ICO Data Act 2025 amendments: what you need to know

News 11th September 2025

In a landmark development for UK data protection law, the Data (Use and Access) Act 2025, commonly referred to as the DUAA, received Royal Assent on 19 June 2025. This move ushers in a series of reforms designed to strike a delicate balance between innovation and individual privacy.

With phased implementation currently underway, the Information Commissioner’s Office (ICO) has launched consultations to support organisations in interpreting and applying key ICO data protection requirements.

This informative blog post will explain what the DUAA entails, the key upcoming amendments, what they mean for UK businesses, and how Net-Defence can help.

What is the Data (Use and Access) Act 2025?

The DUAA is not a complete overhaul but rather an enhancement of existing legislation – namely the UK GDPR, Data Protection Act 2018, and PECR – that aims to modernise the regulatory framework to foster innovation, streamline services, and ensure robust privacy protection.

What are the core objectives of the Act?

  • Economic growth: Unlocking the power of data to bolster the UK economy and increase operational efficiency across sectors like health, infrastructure, and public services.
  • Modernising public services: Transitioning to digital systems (e.g., electronic birth/death registration) and improving government service delivery.
  • Stronger protections, clearer pathways: Introducing new lawful bases for data use while maintaining individuals’ data rights and promoting transparency.

What are the legislative highlights?

The Act covers multiple domains:

  • Access to customer and business data (expanding the “smart data” concept beyond open banking)
  • Regulation of digital verification services with trust frameworks and certification schemes
  • Formalising the National Underground Asset Register
  • Digitising birth and death registration
  • Reforming data protection, PECR, and the transition of ICO’s functions to a new Information Commission

This is a forward-looking Act aimed at giving businesses greater clarity on compliance and modernising data protection governance standards overseen by the ICO.

What amendments does the Act introduce?

Since the Act’s passage, several notable amendments and provisions have come into focus – many currently under consultation by the ICO. These changes set out to increase clarity, strengthen accountability, and modernise how organisations manage personal data in practice.

1. New lawful basis: “recognised legitimate interest”

The Act introduces a new lawful basis called “recognised legitimate interest.” This sits alongside the existing legitimate interests provision but is more specific, offering SMEs greater flexibility when using personal data in clearly defined circumstances.

2. Mandatory data protection complaints process

Organisations must now establish a formal process for handling data protection complaints, ensuring alignment with the ICO’s expectations. This move is designed to improve accountability, raise standards of customer service, and give individuals greater confidence that their concerns will be addressed fairly.

3. Clarification on research, cookies, automated decisions, and marketing

The amendments simplify cookie rules by removing the need for explicit consent in certain scenarios. They also provide clarity for research, automated decision-making, and marketing, including provisions that allow charities to send emails under specific, controlled conditions.

4. Enforcement powers for the ICO

The ICO has gained stronger enforcement powers, reinforcing its role in monitoring and enforcing data protection obligations across UK businesses. Penalties under PECR now align with UK GDPR, reaching up to £17.5 million or 4% of global turnover.

5. AI and copyright transparency

Although some Commons amendments were overturned, a compromise requires the Secretary of State to draft legislation safeguarding copyright owners where AI systems use their works as data inputs. This balances innovation with fair recognition of intellectual property rights.

What does this mean for UK businesses?

The coming waves of changes bring both opportunities and responsibilities for UK organisations. While the amendments are designed to support innovation, they also introduce new layers of accountability that businesses cannot afford to overlook.

Opportunities

One of the most significant opportunities comes from the introduction of new lawful bases and the relaxation of certain restrictions. These adjustments provide businesses with more freedom to develop and launch data-driven services, fostering innovation with greater confidence.

For many organisations, particularly in competitive markets, this creates space to test and deploy products that rely heavily on personal data without the same level of uncertainty that has historically slowed development.

The clarified rules around research and automated processes also help to reduce friction for organisations conducting research and development. By making the parameters clearer, the Act gives businesses a more reliable framework within which they can experiment, test, and refine their processes, knowing their compliance obligations are defined.

In addition, the amendments enhance flexibility for marketing and data use. Smaller organisations and charities in particular stand to benefit, as the new provisions open the door to reaching audiences more effectively within a compliant framework. This levels the playing field between large corporations and SMEs, empowering more organisations to compete in data-driven sectors.

Responsibilities

Alongside the benefits, there are clear responsibilities for organisations to meet. Businesses must update their internal policies and procedures, particularly by implementing formal complaints processes and ensuring alignment with the new “recognised legitimate interest” basis.

A further priority is revisiting cookie and PECR compliance. With fines now elevated and the ICO granted stronger enforcement powers, businesses must ensure their systems comply with ICO data protection standards for marketing and cookie tracking. A thorough audit and, where necessary, rapid adjustments will be key to avoiding unnecessary risks.

Companies must also prepare for the phased implementation of these amendments. While the Act received Royal Assent in June 2025, many of its provisions will not take effect immediately. Instead, they will be rolled out over a period of between two and twelve months, depending on the requirements of secondary legislation. Planning ahead will be critical to staying compliant as each provision comes into force.

Another ongoing responsibility is monitoring forthcoming guidance on ICO data protection practices, lawful bases, and compliance expectations. The regulator has already begun consultations and is expected to publish detailed guidance covering areas such as lawful bases, complaints procedures, archiving, codes of conduct and thresholds for public interest.

This guidance will emerge gradually across late 2025 and well into 2026, making it essential for businesses to track updates closely and adapt accordingly.

Risks

With these responsibilities comes a sharper enforcement landscape. PECR now carries potentially severe penalties, and automated scanning tools are likely to make breaches of cookie and marketing rules easier to detect. For businesses that are not proactive in updating their systems, this creates a tangible risk of regulatory action and financial penalties.

Beyond legal exposure, there is also the danger of eroding customer trust. Mishandling data, failing to make complaints mechanisms visible, or misusing the new legitimate interest basis could undermine an organisation’s reputation.

In an environment where consumer awareness of data rights is growing, reputational damage could have consequences as serious as financial penalties, particularly for businesses competing in trust-sensitive markets.

How can Net-Defence help?

We offer a complete suite of services that can all be tailored to ensure your business or organisation meets the new regulatory requirements and maintains robust protection.

Policy, process & documentation alignment

We can assist in translating the DUAA’s new requirements into practice. Our Business Resilience as a Service packages allow you to integrate these policies into an overarching resilience strategy, backed by specialist guidance across cyber, IT and telecoms functions.

Risk assessment & technical compliance audits

To ensure compliance with PECR, cookies, and data-related requirements, our team can perform detailed security assessments. Our cyber security testing services – including penetration testing – provide a proactive way to identify vulnerabilities and demonstrate readiness in light of the DUAA’s enhanced enforcement.

Monitoring, response & incident management

For organisations that need continuous visibility, our Security Operations Centre (SOC) delivers real-time monitoring, threat detection, and rapid incident response. This service ensures prompt handling of data protection complaints or breaches and strengthens your ability to meet evolving regulatory expectations.

Infrastructure, hosting & continuity support

To support the secure handling of data throughout internal systems, we offer IT support, including managed services (MSP), data backup and recovery, and Secure Server Hosting on cloud platforms like AWS or Azure. These services uphold integrity, availability, and confidentiality in your infrastructure, which is increasingly critical under DUAA standards.

Certification, assurance & compliance pathways

Aligning with the DUAA and broader UK data privacy requirements may involve meeting standards such as Cyber Essentials or IASME Cyber Assurance. Our team provides support for achieving these certifications and maintaining compliance across organisation-wide systems, bolstering your credibility with customers and regulators alike.

At Net-Defence, we make compliance with ICO data protection requirements practical and manageable, ensuring your organisation stays ahead of evolving regulations. From policy alignment and cyber assurance to 24/7 monitoring and secure infrastructure, our services are designed to keep your business resilient and ready for the future of data regulation.

If you want specialist support that empowers you to navigate the DUAA with confidence, speak to our team today.
