The Data (Use and Access) Act 2025 (Commencement No 1) Regulations 2025 SI 2025/904 have been made. The Regulations bring into force specified provisions of the Data (Use and Access) Act 2025 on 20th August 2025. They are the first commencement regulations made under the Act. Certain provisions were brought into force automatically on Royal Assent under section 142(2) of the Act, and two months after Royal Assent under section 142(3) of the Act. More commencement regulations will follow, see below.
Regulation 2(a) commences Part 1 of the Act which relates to access to customer and business data in connection with the development of Smart Data schemes.
Regulation 2(b) to (q) and (y) commence specified provisions in Part 5 of the Act which makes amendments to certain provisions in the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The provisions include the interpretation provisions. They also change the notification period for reporting a personal data breach to the Information Commission to “without undue delay and where feasible, not later than 72 hours after having become aware of it”, which is the same as the requriements under the UK GDPR.
Regulation 2(r) and 2(z) commence specified provisions in Part 6 of the Act relating to the establishment of the Information Commission. These include duties to set up panels to consider codes of practice and the ICO’s duties, to prepare codes of practice if required to do so, and to produce and publish an annual report.
Regulation 2(s) commences specified provisions in Part 7 of the Act which make amendments to certain provisions in the Online Safety Act 2023.
Regulations 2(t) and (u) commence specified provisions in Part 7 of the Act which make amendments to Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016.
Regulation 2(v) to (x) commence provisions in Part 7 requiring the government to prepare a progress update and a report on copyright works and artificial intelligence systems.
Further commencement plans
The government has also published a summary of its plans for bringing into force provisions in the Act. The Regulations described above form Stage 1.
Stage 2
Three to four months after Royal Assent, stage 2 will include the commencement of most of the measures on digital verification services in Part 2 of the Act; and measures in Part 7 on the retention of information by providers of internet services in connection with the death of a child.
Stage 3
Stage 3 will follow approximately six months after Royal Assent. It will include the commencement of the main changes to data protection legislation in Part 5 of the Act; and the provisions on information standards for health and adult social care in England in Part 7.
Stage 4
Stage 4 will include the commencement of provisions that require a longer lead-in time. Examples include measures on the National Underground Register in Part 3 of the Act, and the electronic system of registering births and deaths in Part 4, which rely on appropriate technology being in place. Changes to the Information Commissioner’s Office governance structures in Part 6 of the Act will take place once members of the Information Commission’s new Board have been appointed. This is expected in early 2026.
