Associate Jennifer Scott, in our Corporate & Commercial team, discusses the changes made by the Data (Use and Access) Act 2025 for businesses and other organisations.
The UK's data protection rules have recently seen their biggest shake-up since the introduction of the UK GDPR in January 2021. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, is a significant piece of legislation aimed at streamlining compliance, promoting innovation, and enabling the better, more secure use of data across the economy. The changes are expected to come into effect in tranches from June 2025 to June 2026.
It's important to remember that the DUAA does not replace the UK GDPR or the Data Protection Act 2018 (DPA 2018); rather, it introduces targeted amendments to both, alongside changes to other regulations like the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Key Changes Affecting Businesses
For businesses and other organisations, across all sectors, the DUAA introduces several practical changes intended to provide greater clarity and, in some cases, help ease the administrative burden of compliance:
- Recognised Legitimate Interests: The Act introduces a list of 'recognised legitimate interests' for processing personal data (such as crime prevention, safeguarding vulnerable individuals, and responding to emergencies). Where processing is for one of these recognised legitimate interests, the requirement for a detailed balancing assessment (weighing the impact on the data subject against the benefit of the legitimate interest to the organisation) is removed, although the processing will still need to pass the necessity test (i.e. that the processing is necessary for a specific purpose).
- Automated Decision-Making (ADM): The rules on ADM have been relaxed. The strictest restrictions now primarily apply to decisions that rely on Special Category Data (like health or racial data). For other personal data, the Act creates a more permissive framework, provided specific safeguards are in place, including giving data subjects information on the decision made about them and the right for an individual to ask for meaningful human intervention and to contest the decision.
- International Transfers: The threshold for transferring personal data to third countries has been simplified. The UK can now permit transfers where the level of protection is deemed 'not materially lower' than that of the UK GDPR and DPA 2018, moving away from the previous 'essentially equivalent' test. It's worth noting, however, that the underlying principles of the UK GDPR still apply: appropriate safeguards will still need to be in place, such as an adequacy decision in respect of the third country receiving the data or standard contractual clauses.
Amendments to Data Subject Rights and PECR
The DUAA also makes changes to how organisations must handle requests and complaints from individuals:
- Subject Access Requests (SARs): The Act codifies existing case law, confirming that organisations are only required to carry out 'reasonable and proportionate' searches when responding to a SAR. Furthermore, a 'stop the clock' rule is also codified, confirming that the response time is paused if the organisation needs to request further clarifying information from the individual and cannot reasonably proceed with the response without it.
- Data Subject Complaints: Organisations are now required to put in place a formal complaints process, such as providing an electronic complaints form. They must respond without undue delay and usually within one month of receiving the request. Although there is no requirement for an individual to complain first to the organisation processing their data, the ICO has encouraged data subjects to complain to the data controller in the first instance before submitting a complaint to the ICO.
- PECR and Cookies: The Act has added some further exceptions to cookie consent, such as cookies to collect statistical information to improve the services or for functional purposes in how a website is displayed on a device. Significantly, the maximum fine for breaches of PECR that the ICO can levy (e.g. for unlawful electronic marketing) has been increased to match the UK GDPR levels: up to £17.5 million or, in the case of an undertaking, 4% of the global annual turnover of the previous year.
Next Steps for Compliance
The provisions of the DUAA are being implemented in phases. Businesses should proactively:
- Review Internal Processes: Update privacy policies, notices and codes of conduct. Review SAR and complaints-handling procedures to comply with the new statutory timeframes and requirements.
- Audit Lawful Bases: Review and document where they can now rely on 'recognised legitimate interests' and update privacy notices accordingly.
- Check ADM Systems: Assess any automated decision-making processes to ensure transparency and human intervention safeguards are correctly implemented.
- Training: Ensure that training is rolled out internally so that employees, workers and consultants are confident in complying with existing data protection rules and the new changes.
The DUAA presents both a relaxation of some burdens and a tightening of expectations in other areas, such as complaints handling and PECR fines. Remaining compliant means adapting early.
For further information or legal advice, please email law@blandy.co.uk or call 0118 951 6800.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.