Key dates to diarise: Data (Use and Access) Act implementation timeline

Key dates to diarise: Data (Use and Access) Act implementation timeline

On 19 June 2025, we reported on the Data (Use and Access) Act 2025 (the “Act”) receiving Royal Assent and highlighted the key changes to be aware of (please see here). Now that the initial buzz surrounding the long-awaited Act has subsided, it’s time to take a closer look at the key implementation dates to mark in your calendars, and the steps you should be taking to prepare for each stage.

Phased Implementation

Implementation of the Act is set to take place in phases between June 2025 and June 2026, meaning that while some provisions took effect immediately, others will require secondary legislation and standards before they take effect. The ICO indicates that most provisions are expected to come into force either two or six months after Royal Assent with the rest taking up to a year. 

We have set out the key dates to be aware of below, some of which are provisional at this stage.

Implementation Timeline

19 June 2025: The Data Use and Access Act came into force with certain provisions taking immediate effect

The key change that came into effect immediately is that when organisations are responding to a data subject access request, they only need to carry out “reasonable and proportionate” searches for relevant information. This is retrospectively dated to apply from 1 January 2025. However, further changes to data subject access requests such as the ‘stop the clock’ rule are not yet in force. It is worth noting that these updates largely reflect existing ICO guidance, so the practical impact for most organisations is expected to be minimal.

The ICO also published initial guidance helping organisations to understand and comply with the new Act.

19 August 2025: New ICO powers come into effect

From 19 August, the ICO will have the power to send notices by email as well as by post and to compel the production of documents to evidence compliance with UK data protection laws. Other new ICO powers will be introduced at a later date by secondary legislation.

Autumn 2025: ICO Codes of Conduct to be published.

The ICO has confirmed that it is expecting to publish new Codes of Conduct in relation to the Data (Use and Access) Act in Autumn 2025 to reflect the changes in the rules. These Codes will provide further practical guidance on how to comply with the new Act.

Winter 2025/2026: Further ICO guidance 

The ICO has announced that it intends to issue further guidance in Winter 2025/2026, including guidance on: the new lawful basis of recognised legitimate interest, international transfers, how to handle data protection complaints for organisations and the purpose limitation principle. Further guidance will follow in Spring and Summer 2026. 

19 December 2025: Six-month mark since Royal Assent

The ICO expects most of the remaining provisions to come in within 6 months. This is likely to include changes to UK GDPR and PECR. 

27 December 2025: EU/UK adequacy decisions extended until this date

To allow time for the data protection reforms to be finalised and for the Commission to assess their adequacy, the European Commission has extended the UK's data protection adequacy decisions until 27 December 2025. The allows for the continuation of the free flow of data between the EU and UK.

This is not an implementation milestone as such but nevertheless an important date to note in the progression of the data protection reforms. 

19 June 2026: All provisions of the Act are expected to be fully implemented and final guidance published.

By Spring the ICO intends to publish guidance on the changes to research, archiving and statistics and by Summer 2026, guidance on disclosing documents to the public. A full schedule of upcoming guidance can be found on the ICO website.

Steps to prepare for each stage of the timeline

It is worth noting that, during this transition phase, the ICO’s position is to apply the law as it stands at the time an infringement took place (rather than the date that it receives any complaint or when the infringement was detected). 

In some cases, the ICO will need to exercise discretion when considering whether to take regulatory action under the existing provisions or, in cases of ongoing non-compliance, consider applying the new provisions. When assessing potential action under the Act, the ICO will take into account the guidance that was available to organisations at the time the non-compliance is believed to have occurred.

To prepare for each stage of implementation, as a starting point we suggest that organisations: 

Now: Update data subject access request policies/processes 

As noted above, the updates around data subject access requests largely codify existing ICO guidance. Many organisations may therefore find that their current policies and procedures are already aligned with the new statutory requirement to conduct only “reasonable and proportionate” searches. If not, organisations should update their data subject access request policies and processes to reflect this requirement. Further updates may be needed to data subject access request processes when the ‘stop the clock rule’ comes into effect.

Before 19 December 2025 (six-month stage): Familiarise yourself with upcoming changes and keep informed

Further implementation is expected within the first six months for which dates have not yet been set. Organisations should also keep themselves informed of the upcoming changes and implementation dates as they are confirmed. A good place to start is making yourself aware of the key changes under the Act using our latest article.

In the meantime, there are areas where organisations can begin taking proactive steps: 

• Complaints procedures – look to update complaint handling procedures to reflect the new requirements for handling complaints from data subjects to organisations.
• Electronic direct marketing practices – reassess marketing strategies in light of the fines increasing for breaches of PECR.
• Use of ADM – existing rules for use of ADM have softened (except for special category data) so revisit policies and check if any new opportunities arise as a result.
• Legitimate interests analysis – with the introduction of ‘recognised legitimate interests’, you may not always need to conduct a legitimate interests assessment.
• Cookies banners – given the new exemptions for certain cookies, revisit cookies banners and policies to reflect this.

It is important to note that organisations will need to wait for changes (in relation to the use of ADM, recognised legitimate interests and cookies) to be brought into force before effecting changes. 

Before 19 June 2026 (one-year mark since Royal Assent)

All provisions of the Act are expected to be in effect by this date. Organisations should ensure that all relevant policies, procedures and documentation are aligned with the Act. Whilst there are a handful of new requirements for which changes will need to be made to comply, most of the changes introduced by the Act are designed to provide greater clarity and flexibility. Organisations should take the opportunity to assess how it may benefit from this flexibility in a way that supports both compliance and operational efficiency.

For advice on the proposed changes to UK data protection laws and other changes introduced by the Act, please contact Martin Cook, Madelin Sinclair McAusland, Amanda Leiu, Justin Barrow or a member of Burges Salmon's Commercial & Technology team. 

This article was written by Emily Fox and Amanda Leiu.