Data Use and Access Act 2025: What It Means for Secure IT Disposal

June 15, 2026

The UK’s Biggest Data Law Reform in Years – And What It Means for How You Retire IT

The Data Use and Access Act 2025 reshapes UK data protection – and it raises the bar for secure IT disposal. Here is what compliance, IT and risk teams need to do before retiring another device.

  • What the DUAA actually changed – in plain English
  • The 19 June 2026 complaints deadline you may have missed
  • Why data retention rules make disposal a board-level risk
  • A practical IT disposal compliance checklist for 2026

Quick Summary: The Data Use and Access Act and IT Disposal

Short on time? Here is what UK organisations need to know:

  • What it is: The Data Use and Access Act 2025 (DUAA) amends UK GDPR and the Data Protection Act 2018 – it does not replace them.
  • Key dates: Part 5 reforms took effect 5 February 2026; a statutory data-protection complaints process must be in place by 19 June 2026.
  • Why disposal matters: The Act sharpens accountability around data retention and erasure – and retired IT is where personal data most often leaks.
  • The risk: A drive that “should have been destroyed” surfacing in an ICO investigation is now harder to defend without serial-level evidence.
  • The fix: Certified data destruction, a documented audit trail, and a certificate of destruction for every asset.

For most UK businesses, data protection law has felt settled since 2018. UK GDPR and the Data Protection Act became the backdrop you mostly stopped thinking about. The Data Use and Access Act 2025 changes that – and if your role touches compliance, security or IT disposal, it deserves a place on your radar this quarter.

The DUAA received Royal Assent in 2025 and is being switched on in stages through 2026. It is not a clean-sheet rewrite. Instead, it amends the existing framework – clarifying some obligations, easing a few, and tightening others. The headline reforms in Part 5 took effect on 5 February 2026, and a hard deadline lands on 19 June 2026, by which every organisation must operate a formal data-protection complaints process.

Most coverage of the Act focuses on marketing, cookies and automated decision-making. Far less has been said about the part that quietly raises your exposure: data retention and erasure. And the single biggest place where retention promises go to die is the cupboard full of decommissioned laptops, servers and drives waiting to be dealt with. This guide explains what the Data Use and Access Act means for IT disposal, and how to stay defensible.


What the Data Use and Access Act Actually Changed

The DUAA is broad, but a handful of changes matter most for organisations holding personal data on physical IT assets.

It Amends, It Doesn’t Replace

UK GDPR and the Data Protection Act 2018 remain in force. The DUAA edits them. So every existing obligation you already have around lawful processing, security and the right to erasure still applies – now with additional clarifications layered on top.

Recognised Legitimate Interests

The Act introduces a list of “recognised legitimate interests” where organisations can process data without the usual balancing test. Useful – but it does not loosen your duty to securely dispose of data once you no longer need it.

Clearer Rules on Purpose and Retention

The reforms reinforce purpose limitation and storage limitation: you keep personal data only as long as you have a lawful reason to. When that reason expires, the data must go – properly. That is where data destruction versus data erasure stops being academic and becomes an audit question.

A Mandatory Complaints Process by 19 June 2026

From this date, organisations must have a clear route for individuals to complain about how their data is handled, and to respond within statutory timeframes. Complaints about “you still held my data after I asked you to delete it” frequently trace back to assets that were stockpiled instead of destroyed.

What the Data Use and Access Act Does Not Change

It is just as important to be clear about what has stayed the same. If you already had a compliant data protection and IT disposal programme, the DUAA does not pull the rug from under you. The core principles are intact:

  • You still need a lawful basis to process personal data, and the security principle still requires “appropriate technical and organisational measures” – which includes how you dispose of data-bearing assets.
  • The right to erasure still applies. When someone asks you to delete their data, or your retention period ends, the obligation to actually remove it – including from any device pulled out of service – has not softened.
  • Breach reporting is unchanged. A lost or stolen unwiped laptop is still a reportable personal data breach if it puts individuals at risk.
  • Accountability still sits with you, the data controller – even when a third party handles the physical destruction. That is why your choice of IT asset disposal partner, and the records they give you, matter so much.

In other words, the Data Use and Access Act raises the stakes on accountability rather than rewriting the rulebook. The organisations most exposed are the ones that were already treating IT disposal as an afterthought.

Key Data Use and Access Act Dates to Diary

The DUAA is commencing in phases rather than all at once. These are the milestones that matter most for compliance and IT teams planning their disposal processes:

  • 2025 – Royal Assent: The Data (Use and Access) Act passes into law, with most provisions commencing via secondary legislation through 2026.
  • 5 February 2026 – Part 5 reforms in force: Key data protection changes take effect, including recognised legitimate interests and clarifications to purpose and storage limitation.
  • 19 June 2026 – Complaints process deadline: Every organisation must have a formal route for individuals to complain about data handling, with statutory response timeframes.
  • Through 2026 and beyond – Phased commencement: Further provisions continue to switch on. Treat your IT disposal documentation as a living process, not a one-off project.

The practical takeaway: do not wait for a complaint or an audit to discover that your retired IT has been stockpiling personal data. Build the secure destruction and documentation habit into business as usual now.

Why the Data Use and Access Act Makes IT Disposal a Board-Level Risk

Retention rules only mean something if you can prove the data is actually gone. On a live system, deletion is a database operation. On a retired laptop or server sitting in a store cupboard, the data is still there – fully recoverable – until the device is securely wiped or physically destroyed.

That gap is exactly what regulators probe. As the South Staffs Water ICO fine showed, legacy and decommissioned IT is one of the most overlooked security risks a business carries. Under a reformed framework that emphasises accountability, “we thought it had been recycled” is not a defence.

Deletion Is Not Destruction

Dragging files to the bin, formatting a drive, or even a standard factory reset can leave recoverable data behind. If you have ever wondered whether deleting files is GDPR compliant, the short answer is: not on its own. The DUAA’s tighter accountability expectations make that distinction sharper.

The Two-Regulator Problem

Retired IT sits at the intersection of two regimes. Get the data wrong and you answer to the ICO. Get the waste handling wrong and you answer under the WEEE Regulations and environmental law. A single mishandled batch of devices can trigger both. Certified IT equipment recycling with full documentation closes both gaps at once.

Your DUAA-Ready IT Disposal Checklist for 2026

Use this to pressure-test your current process against the reformed framework:

  • Map where personal data lives on physical assets – laptops, desktops, servers, phones, copiers, backup tapes and loose drives.
  • Set and document retention triggers so devices are queued for destruction when their lawful basis ends, not left to accumulate.
  • Use certified destruction, not DIY deletion – wiping to a recognised standard such as HMG Infosec Standard 5, or physical shredding.
  • Capture a serial-level audit trail so every asset is tracked from collection to final destruction.
  • Obtain a certificate of destruction for every device – your evidence if the ICO ever asks.
  • Use an accredited partner with ISO 27001 and the right Environment Agency permissions, so data and waste compliance are handled together.

For the full version, see our GDPR IT disposal compliance checklist, which carries straight across to DUAA-era obligations.

Why Documentation Is Your Best Defence

The thread running through the Data Use and Access Act is accountability: not just doing the right thing, but being able to prove you did. For IT disposal, proof means a paper trail that ties each asset to a verified destruction event.

A certificate of destruction that lists assets at serial-number level is far more defensible in an investigation than a generic “we recycle responsibly” statement. If a data subject complains – and from 19 June 2026 they have a formal channel to do so – you want to answer with a dated record, not a best guess. Innovent provides exactly this documentation as standard with every collection.

How Innovent Makes IT Disposal DUAA-Ready

Meeting the standard set by the Data Use and Access Act does not have to add work to your team. A specialist IT asset disposal partner takes the compliance burden off your desk while giving you the evidence you need. Here is how Innovent approaches it:

  • Secure, tracked collection from your sites across the UK, with chain-of-custody recorded from the moment your assets leave your premises.
  • Certified data destruction by wiping to recognised standards or physical shredding, matched to your risk profile and data classification.
  • Serial-level reporting so every device is accounted for, and nothing quietly slips back into circulation with data still on it.
  • A certificate of destruction for every job – your audit-ready proof for the ICO, your DPO, and your board.
  • Combined WEEE and environmental compliance, so the same process that satisfies data protection law also keeps you right under waste regulations.

The result is a disposal process you can stand behind if it is ever scrutinised. Under a reformed regime that prizes accountability, being able to produce the paperwork is the difference between a quick, confident response and an expensive, exposed one. To see how this fits the wider framework, read our GDPR IT disposal compliance checklist and our guide to HMG Infosec Standard 5.

Frequently Asked Questions

Does the Data Use and Access Act replace UK GDPR?

No. The Data Use and Access Act 2025 amends UK GDPR and the Data Protection Act 2018 rather than replacing them. All your existing obligations – lawful basis, security, and the right to erasure – remain in force, with additional clarifications and a small number of new requirements layered on top. For IT disposal, the practical effect is heightened accountability around how and when you securely destroy personal data held on retired devices.

What is the 19 June 2026 deadline?

From 19 June 2026, organisations must operate a formal data-protection complaints process, giving individuals a clear route to raise concerns about how their data is handled and a statutory timeframe for responses. Many such complaints relate to data that should have been deleted, which often traces back to decommissioned IT assets that were stockpiled rather than securely destroyed. A documented disposal process with certificates of destruction helps you respond to these complaints with confidence.

How does the DUAA affect data retention and IT disposal?

The Act reinforces purpose and storage limitation: you keep personal data only while you have a lawful reason to, and securely dispose of it afterwards. The catch is that data on a retired laptop, server or drive remains fully recoverable until the device is wiped to a recognised standard or physically destroyed. Meeting retention obligations therefore depends directly on a certified, documented IT disposal process – not on a factory reset or a deleted folder.

Is a factory reset enough to comply?

Generally, no. A standard factory reset or drive format can leave recoverable data behind, and on its own it does not produce the evidence you need to demonstrate compliance. Under the reformed accountability standard, you should use certified data erasure to a recognised standard such as HMG Infosec Standard 5, or physical destruction, and obtain a certificate of destruction recording each asset at serial-number level.

What documentation should I keep for IT disposal?

Keep a serial-level audit trail tracking each device from collection to final destruction, plus a certificate of destruction for every asset. This is your evidence if the ICO investigates or a data subject complains. A reputable IT asset disposal partner with ISO 27001 certification and the correct Environment Agency permissions will provide this documentation as standard, covering both data protection and WEEE waste obligations in one record.

About Innovent Recycling

Innovent Recycling is a UK-based specialist in secure IT asset disposal and recycling. With ISO 27001 certification and Environment Agency permissions, we provide comprehensive, compliant recycling solutions for businesses across the United Kingdom.

Trusted by businesses across the UK for secure, compliant IT disposal. View our accreditations and certifications.

Make Your IT Disposal DUAA-Ready

Talk to Innovent about secure, documented IT asset disposal. We provide certified data destruction, serial-level audit trails and a certificate of destruction for every device – so you can prove compliance under the Data Use and Access Act.

Book a Collection

Or call us on 0151 355 5482
