ARTICLE
24 June 2025

Targeted Reforms To UK Data Protection Law – Unpacking The Data (Use And Access) Act – Part 1

Today, the Data (Use and Access) Bill receives Royal Assent and passes into law, becoming the Data (Use and Access) Act 2025.

The Act creates limited, but in some cases notable, changes to the UK's existing data protection laws – the UK GDPR and the Data Protection Act 2018.

Beyond data protection and privacy, the Act does a huge amount to attempt to unlock the potential of data across society, with initiatives including smart data schemes, underground asset registers, and healthcare IT standards. We will look at these non-data protection parts of the Act in an upcoming Part 2. For now, however, we focus on the key changes to UK data protection law, and explain the practical impact of those changes for organisations operating in the UK.

We also provide some clarity on what the Act does not do, acknowledging that readers might be understandably confused by the various packages of reform to data protection law that have been proposed by successive governments over recent years!

Key changes to data protection law

The key areas of reform, and their practical impacts, include:

1. Automated decision making

The requirement to establish a qualifying lawful basis when conducting automated decision-making (currently Article 21(2) UK GDPR) will be removed, except when special category data is involved. However, all remaining safeguards – including the data subject's rights to object and human intervention – will remain.

Impact: This makes it somewhat easier for organisations to use automated decision-making, which is particularly important in an age of rapidly expanding AI adoption. One interpretation is that this is about the government recognising the reality of AI's ubiquity, and asking organisations to focus less on the preparatory question of a lawful basis, and more on building in the safeguards necessary to ensure the use of AI is fair, and can be effectively challenged by a data subject.

2. Recognised legitimate interests

The Act introduces the concept of "recognised legitimate interests", providing a presumption of legitimacy for certain processing activities under Article 6(1)(f) UK GDPR. In other words, if a recognised legitimate interest is applicable, a data controller can assume that there is a lawful basis to conduct the processing, without needing to carry out a balancing test. Recognised legitimate interests must be tied to an objective listed in Article 23(1) UK GDPR (e.g., public security, crime prevention, public health etc.).

Impact: Because of their link to public interest objectives, it seems likely that recognised legitimate interests will be most useful when a business is deciding whether to share personal data with a public body (such as a government department, regulator or law enforcement agency). Their scope mirrors the scope of existing provisions under Schedule 2 to the Data Protection Act 2018, which exempt data controllers from other data protection law requirements for certain public interest grounds.

3. Cookies and direct marketing

The Act eases cookie consent requirements in certain areas. Specifically, cookies used for certain analytics and website appearance purposes will be exempt from consent requirements. However, website operators will still need to provide information about these cookies and offer an 'opt out', likely through existing cookie banners. On direct marketing, charities will now be able to rely on the soft opt-in exemption to make it easier to carry out marketing by email and SMS.

Impact: The changes to cookie rules reflect widespread agitation about the complexity and onerousness of cookie consent management. However, arguably the changes will not materially help the position, as many cookies (e.g., advertising) will still need opt-in consent, and websites will now need to grapple with a third, intermediary category of 'opt-out' cookies. For charities, the availability of the soft opt-in exemption is hugely significant, given how important electronic communications are to these organisations, and given how useful the soft opt-in standard can be for businesses.

4. Scientific research

The Act introduces a statutory definition of "scientific research", for the purpose of understanding when data processing activities can benefit from the special treatment given to scientific research related activities under data protection law. The definition confirms the broad application of the term to both commercial and non-commercial activities, encompassing anything "that can reasonably be described as scientific". This aligns with the GDPR recitals' intent for a broad interpretation. The Act also clarifies that individuals can consent to their data being used for multiple types of scientific research, even if all specific research purposes are not known at the time of consent.

Impact: These changes are more about providing certainty to what many experts already understood to be the legal position. However, they signal the government's intent in wanting to ensure that UK data protection law is not an unnecessary hindrance to scientific research, whether that research is sponsored publicly or privately.

5. Data subject access requests

On data subject access requests, the Act incorporates various helpful parts of the ICO's guidance, and prior case law, into legislation. For example, controllers are only required to conduct a 'reasonable and proportionate search' when responding to DSARs, and the clock on a DSAR is stopped when a controller needs to identify a data subject or clarify a request. Less helpfully, a controller must now expressly inform a data subject when withholding documents due to legal professional privilege or client confidentiality.

Impact: Again, these changes are mostly about reinforcing what many already understand to be the law. However, putting these matters on a statutory footing provides welcome certainty for controllers, and prevents the courts or the ICO from changing their approach.

6. ICO powers

There are fundamental reforms to the Information Commissioner's Office. The ICO – which until now has operated through an archaic model known as a 'corporation sole', in which all power vests in the individual Commissioner – will, going forward, operate as more of a regular organisation, complete with a Board and an appointed CEO.

The new Commission will also have some new powers, notably a power to issue "interview notices", by which it may require an individual to attend an interview in person and to answer questions, and to mandate the production of a report, in connection with that notice, by an "approved person", such as a forensic cybersecurity expert.

Impact: The constitutional changes to the ICO are unlikely to have a direct impact on businesses, although reading between the lines one might conclude that the government is hoping a structural shake-up to the ICO might make it a more nimble and effective regulator.

The ICO's new powers could make its approach to investigations more robust and more challenging for businesses. For those operating in financial services, the powers will be familiar as they mirror those held currently by the FCA.

What the Act does not do

Some readers may recall the previous government's proposal for reforms to UK data protection law, which was called the Data Protection and Digital Information Bill. That bill proposed more far-reaching reforms to UK data protection law, which have not made their way into the Act. In particular, the Act does not soften the requirements around core components of a data protection compliance programme, such as records of processing activities and data protection impact assessments. Similarly, the Act does not include the previous bill's proposal to abolish the position of the data protection officer and replace it with a 'senior responsible individual'.

From a reference perspective, it's also important to note that the Act does not supersede or replace the UK GDPR or the Data Protection Act 2018. Both of those laws survive, and continue to be the relevant data protection laws in a UK context. Instead, the Act works by making changes to those existing laws. In due course, the official UK legislation website will be updated with new versions of each of those laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
