
What the UK Data (Use and Access) Act Means for Your Business
The Data (Use and Access) Bill passed by Parliament on 11 June 2025 has now received Royal Assent. This article explores what businesses should be aware of.
Following an Odyssean journey, the UK is finally on course to make changes to its data protection framework. The Data (Use and Access) Bill passed by Parliament on 11 June 2025 has now received Royal Assent, amending (rather than replacing) the UK GDPR, Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).
The Data (Use and Access) Act 2025 (the Act) heralds the restructuring of the Information Commissioner’s Office, creation of a ‘national underground asset register’ and the implementation of a framework to govern data sharing via smart data schemes. In terms of impact on day-to-day business operations there are a number of changes within the Act that will require organizations to closely review and amend their compliance policies and procedures.
This may mean taking advantage of regulatory relaxation and making changes to reflect new or more stringent requirements and increased enforcement powers. As the dust settles, businesses need to navigate both the opportunities and obligations embedded in the Act to remain compliant and competitive. Understanding where the rules have been relaxed, where they’ve tightened, and what’s entirely new is now essential for informed, proactive compliance.
Data Subject Rights
Good news for businesses is the Act codifies existing ICO guidance and case law on the handling of data subject rights, including:
- That when searching for information in response to a data subject access request (DSAR) the obligation on controllers is to perform a “reasonable and proportionate” search.
- Recognition that the “applicable time period” for responding to a data subject request may vary if the clock has been stopped e.g. because the controller awaits further information or identification from the requester. Any extension period will apply from the end of the original applicable time period.
Complaint Handling
Significantly, the Act introduces a new statutory right for data subjects to complain to data controllers about the processing of their personal data.
Controllers are expected to provide individuals with an easy means of bringing such complaints, must acknowledge receipt of a complaint within 30 days and must then respond to it without undue delay.
Organizations will need to build a robust complaint handling process, set SLAs to ensure complaints are acknowledged and resolved on time, and update their privacy notices to publish details of how a privacy-related complaint can be made.
Direct Marketing and Cookie Consent
The Act brings in changes to the Privacy and Electronic Communications Regulations (PECR) which regulate electronic direct marketing and the use of cookies:
- Charities can take advantage of the “soft opt-in” mechanism for direct marketing to individuals who have previously donated or shown interest in the charity, provided those individuals can easily opt out at any time.
- Updates to website tracking - certain lower-risk cookies, including those collecting information for statistical analysis to help improve a service, cookies used to customise a website’s appearance, and cookies used to obtain help in an emergency (e.g. on connected smart devices), can be deployed without prior consent, again provided users are given clear information and can opt out with ease.
The sting in the tail, however, is that the ICO’s enforcement powers under PECR are dramatically increasing to bring potential fines in line with those under the UK GDPR. This means that the cap on PECR fines will jump from £500,000 to the higher of £17.5 million or 4% of the company’s annual global turnover.
This significant increase comes at a time when the ICO is proactively investigating and enforcing against cookie non-compliance, so it is worth taking note. The combination of new cookie exemptions and an ICO crackdown on compliance means now is the time for businesses to reassess their consent mechanisms, remove consent prompts that are no longer required, and offer clear opt-outs.
Automated Decision Making (ADM) including AI
Under the UK GDPR, solely automated decision making, including profiling, is prohibited if the decision produces a legal effect on the individual or similarly significantly affects them.
There are limited exemptions to this, such as where ADM is necessary for the performance of a contract with the data subject, or the individual has consented to automated decisions being made about them. The Act aims to create greater flexibility, allowing for the use of ADM in a wider range of circumstances provided that sufficient safeguards are implemented. These include ensuring data subjects are informed of the decision, can make representations, can obtain meaningful human intervention, and can contest decisions made solely by automated means. However, the general prohibition and the original narrow exemptions continue to apply where special category data is involved. All of this is a prompt for businesses to audit their decision-making models to identify which require human oversight and to add any necessary additional safeguards.
Legitimate Interest
The Act clarifies that under the UK GDPR controllers can rely on “legitimate interest” as their lawful basis for processing personal data for direct marketing. In addition, it creates a list of specific “recognised” legitimate interests which businesses will be permitted to rely upon without completing the usual balancing part of the full three-part Legitimate Interest Assessment, provided the processing is necessary for that purpose and appropriate safeguards are in place. These include responding to an emergency, safeguarding vulnerable individuals, and the prevention and detection of crime.
International Scope
Organizations outside of the UK should note that there have been no changes to the extra-territorial scope of the UK GDPR. Those without an establishment in the UK can still be caught by the UK GDPR if they offer goods or services to individuals in the UK or monitor their behaviour. Where this is the case, such controllers and processors are generally required (subject to limited exemptions) to appoint a UK representative to act on their behalf in communications with data subjects and the ICO.
Timeline
Now that the Bill has received Royal Assent, most of the changes are expected to come into force over the next year, with further details, including timelines for the cookie rules, data-sharing frameworks and other secondary measures, to be confirmed in due course.
Important Point to Note
For individuals managing day to day privacy operations, it is important to remember that the Data (Use and Access) Act operates by amending the three major pieces of UK data protection legislation listed above, i.e. the UK GDPR, the DPA 2018 and PECR. Once updated versions of these legal texts have been published it will be important to ensure you consult the most up to date amended legal texts to consider changes brought in under the Act.
What You Should Do Now
In preparation for the Act, organizations should consider:
- Data Subject Rights: Update DSAR handling procedures (and any supporting tooling) so that the response clock can be stopped while clarification or identification is awaited, and the applicable time period tracked accordingly.
- Complaint Handling: Implement a robust complaint handling process, set internal SLAs for dealing with complaints and update privacy policies with the relevant details.
- UK Representative: Businesses caught by the extra-territorial scope of the UK GDPR should appoint a UK representative if they have not already done so.
- Cookies: Review cookie consent mechanisms, ensure valid consent is being obtained where needed, remove the requirement to consent where it is no longer required (supported by transparency and easy opt out methods).
- ADM: Audit any automated decision-making models to identify which require human oversight and add the necessary safeguards.
Why Is This Important?
The Act modernises the UK data regime, adding some welcome flexibility, while increasing sanctions for non-compliance in specific areas such as electronic marketing and tracking. It is important for organizations to respond to the changes brought about by the Act both to make the most of any areas of regulatory relaxation and to implement any compliance program changes necessary to reflect new obligations or more stringent sanctions for breach of the updated UK data protection regime.