As we touched upon last week, the Data (Use and Access) Bill has finally received Royal Assent.

Now the Data (Use and Access) Act 2025, the Act is broad in its scope and seeks to bring certain aspects of data protection law up to date. We discussed some of the main provisions of the Act previously here, and recently published a list of five take aways on the Act’s impact on the UK’s data protection and e-privacy framework here.

Changes to the law include introducing a new lawful basis for processing (for so-called “recognised legitimate interests”), clarifying how personal information can be used for research, making it clear that data subjects submitting a DSAR are only entitled to information resulting from a “reasonable and proportionate” search, loosening the consent requirements for some cookies, and removing certain restrictions on organisations being able to rely on automated decision-making.

At the same time as the Act became law, the Information Commissioner’s Office (ICO) released a suite of documents aimed at assisting organisations to understand the details and implications of the new legislation. This includes an outline of what the Act means, a detailed summary for data protection experts, and an outline of how the ICO will continue its regulatory work as the Act begins to be implemented over the course of the next year.

The ICO also has a dedicated webpage setting out what it is planning by way of publishing guidance for the new Act, as well as expected timeframes. Among other things, it suggests that we can expect guidance on the new lawful basis of recognised legitimate interests and on the Codes of Conduct in the Act later this year.

To read more from the ICO about the Act, its implementation, and planned guidance, click here.