The Information Commissioner’s Office (ICO) has made it clear that its approach to the Data (Use and Access) Act 2025 (DUAA) is designed to mirror the legislation itself: phased, iterative and grounded in practical implementation. For organisations, this means that compliance cannot be treated as a single project with a fixed end date. Instead, it should be approached as an evolving programme of work that started in 2025 and continues into 2026.
The DUAA has not been brought into force all at once. Initial provisions commenced in August 2025, followed by a substantial second phase in February 2026. A final set of measures is expected to come into effect in June 2026. This staggered implementation is intended to give organisations time to adapt, but it also creates complexity. Different obligations apply at different times, and the regulatory expectations attached to them are developing in parallel.
The ICO’s guidance strategy reflects this timeline. Early publications focused on explaining what has changed at a high level, rather than prescribing detailed compliance steps. These materials are useful for identifying the key areas of impact, including amendments to the UK GDPR framework, changes to lawful bases for processing, and updates to data subject rights. However, they do not always provide the operational detail that organisations need to implement changes in practice.
More recently, the ICO has begun to publish more targeted and practical guidance, often focusing on specific compliance themes. One of the clearest examples is its work on data protection complaints handling. Under the DUAA, organisations will be required to implement formal internal processes for dealing with data subject rights (DSR) complaints, with the requirement becoming mandatory in June 2026. The ICO has already issued guidance outlining expectations in this area, including the need for accessible procedures, clear response timelines and appropriate escalation mechanisms.
The ICO has also placed significant emphasis on consultation as part of its guidance development process. Throughout 2025 and into 2026, it has sought stakeholder input on draft guidance in areas such as recognised legitimate interests, research provisions and aspects of automated decision making. For organisations, this creates both a challenge and an opportunity. Whilst draft guidance can introduce uncertainty, it also provides early visibility of the regulator’s thinking and allows organisations to anticipate future requirements before they are finalised.
From an operational perspective, the February 2026 implementation phase represented the point at which many organisations had to move from planning to execution. This phase included a number of substantive changes, such as revised rules on automated decision making, updates to subject access request handling, and the introduction of new lawful bases including recognised legitimate interests. These changes are not purely legal in nature. They require updates to internal policies, revisions to privacy notices, adjustments to data governance frameworks and, in many cases, changes to systems and workflows.
A further practical consideration is sequencing. Not all requirements carry the same level of urgency. Some obligations are already in force and require immediate attention, while others, such as the complaints handling framework, have a longer lead time but may require more significant organisational change. In practice, this means organisations need to prioritise their compliance activities carefully, balancing short-term legal risk against longer-term implementation effort.
The ICO has indicated that its enforcement approach during this transition will be proportionate and pragmatic. It recognises that organisations are operating in an environment where guidance is still being developed and refined. However, this should not be interpreted as a relaxation of expectations. The regulator has consistently emphasised that organisations should be taking active steps towards compliance and should be able to demonstrate progress if challenged.
In practical terms, organisations should now be focusing on several parallel workstreams. These include updating governance frameworks to reflect new legal concepts, reviewing data processing activities in light of lawful bases, and preparing for upcoming requirements such as formalised complaints handling. At the same time, organisations should establish processes for tracking ICO guidance updates and consultation outcomes, ensuring that their compliance approach remains aligned with the regulator’s evolving expectations.
Ultimately, the DUAA represents a shift in how data protection compliance needs to be managed. It is no longer sufficient to implement a static framework based on settled guidance. Instead, organisations must be prepared to adapt continuously as both the law and the regulator’s interpretation of it develop. Those that take a structured, programme-based approach to implementation, rather than a reactive or deadline-driven one, will be better positioned to manage both compliance risk and operational impact over the coming year.
AJC supports organisations in strengthening their data protection frameworks and responding to evolving regulatory requirements with confidence. Our Data Protection services help clients review governance arrangements, assess the impact of legislative and regulatory change, update policies and procedures, and build practical compliance programmes that reflect both legal obligations and operational realities.
Whether your organisation is reviewing lawful bases, updating privacy documentation, preparing complaints handling processes or strengthening broader data governance, AJC provides clear, proportionate support tailored to your needs.
Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
Sources:
https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/
Image accreditation: Mike Hindle (January 2023) on Unsplash.com+. Last accessed on 13th April 2026. Available at: https://unsplash.com/photos/a-black-and-white-photo-of-a-laptop-with-a-shield-on-it-YSgZGl_a_3Q