to take the phased approach lightly and to stay on top of which elements have come into force.

Partner and head of commercial Helen Brain is urging organisations not to be complacent. She said: “DUAA is already here with changes in regulation filtering in over the course of a year.

“Having the time to adjust is welcomed, but it’s easy for businesses to take their eye off the ball and risk breaching new laws as they come into force.

“Reforms around website cookies and international data transfers have major implications and now is the time to plan, audit processes, and agree a roadmap to stay compliant. Act early and avoid last-minute stresses.”

Changes already live include greater clarity on the handling of data subject access requests (DSARs), which now require “reasonable and proportionate” searches, with deadlines that can be paused. Several procedural adjustments to the Information Commissioner’s Office have taken effect, although most enforcement powers will arrive later.

Further reform is expected later this year and into early 2026, with the ICO currently consulting on many of the new measures.

These include restrictions on automated decision-making and AI without human oversight, while new rules on cookies and online tracking could replace consent pop-ups with browser or device settings.

The Act also introduces a new lawful basis for processing under “recognised legitimate interests” (which are listed in a schedule to the Act), and, while a necessity test is required for use of this new basis, there will be no need to conduct a balancing test in certain contexts. There are also some changes introduced to the existing legitimate interests lawful basis.

Brain added: “Heading into 2026, an ICO restructure will give it improved enforcement powers. It’s fair to say that some of the new rules on digital identity and automated decision-making coming into play are quite complex and firms will need time to fully interpret their implications.

“It’s important that businesses are on top of this – early movers who stay agile will face fewer surprises and may even gain a competitive edge.”

For now, she maintains that businesses should consider a number of measures, including auditing DSAR processes immediately to ensure compliance; mapping cookies/analytics use to prepare for exemptions and reduced banner reliance; reviewing automated decision making and AI deployments in compliance with impending changes; and tracking so-called “Commencement Orders” on Gov.uk to confirm exact “live” dates.

In addition, while the EU has extended the UK’s adequacy decision until December 27 to review the implications of the DUAA, maintaining this deal is crucial to smooth data flows between the UK and EU, and firms reliant on international data transfers will be watching the outcome closely.

Any changes will have serious implications for financial services, technology and health sector businesses, with further guidance for these sectors due in the coming months.

Brain concluded: “In short, DUAA has arrived. But the most significant changes are still to come. For now stay alert to each new Commencement Order and prepare now to ensure you are ready when each reform lands.”

The move follows claims that the new legislation will turbocharge marketing and customer engagement, but marketers can only capitalise with a fresh, data-led strategy.

That is according to data intelligence company Sagacity, whose data quality and governance manager Andrew Bridges insisted: “This is a gold rush: a once-in-a-generation opportunity.”

Bridges, who is also a member of the DMA Governance Committee, is keen to stress that there has never been a better time for marketers to get in shape.

He explained: “Until now, around half of businesses have been nervous and unclear about whether they could process customer data under ‘legitimate interest’ – and with the risk of damaging fines, it’s easy to see why.

“The Data Act changes that, giving businesses the legal clarity to use data confidently, whether that means reconnecting with lapsed customers or reaching new audiences. With regulatory updates imminent, now is the time for businesses to get ready.”
