Understanding the UK’s Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA) represents the UK’s most significant update to its data laws in years. Rather than replacing the UK GDPR or the Data Protection Act 2018, it amends them and introduces new measures designed to modernise data governance, support innovation, and clarify compliance obligations for organisations.


What Is the Data (Use and Access) Act?

The DUAA received Royal Assent on 19 June 2025 and is being implemented in stages. It does not repeal or replace the core UK GDPR, the Data Protection Act 2018 (DPA 2018), or the Privacy and Electronic Communications Regulations (PECR). Instead, it updates these laws to make data protection rules simpler and more aligned with modern data use, including digital verification services, Smart Data schemes, and data registers.

The Act also includes a range of non-privacy provisions — for example making it an offence to create or request intimate images of someone without consent using generative AI — but the focus of this post is on changes to data protection law.

Why It Matters

The UK’s data protection framework has been grounded in the UK GDPR and DPA 2018, which implement strong standards for lawful processing, transparency, data subject rights, security, and accountability. These foundational laws continue to apply, but the DUAA refines how they operate in practice and introduces new rules to reflect current needs.

Key Changes Under the Act

1. Automated Decision-Making (ADM)

The Act expands the circumstances in which organisations can make decisions based solely on automated processing that have legal or significant effects on individuals, as long as certain safeguards are in place. These include providing meaningful information, enabling people to challenge decisions, and offering access to human intervention.

This shift means the general prohibition on some kinds of automated decision-making under the previous UK GDPR is now more nuanced, particularly outside of special category data.

2. Subject Access Requests (DSARs)

DUAA clarifies how organisations should respond to subject access requests:

  • Organisations can pause (“stop the clock”) the statutory deadline while waiting for clarification from a requester.
  • Searches must be reasonable and proportionate, aligning the law with accepted regulatory practice.

These changes are intended to reduce operational strain on organisations while upholding individuals’ rights.

3. Scientific Research and Broad Consent

The Act puts into statute definitions around scientific research and expressly recognises broad consent for research purposes where precise objectives may evolve — subject to ethical safeguards. This brings concepts previously found only in GDPR recitals into the main legal text.

4. Recognised Legitimate Interests

A new lawful basis called “recognised legitimate interests” has been added. When processing meets this category, organisations no longer need to perform a full balancing test between their interests and individuals’ rights. This can make lawful processing easier for activities such as public security and certain social value purposes.

5. Complaints Handling

Organisations are now required to have a clear process for handling data protection complaints from individuals, including an accessible form and information on how the complaint will be resolved.

6. Storage & Access Technologies (Cookies)

In certain low-risk situations, organisations can use some storage and access technologies (like cookies) without requiring explicit consent from individuals, reflecting similar adjustments in ePrivacy law.

7. International Transfers and Other Amendments

The Act also reorganises and clarifies rules on international data transfers, purpose compatibility, and other technical provisions across the UK GDPR and DPA 2018, offering more consistency and certainty.

What It Means for Compliance

For most organisations that already comply with UK GDPR and related UK privacy laws, the DUAA does not require a complete overhaul of their compliance frameworks. However, the changes do require updates to policies, contracts, and operational procedures, especially around ADM, DSAR handling, consent mechanisms, and legitimate interest assessments.

Debate and Concerns

While the government and the Information Commissioner’s Office (ICO) frame the Act as balanced and modernising, some commentators and privacy advocates have raised questions around:

  • How the expanded ADM rules affect individual rights. Critics suggest the changes make it easier to justify automated decisions in more cases.
  • The new lawful basis for recognised legitimate interests, which removes the balancing exercise in certain scenarios.
  • Whether these reforms could lead to divergence from EU data protection standards, though the UK has recently had its adequacy status renewed for continued data flows from the EU.

Additionally, earlier stages of data-law reform in Parliament drew criticism from civil liberties groups over potential broad government powers, particularly around political campaigning uses of personal data. While these specific provisions are not part of the final Act, they reflect ongoing public debate about data governance in the UK.

In summary…

The Data (Use and Access) Act 2025 represents a measured update to the UK’s data protection framework. It clarifies and streamlines existing rules, introduces new lawful bases and procedures, and embeds modern data-use concepts into law while retaining the UK GDPR’s core principles. Organisations operating in the UK should begin updating their compliance efforts to reflect these changes and watch for forthcoming ICO guidance as provisions are brought into force.

Watch out next month for part two of the Data Use Act 2025 blog: Growing Fears of Surveillance and Eroded Liberties
