Toz Ali

The Data (Use and Access) Act 2025 (DUAA) is a wide-ranging piece of legislation that does not replace the UK GDPR, the Data Protection Act 2018 (DPA 2018), or PECR (the Privacy and Electronic Communications Regulations). Instead, it amends them to (a) make some compliance requirements clearer/simpler, (b) enable more data sharing and innovation in specified areas, and (c) update the regulator model and enforcement toolkit. It received Royal Assent on 19 June 2025, and most changes commenced in stages (not all at once). 

While the Data (Use and Access) Act 2025 (DUAA) itself is focused on reforms to data protection and related frameworks, some commentators, civil liberties groups, and campaigners have raised broader concerns about how such reforms could combine with other digital policy initiatives to expand state access to personal data or create structures that could be misused for surveillance.

The Data (Use and Access) Act 2025 (DUAA) represents the UK’s most significant update to its data laws in years. Rather than replacing the UK GDPR or the Data Protection Act 2018, it amends them and introduces new measures designed to modernise data governance, support innovation, and clarify compliance obligations for organisations.

Explore how the UK’s Online Safety Act reshapes internet rules, holding tech platforms accountable for user safety, privacy, and harmful content control.