The Data (Use and Access) Act 2025, first introduced in the House of Lords as the Data (Use and Access) Bill, has finally been granted royal ascent.
This Act aims to introduce amendments to UK data protection law, meaning that it isn’t a replacement for existing regulations, such as UK GDPR, The Data Protection Act 2018 and The Privacy and Electronic Communication Regulation 2003, rather it just makes them look a little different.

Over the weekend of 7-8 June 2025, Oxford City Council was hit by a cyber attack targeting its legacy IT systems. The breach exposed personal data, such as names and contact details, of individuals involved in council-administered elections between 2001 and 2022. These mainly consisted of current or former council officers, including polling station staff and ballot counters.
No evidence has been found that the compromised data was shared externally or downloaded in bulk.

On 19th June 2025, the UK’s Data (Use and Access) Bill was granted Royal Assent and will now be known as The UK Data (Use and Access) Act 2025, or DUAA.
At this point, it is important to clarify The DUAA will amend the existing UK data protection laws, not replace them. This means, we will still have the three primary underlying laws; UK GDPR, Data Protection Act 2018 and PECR 2003.. they’ll just look a bit different.
Reforms to data protection legislation were first proposed by the Conservative Government, promising to “overhaul” data protection legislation post-Brexit.. the early version of these reforms were more radical – even abolishing the requirement for Data Protection Officers (DPOs).

The Information Commissioner’s Office, the independent supervisory authority for data protection in the UK, has fined 23andMe, a genetic testing service, £2.31 million following an investigation into a cyber attack that happened in 2023.
Between April and September 2023, an attacker carried out a credential stuffing attack, which exploited reused login credentials that were stolen from previous unrelated cyber attacks. Credential stuffing is when login details, usually stolen from another breach, are tried on different services, relying on users reusing the same passwords.

Over the past few months, a wave of cyber attacks has swept through the UK retail sector, disrupting some of the country’s largest brands. Adidas, Harrods, The Co-Op and most publicized due to the impact of the attack, Marks & Spencer, have all been targeted by cyber criminals, resulting in outages, data breaches and multi-million-pound losses.
But why are these retailers so frequently targeted by attackers? This blog post will explore the unique risks that retailers face, what we can learn from recent incidents and how the sector as a whole can protect itself from future attacks.